239840 2022-04-27 23:22:26 -0700 REGRESSION (iOS 15.4): Worker csp with script-src 'strict-dynamic' and script-src-elem blocks importScripts that should pass 2022-06-23 12:03:43 -0700 1 1 1 Unclassified WebKit Page Loading Safari 15 Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 webkit pgriffis beidson bfulgham ews-watchlist katherine_cheney mkwst pgriffis seongil.wi webkit-bug-importer oldest_to_newest 1865065 0 webkit 2022-04-27 23:22:26 -0700 Hi team, I have encountered an issue in Safari 15.4 on iOS and macOS where a worker loaded with a CSP header calls importScripts to bring in a local script and fails unexpectedly. I was serving a worker script with the same CSP as used elsewhere in an application and encountered this issue. I managed to boil it down to a CSP that fails but it's not obvious to me why, I think it's a bug but apologies if not. A worker loaded with the following CSP fails to load a script via importScripts: default-src 'self'; script-src 'strict-dynamic'; script-src-elem 'self'; Removing either "'strict-dynamic'" OR "script-src-elem 'self';" resolves the issue, e.g. either: default-src 'self'; script-src 'strict-dynamic'; default-src 'self'; script-src-elem 'self'; I have a small test case that loads a worker that calls importScripts, none of these cases fail in Chrome/Firefox/Opera/Edge latest. https://www.tests.massivedev.com/safari-worker-csp/?csp=1 - this fails in Safari 15.4 https://www.tests.massivedev.com/safari-worker-csp/?csp=2 https://www.tests.massivedev.com/safari-worker-csp/?csp=3 https://www.tests.massivedev.com/safari-worker-csp/?csp=4 1865438 1 webkit-bug-importer 2022-04-29 08:31:58 -0700 <rdar://problem/92525351> 1865439 2 katherine_cheney 2022-04-29 08:33:40 -0700 Hi! Thank you for filing this! I just want to confirm I understand - this behavior worked as expected on previous versions of iOS and now fails on 15.4? 1865440 3 webkit-bug-importer 2022-04-29 08:33:47 -0700 <rdar://problem/92525435> 1865567 4 webkit 2022-04-29 16:03:14 -0700 (In reply to Kate Cheney from comment #2) > Hi! Thank you for filing this! I just want to confirm I understand - this > behavior worked as expected on previous versions of iOS and now fails on > 15.4? Yep! I'm guessing based on the introduction of 'strict-dynamic' support. 1865665 5 pgriffis 2022-04-30 10:44:30 -0700 Didn't write a test for it yet and not sure this is the correct directive for everything that calls this method but the most direct fix: diff --git a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp index 7d73ac8bfb97..c7466c36f437 100644 --- a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp +++ b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp @@ -408,8 +408,7 @@ const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violat const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const String& nonce) const { - auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem); + auto* operativeDirective = this->operativeDirective(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem); if (!operativeDirective || operativeDirective->containsAllHashes(subResourceIntegrityDigests) || checkNonce(operativeDirective, nonce) 1866460 6 katherine_cheney 2022-05-04 08:25:53 -0700 (In reply to Patrick Griffis from comment #5) > Didn't write a test for it yet and not sure this is the correct directive > for everything that calls this method but the most direct fix: > > diff --git a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp > b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp > index 7d73ac8bfb97..c7466c36f437 100644 > --- a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp > +++ b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp > @@ -408,8 +408,7 @@ const ContentSecurityPolicyDirective* > ContentSecurityPolicyDirectiveList::violat > > const ContentSecurityPolicyDirective* > ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& > url, bool didReceiveRedirectResponse, const > Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const > String& nonce) const > { > - auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), > ContentSecurityPolicyDirectiveNames::scriptSrcElem); > + auto* operativeDirective = > this->operativeDirective(m_scriptSrcElem.get(), > ContentSecurityPolicyDirectiveNames::scriptSrcElem); > > if (!operativeDirective > || > operativeDirective->containsAllHashes(subResourceIntegrityDigests) > || checkNonce(operativeDirective, nonce) I think this will be fine because violatedDirectiveForScript is called for non-inline script sources which should all fall under script-src-elem. We will need to use operativeDirectiveScript to ensure we fall back to script-src if script-src-elem is not present. 1866983 7 458912 pgriffis 2022-05-05 14:04:22 -0700 Created attachment 458912 Patch 1867416 8 ews-feeder 2022-05-06 18:39:21 -0700 Committed r293940 (250386@main): <https://commits.webkit.org/250386@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 458912. 1877749 9 bfulgham 2022-06-23 12:03:43 -0700 *** Bug 241337 has been marked as a duplicate of this bug. *** 458912 2022-05-05 14:04:22 -0700 2022-05-06 18:39:23 -0700 Patch bug-239840-20220505160421.patch text/plain 4554 pgriffis U3VidmVyc2lvbiBSZXZpc2lvbjogMjkzNTgwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZTRiNmU3NzQ5NTYzMTRh YTc5ZjMwYmU3M2Q2YTRiODY4OTFmZDU2NC4uNzY2OGFmOTE0YmM2OTU5NjQxZjVkYTg4NmFkZWNl Y2UzOWE3ZGM1ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDIyLTA1LTA1ICBQYXRy aWNrIEdyaWZmaXMgIDxwZ3JpZmZpc0BpZ2FsaWEuY29tPgorCisgICAgICAgIENTUDogRml4IHNj cmlwdC1zcmMtZWxlbSBwb2xpY2llcyBpbiB3b3JrZXJzCisgICAgICAgIGh0dHBzOi8vYnVncy53 ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzk4NDAKKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUZXN0OiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRl bnRTZWN1cml0eVBvbGljeS9zY3JpcHQtc3JjLXN0cmljdC1keW5hbWljLWFuZC1zY3JpcHQtc3Jj LWVsZW0uaHRtbAorCisgICAgICAgICogcGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9saWN5RGly ZWN0aXZlTGlzdC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpDb250ZW50U2VjdXJpdHlQb2xpY3lE aXJlY3RpdmVMaXN0Ojp2aW9sYXRlZERpcmVjdGl2ZUZvclNjcmlwdCBjb25zdCk6CisKIDIwMjIt MDUtMDUgIFBhdHJpY2sgR3JpZmZpcyAgPHBncmlmZmlzQGlnYWxpYS5jb20+CiAKICAgICAgICAg Q1NQOiBGaXggaW5jb3JyZWN0IGJsb2NrZWQtdXJpIGZvciBpbmxpbmUgc2NyaXB0cyBhbmQgc3Ry aWN0LWR5bmFtaWMgcG9saWNpZXMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvY3Nw L0NvbnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZUxpc3QuY3BwIGIvU291cmNlL1dlYkNvcmUv cGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAKaW5kZXggN2Q3 M2FjOGJmYjk3NDEyN2Y2YWRiNzlkMWNkNWY1ZjZjYjgxNTJlZi4uMDdjNDgwMTNhODk0ZTAwYTc1 MjI5NmQ4YjM4ZmViY2I1NTM1ZDNhNCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcGFnZS9j c3AvQ29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAKKysrIGIvU291cmNlL1dl YkNvcmUvcGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAKQEAg LTQwOCw3ICs0MDgsNyBAQCBjb25zdCBDb250ZW50U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmUqIENv bnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZUxpc3Q6OnZpb2xhdAogCiBjb25zdCBDb250ZW50 U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmUqIENvbnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZUxp c3Q6OnZpb2xhdGVkRGlyZWN0aXZlRm9yU2NyaXB0KGNvbnN0IFVSTCYgdXJsLCBib29sIGRpZFJl Y2VpdmVSZWRpcmVjdFJlc3BvbnNlLCBjb25zdCBWZWN0b3I8UmVzb3VyY2VDcnlwdG9ncmFwaGlj RGlnZXN0PiYgc3ViUmVzb3VyY2VJbnRlZ3JpdHlEaWdlc3RzLCBjb25zdCBTdHJpbmcmIG5vbmNl KSBjb25zdAogewotICAgIGF1dG8qIG9wZXJhdGl2ZURpcmVjdGl2ZSA9IHRoaXMtPm9wZXJhdGl2 ZURpcmVjdGl2ZShtX3NjcmlwdFNyYy5nZXQoKSwgQ29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0 aXZlTmFtZXM6OnNjcmlwdFNyY0VsZW0pOworICAgIGF1dG8qIG9wZXJhdGl2ZURpcmVjdGl2ZSA9 IHRoaXMtPm9wZXJhdGl2ZURpcmVjdGl2ZVNjcmlwdChtX3NjcmlwdFNyY0VsZW0uZ2V0KCksIENv bnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZU5hbWVzOjpzY3JpcHRTcmNFbGVtKTsKIAogICAg IGlmICghb3BlcmF0aXZlRGlyZWN0aXZlCiAgICAgICAgIHx8IG9wZXJhdGl2ZURpcmVjdGl2ZS0+ Y29udGFpbnNBbGxIYXNoZXMoc3ViUmVzb3VyY2VJbnRlZ3JpdHlEaWdlc3RzKQpkaWZmIC0tZ2l0 IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDFi NTIyNzA0MWFhY2UwZjEzZDA1YmY1ODQyOTg5NTlkNThiNjk5MGQuLjg1ZTBhZDA5YjM2Mzk4MjNh NzRiOGRmYmRlMWMzYTliODRiY2E4YmMgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxv ZworKysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNSBAQAorMjAyMi0wNS0w NSAgUGF0cmljayBHcmlmZmlzICA8cGdyaWZmaXNAaWdhbGlhLmNvbT4KKworICAgICAgICBDU1A6 IEZpeCBzY3JpcHQtc3JjLWVsZW0gcG9saWNpZXMgaW4gd29ya2VycworICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjM5ODQwCisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQ1NQOiBGaXggc2NyaXB0LXNyYy1lbGVt IHBvbGljaWVzIGluIHdvcmtlcnMKKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvY29u dGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5kLXNjcmlwdC1z cmMtZWxlbS1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJp dHkvY29udGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5kLXNj cmlwdC1zcmMtZWxlbS5odG1sOiBBZGRlZC4KKwogMjAyMi0wNS0wNSAgUGF0cmljayBHcmlmZmlz ICA8cGdyaWZmaXNAaWdhbGlhLmNvbT4KIAogICAgICAgICBDU1A6IEZpeCBpbmNvcnJlY3QgYmxv Y2tlZC11cmkgZm9yIGlubGluZSBzY3JpcHRzIGFuZCBzdHJpY3QtZHluYW1pYyBwb2xpY2llcwpk aWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJp dHlQb2xpY3kvc2NyaXB0LXNyYy1zdHJpY3QtZHluYW1pYy1hbmQtc2NyaXB0LXNyYy1lbGVtLWV4 cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3Vy aXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5kLXNjcmlwdC1zcmMtZWxlbS1l eHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uNDU2NTE5NjM3MTQ2YjVmMWMzN2M4NzFmZWE4YzEzMWQy ZDc1NjcxYwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkvY29udGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5kLXNj cmlwdC1zcmMtZWxlbS1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwyIEBACitBTEVSVDogaW1wb3J0 U2NyaXB0cyBhbGxvd2VkCisKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2Vj dXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5k LXNjcmlwdC1zcmMtZWxlbS5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9j b250ZW50U2VjdXJpdHlQb2xpY3kvc2NyaXB0LXNyYy1zdHJpY3QtZHluYW1pYy1hbmQtc2NyaXB0 LXNyYy1lbGVtLmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uYjk5ODkyMmIxOTFiY2U5YTQ5MzM5M2IxMjMwNGYz YzJiMjlkOTk1NwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2Vj dXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5k LXNjcmlwdC1zcmMtZWxlbS5odG1sCkBAIC0wLDAgKzEsMjggQEAKKzwhRE9DVFlQRSBodG1sPgor PGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAod2luZG93LnRlc3RSdW5uZXIpIHsKKyAgICB0 ZXN0UnVubmVyLndhaXRVbnRpbERvbmUoKTsKKyAgICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsK K30KKzwvc2NyaXB0PgorPC9oZWFkPgorPGJvZHk+Cis8c2NyaXB0PgordHJ5IHsKKyAgICB2YXIg d29ya2VyID0gbmV3IFdvcmtlcignaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRl bnRTZWN1cml0eVBvbGljeS9yZXNvdXJjZXMvd29ya2VyLnB5P3R5cGU9aW1wb3J0c2NyaXB0cyZj c3A9JyArCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgZW5jb2RlVVJJQ29tcG9uZW50KCJz Y3JpcHQtc3JjICdzdHJpY3QtZHluYW1pYyc7IHNjcmlwdC1zcmMtZWxlbSBsb2NhbGhvc3Q6ODAw MCIpKTsKKyAgICB3b3JrZXIub25tZXNzYWdlID0gZnVuY3Rpb24gKGV2ZW50KSB7CisgICAgICAg IGFsZXJ0KGV2ZW50LmRhdGEpOworICAgICAgICBpZiAod2luZG93LnRlc3RSdW5uZXIpCisgICAg ICAgICAgICB0ZXN0UnVubmVyLm5vdGlmeURvbmUoKTsKKyAgICB9OworfSBjYXRjaCAoZSkgewor ICAgIGFsZXJ0KGUpOworICAgIGlmICh3aW5kb3cudGVzdFJ1bm5lcikKKyAgICAgICAgdGVzdFJ1 bm5lci5ub3RpZnlEb25lKCk7Cit9Cis8L3NjcmlwdD4KKzwvYm9keT4KKzwvaHRtbD4K