239862 2022-04-28 11:54:18 -0700 CSP: Fix mixing strict-dynamic and unsafe-inline policies 2022-04-28 19:01:13 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 pgriffis pgriffis bfulgham ews-watchlist katherine_cheney mkwst webkit-bug-importer oldest_to_newest 1865212 0 pgriffis 2022-04-28 11:54:18 -0700 If you have multiple policies, one including strict-dynamic and another with unsafe-inline, the unsafe-inline policy was incorrectly handled. 1865213 1 458540 pgriffis 2022-04-28 11:59:45 -0700 Created attachment 458540 Patch 1865318 2 ews-feeder 2022-04-28 19:00:12 -0700 Committed r293603 (250109@main): <https://commits.webkit.org/250109@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 458540. 1865319 3 webkit-bug-importer 2022-04-28 19:01:13 -0700 <rdar://problem/92500528> 458540 2022-04-28 11:59:45 -0700 2022-04-28 19:00:13 -0700 Patch bug-239862-20220428135944.patch text/plain 4471 pgriffis U3VidmVyc2lvbiBSZXZpc2lvbjogMjkzNTgwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNjFjMmVmYmM0MDg3YzA1 N2RiZWIzY2Y5ZjZjMDkwYzk2MGU4NDBiZS4uNGQ0NjcwYjMxZGM4NjAxNmUyNWQ2ZmY5MjM0MDU4 NDliYWIzMjBmNCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDIyLTA0LTI4ICBQYXRy aWNrIEdyaWZmaXMgIDxwZ3JpZmZpc0BpZ2FsaWEuY29tPgorCisgICAgICAgIENTUDogRml4IG1p eGluZyBzdHJpY3QtZHluYW1pYyBhbmQgdW5zYWZlLWlubGluZSBwb2xpY2llcworICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjM5ODYyCisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9z ZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc2NyaXB0LXNyYy1zdHJpY3QtZHluYW1pYy1h bmQtdW5zYWZlLWlubGluZS1wb2xpY2llcy5odG1sCisKKyAgICAgICAgKiBwYWdlL2NzcC9Db250 ZW50U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmVMaXN0LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkNv bnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZUxpc3Q6OnZpb2xhdGVkRGlyZWN0aXZlRm9yTm9u UGFyc2VySW5zZXJ0ZWRTY3JpcHRzIGNvbnN0KToKKwogMjAyMi0wNC0yOCAgUGhpbGlwcGUgTm9y bWFuZCAgPHBoaWxuQGlnYWxpYS5jb20+CiAKICAgICAgICAgW0dTdHJlYW1lcl0gUGlwZXdpcmUg ZGlzcGxheSBjYXB0dXJlIGJyb2tlbgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGFnZS9j c3AvQ29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAgYi9Tb3VyY2UvV2ViQ29y ZS9wYWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmVMaXN0LmNwcAppbmRleCBh MDUxZjZlYmEwNjZiNGZlN2U0Mjk0Zjk3YTBlZjUzOGI1YzQ5MGFhLi43ZDczYWM4YmZiOTc0MTI3 ZjZhZGI3OWQxY2Q1ZjVmNmNiODE1MmVmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wYWdl L2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmVMaXN0LmNwcAorKysgYi9Tb3VyY2Uv V2ViQ29yZS9wYWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3lEaXJlY3RpdmVMaXN0LmNwcApA QCAtMjQ2LDcgKzI0Niw4IEBAIGNvbnN0IENvbnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZSog Q29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdDo6dmlvbGF0CiAgICAgaWYgKGNoZWNr SGFzaGVzKG9wZXJhdGl2ZURpcmVjdGl2ZSwgaGFzaGVzKQogICAgICAgICB8fCBjaGVja05vblBh cnNlckluc2VydGVkU2NyaXB0cyhvcGVyYXRpdmVEaXJlY3RpdmUsIHBhcnNlckluc2VydGVkKQog ICAgICAgICB8fCBjaGVja05vbmNlKG9wZXJhdGl2ZURpcmVjdGl2ZSwgbm9uY2UpCi0gICAgICAg IHx8IGNoZWNrU291cmNlKG9wZXJhdGl2ZURpcmVjdGl2ZSwgdXJsKSkKKyAgICAgICAgfHwgY2hl Y2tTb3VyY2Uob3BlcmF0aXZlRGlyZWN0aXZlLCB1cmwpCisgICAgICAgIHx8ICh1cmwuaXNFbXB0 eSgpICYmIGNoZWNrSW5saW5lKG9wZXJhdGl2ZURpcmVjdGl2ZSkpKQogICAgICAgICByZXR1cm4g bnVsbHB0cjsKICAgICByZXR1cm4gb3BlcmF0aXZlRGlyZWN0aXZlOwogfQpkaWZmIC0tZ2l0IGEv TGF5b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDQ1NjRh MGNhNzhjNTlmZjNkYzJjNjYyOWFlYWIxNGI0OWI3MmVhMWMuLjg1Yzk2ZGZhZjFmYjJlNTI1YjMw NjkxNDE2ZTZkMmIwZmVlYTk2N2YgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZwor KysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNiBAQAorMjAyMi0wNC0yOCAg UGF0cmljayBHcmlmZmlzICA8cGdyaWZmaXNAaWdhbGlhLmNvbT4KKworICAgICAgICBDU1A6IEZp eCBtaXhpbmcgc3RyaWN0LWR5bmFtaWMgYW5kIHVuc2FmZS1pbmxpbmUgcG9saWNpZXMKKyAgICAg ICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIzOTg2MgorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIElmIHlvdSBoYWQgbXVs dGlwbGUgcG9saWNpZXMsIG9uZSBpbmNsdWRpbmcgc3RyaWN0LWR5bmFtaWMgYW5kIGFub3RoZXIg d2l0aCB1bnNhZmUtaW5saW5lLCB0aGUgdW5zYWZlLWlubGluZQorICAgICAgICBwb2xpY3kgd2Fz IGluY29ycmVjdGx5IGhhbmRsZWQuCisKKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2Nv bnRlbnRTZWN1cml0eVBvbGljeS9zY3JpcHQtc3JjLXN0cmljdC1keW5hbWljLWFuZC11bnNhZmUt aW5saW5lLXBvbGljaWVzLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0 cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc2NyaXB0LXNyYy1zdHJpY3QtZHluYW1p Yy1hbmQtdW5zYWZlLWlubGluZS1wb2xpY2llcy5odG1sOiBBZGRlZC4KKwogMjAyMi0wNC0yOCAg WXVzdWtlIFN1enVraSAgPHlzdXp1a2lAYXBwbGUuY29tPgogCiAgICAgICAgIFtXVEZdIFVzZSBx dWFkcmF0aWMtcHJvYmluZyBpbnN0ZWFkIG9mIGRvdWJsZS1oYXNoaW5nCmRpZmYgLS1naXQgYS9M YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zY3Jp cHQtc3JjLXN0cmljdC1keW5hbWljLWFuZC11bnNhZmUtaW5saW5lLXBvbGljaWVzLWV4cGVjdGVk LnR4dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9s aWN5L3NjcmlwdC1zcmMtc3RyaWN0LWR5bmFtaWMtYW5kLXVuc2FmZS1pbmxpbmUtcG9saWNpZXMt ZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmVlMzhhYzYyNGU0Njc3MzI2MWRlYjg0ZGY5MTg4M2Zh NWExNTIwMDcKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zY3JpcHQtc3JjLXN0cmljdC1keW5hbWljLWFuZC11 bnNhZmUtaW5saW5lLXBvbGljaWVzLWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDIgQEAKK0NPTlNP TEUgTUVTU0FHRTogYWxsb3dlZAorCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zY3JpcHQtc3JjLXN0cmljdC1keW5hbWlj LWFuZC11bnNhZmUtaW5saW5lLXBvbGljaWVzLmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zY3JpcHQtc3JjLXN0cmljdC1keW5hbWlj LWFuZC11bnNhZmUtaW5saW5lLXBvbGljaWVzLmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5k ZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uMDE4NmY5OWZmMjUx YThhMjZjZmQyYjJhNzcyMjQ5NWU2Njg0ODg5NwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRl c3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3NjcmlwdC1zcmMt c3RyaWN0LWR5bmFtaWMtYW5kLXVuc2FmZS1pbmxpbmUtcG9saWNpZXMuaHRtbApAQCAtMCwwICsx LDE3IEBACis8IURPQ1RZUEUgaHRtbD4KKzxodG1sIGxhbmc9ImVuIj4KKyAgPGhlYWQ+CisgICAg PCEtLSBUaGlzIHRlc3RzIHRoYXQgd2UgcHJvcGVybHkgaGFuZGxlIG11bHRpcGxlIHBvbGljaWVz IHdoZW4gb25lIGluY2x1ZGVzIHN0cmljdC1keW5hbWljIGFuZCBhbm90aGVyIHVuc2FmZS1pbmxp bmUuIC0tPgorICAgIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtU2VjdXJpdHktUG9saWN5IiBj b250ZW50PSJzY3JpcHQtc3JjICdub25jZS1kdW1teScgJ3N0cmljdC1keW5hbWljJyI+CisgICAg PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1TZWN1cml0eS1Qb2xpY3kiIGNvbnRlbnQ9InNjcmlw dC1zcmMgJ3Vuc2FmZS1pbmxpbmUnIj4KKyAgICA8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5 cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CisgICAgPHNjcmlwdCBub25j ZT0iZHVtbXkiPgorICAgICAgaWYgKHdpbmRvdy50ZXN0UnVubmVyKSB7CisgICAgICAgIHRlc3RS dW5uZXIuZHVtcEFzVGV4dCgpOworICAgICAgfQorICAgIDwvc2NyaXB0PgorICA8L2hlYWQ+Cisg IDxib2R5PgorICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBub25jZT0iZHVtbXki PmNvbnNvbGUubG9nKCdhbGxvd2VkJyk7PC9zY3JpcHQ+CisgIDwvYm9keT4KKzwvaHRtbD4KXCBO byBuZXdsaW5lIGF0IGVuZCBvZiBmaWxlCg==