270784 2024-03-11 03:46:39 -0700 CSP: External script with matching SRI hash is blocked when 'strict-dynamic' is present in script-src 2024-08-21 14:14:37 -0700 1 1 1 Unclassified WebKit WebCore Misc. Safari 17 Mac (Apple Silicon) macOS 14 RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=175277 BrowserCompat, InRadar P2 Normal --- 1 fotis.papadogeorgopoulos lwarlow bfulgham karlcow webkit-bug-importer wilander oldest_to_newest 2020034 0 470284 fotis.papadogeorgopoulos 2024-03-11 03:46:39 -0700 Created attachment 470284 HTML file that loads an external script with SRI hash When `script-src 'strict-dynamic'` is present in a CSP, external scripts with matching SRI hashes (via `integrity`) are blocked. If 'strict-dynamic' is removed, then scripts with a matching SRI are allowed (subject to the regular CSP hash checks). We recently ran into this at wolt.com, when migrating to a new CSP design. We rely on 'strict-dynamic' with external script SRI hashes for our script loading. This works as expected on Firefox and Chrome, but I admit that I am not super familiar with the spec, to make a call either way :) At the moment, we have to use user agent sniffing to avoid the scripts getting blocked on Safari, which is not ideal. We would like to understand whether this blocking is intended or incidental. CSP for external script SRI hashes was implemented at https://bugs.webkit.org/show_bug.cgi?id=233911, but it does not specifically address 'strict-dynamic', as far as I can tell. I have a reproduction at https://github.com/fpapado/csp-strict-dynamic-external-script-hash and a PR for WPT, if that runner is more familiar https://github.com/web-platform-tests/wpt/pull/44769. I am also attaching an index.html file, but there is a single attachment limit, so it is not useful by itself. Please let me know if there is any other information that I can provide, and I will get back to you promptly! It's likely I missed something. 2020035 1 470285 fotis.papadogeorgopoulos 2024-03-11 03:47:25 -0700 Created attachment 470285 External script file 2020255 2 webkit-bug-importer 2024-03-11 15:16:49 -0700 <rdar://problem/124410909> 2027294 3 karlcow 2024-04-09 17:46:26 -0700 Maybe it would be worth to create additional WPT tests for this. https://wpt.fyi/results/content-security-policy?label=master&label=experimental&aligned&q=safari%3Afail%20firefox%3Apass%20chrome%3Apass 2027416 4 fotis.papadogeorgopoulos 2024-04-10 05:53:01 -0700 (In reply to Karl Dubost from comment #3) > Maybe it would be worth to create additional WPT tests for this. > https://wpt.fyi/results/content-security- > policy?label=master&label=experimental&aligned&q=safari%3Afail%20firefox%3Apa > ss%20chrome%3Apass Definitely, if I am reading it right, there is a gap for this case in WPT at the moment. I made a start in this PR https://github.com/web-platform-tests/wpt/pull/44769, adding a case to the existing content-security-policy/script-src/script-src-strict_dynamic_hashes tests. I am not super familiar with authoring WPT though, so I might have missed more idiomatic ways of making those assertions :) Here is the deployed preview branch from WPT's CI: https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_hashes.html?label=pr_head&max-count=1&pr=44769 2027679 5 karlcow 2024-04-10 22:33:29 -0700 Fotis, Anne left a comment on https://github.com/web-platform-tests/wpt/pull/44769#issuecomment-2048945493 and opened https://github.com/w3c/webappsec-csp/issues/653 2028705 6 fotis.papadogeorgopoulos 2024-04-15 21:51:27 -0700 Hi Karl! Thank you and Anne for the help with this. The spec has now been changed to clarify this behaviour (https://github.com/w3c/webappsec-csp/issues/653) and the WPT test is merged (relevant view: https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_hashes.html?label=master&label=experimental&aligned&q=safari%3Afail%20firefox%3Apass%20chrome%3Apass). Please let me know if there is anything else I can do on my side. Otherwise, happy to leave this to you all. Thanks again :) 2028712 7 karlcow 2024-04-15 22:10:31 -0700 Thanks a lot Fotis. This is super helpful. This is being tracked internally too. 2053608 8 yesudeep 2024-08-18 16:51:51 -0700 Pull request: https://github.com/WebKit/WebKit/pull/32365 2054035 9 lwarlow 2024-08-20 03:04:04 -0700 Pull request: https://github.com/WebKit/WebKit/pull/32449 2054507 10 ews-feeder 2024-08-21 14:14:35 -0700 Committed 282577@main (88833ba4cdcb): <https://commits.webkit.org/282577@main> Reviewed commits have been landed. Closing PR #32449 and removing active labels. 470284 2024-03-11 03:46:39 -0700 2024-03-11 03:46:39 -0700 HTML file that loads an external script with SRI hash index.html text/html 916 fotis.papadogeorgopoulos PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+YHN0cmljdC1keW5hbWlj YCBhbGxvd3Mgc2NyaXB0cyBtYXRjaGluZyBoYXNoZXMgcHJlc2VudCBpbiB0aGUgcG9saWN5Ljwv dGl0bGU+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVNlY3VyaXR5LVBvbGljeSIgY29u dGVudD0ic2NyaXB0LXNyYyAnc3RyaWN0LWR5bmFtaWMnICdub25jZS1kdW1teScgJ3NoYTI1Ni13 SWMzS3RxT3VURkV1NnQxN3NJQnVPc3dna1Y0MDZWSnZoU2s3OUd3NlUwPSciPgo8L2hlYWQ+Cgo8 Ym9keT4KICAgIDxoMT5gc3RyaWN0LWR5bmFtaWNgIGFsbG93cyBzY3JpcHRzIG1hdGNoaW5nIGhh c2hlcyBwcmVzZW50IGluIHRoZSBwb2xpY3kuPC9oMT4KICAgIDxwPklmIHRoZSB0ZXN0IHN1Y2Nl ZWRzLCBub3RoaW5nIHdpbGwgYmUgbG9nZ2VkIGJlbG93LjwvcD4KICAgIDxkaXYgaWQ9J2xvZyc+ PC9kaXY+CgogICAgPHNjcmlwdCBub25jZT0nZHVtbXknPgogICAgICAgIHdpbmRvdy5hZGRFdmVu dExpc3RlbmVyKCdzZWN1cml0eXBvbGljeXZpb2xhdGlvbicsIGZ1bmN0aW9uKGUpIHsKICAgICAg ICAgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2xvZycpLmFwcGVuZCgndW5leHBlY3RlZCBD U1AgdmlvbGF0aW9uIHJlcG9ydCcpCiAgICAgICAgICAgIGNvbnNvbGUuZXJyb3IoZSkKICAgICAg ICB9KTsKICAgIDwvc2NyaXB0PgoKICAgIDxzY3JpcHQgbm9uY2U9J2R1bW15Jz4KICAgICAgICB2 YXIgZXh0ZXJuYWxSYW4gPSBmYWxzZTsKICAgIDwvc2NyaXB0PgogICAgPHNjcmlwdCBzcmM9Jy4v ZXh0ZXJuYWxTY3JpcHQuanMnCiAgICAgICAgaW50ZWdyaXR5PSJzaGEyNTYtd0ljM0t0cU91VEZF dTZ0MTdzSUJ1T3N3Z2tWNDA2Vkp2aFNrNzlHdzZVMD0iPjwvc2NyaXB0Pgo8L2JvZHk+Cgo8L2h0 bWw+Cg== 470285 2024-03-11 03:47:25 -0700 2024-03-11 03:47:25 -0700 External script file externalScript.js text/javascript 19 fotis.papadogeorgopoulos ZXh0ZXJuYWxSYW4gPSB0cnVlOw==