Bug 155184
| Field | Value |
|---|---|
| Summary | CSP: Compute digest with respect to the raw bytes received from the page |
| Product | WebKit |
| Component | WebCore Misc. |
| Status | RESOLVED INVALID |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Local Build |
| Hardware | All |
| OS | All |
| Reporter | Daniel Bates <dbates> |
| Assignee | Nobody <webkit-unassigned> |
| CC | bfulgham, pgriffis, webkit-bug-importer |
| Keywords | InRadar |
| Bug Depends on | 155007 |
| Bug Blocks | |

Daniel Bates
Following up from Brent Fulgham's remark in bug #155007, comment 5, we should compute the digest for an inline script/stylesheet using the raw bytes from the page instead of the output from the parser to ensure that the computed hash matches the hash specified in the CSP. The output from the parser may differ in Unicode normalization and XML/HTML entity decoding from the raw byte representation of the inline script/stylesheet among other differences.
Radar WebKit Bug Importer
<rdar://problem/25041563>
Patrick Griffis
Closing this as it is no longer relevant to modern CSP.
All other browsers implemented CSP as hashing the UTF-8 encoded version of content and as of CSP3 this is now documented in the spec[0]. WebKit now follows that behavior as of r287270.
[0] https://www.w3.org/TR/CSP3/#match-element-to-source-list
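
The following is an added example, not part of the bug thread or of WebKit's code. It computes a CSP hash-source over the UTF-8 encoding of inline content, as the closing comment describes, and shows why a digest over differently encoded raw bytes or a differently normalized string does not match. The function names and the sample script are constructed for illustration.

```python
import base64
import hashlib
import unicodedata

# Digest algorithms usable in CSP hash-source expressions.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
              "sha512": hashlib.sha512}


def hash_source_from_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Format a digest of the given bytes as a quoted hash-source token."""
    digest = ALGORITHMS[algorithm](data).digest()
    return "'{}-{}'".format(algorithm, base64.b64encode(digest).decode("ascii"))


def csp_hash_source(text: str, algorithm: str = "sha256") -> str:
    """Hash-source for inline content, digesting its UTF-8 encoding."""
    return hash_source_from_bytes(text.encode("utf-8"), algorithm)


def matches_policy(text: str, source_list: str) -> bool:
    """True if any hash-source in the source list matches the content."""
    for token in source_list.split():
        algorithm = token.strip("'").split("-", 1)[0]
        if algorithm in ALGORITHMS and token == csp_hash_source(text, algorithm):
            return True
    return False


# Constructed sample: an inline script body with one non-ASCII character.
SCRIPT = 'document.title = "caf\u00e9";'
# The same script as raw bytes from a page saved as windows-1252.
RAW_1252 = SCRIPT.encode("windows-1252")
# Visually identical text in decomposed (NFD) form: 'e' + combining accent.
SCRIPT_NFD = unicodedata.normalize("NFD", SCRIPT)
# Constructed source list, as it would follow script-src in a policy.
POLICY_SOURCES = "'self' " + csp_hash_source(SCRIPT)

if __name__ == "__main__":
    print("UTF-8 text hash :", csp_hash_source(SCRIPT))
    print("raw cp1252 hash :", hash_source_from_bytes(RAW_1252))
    print("original allowed:", matches_policy(SCRIPT, POLICY_SOURCES))
    print("NFD form allowed:", matches_policy(SCRIPT_NFD, POLICY_SOURCES))
```

When generating hashes at build time, digest the script text exactly as it appears between the tags, encoded as UTF-8, rather than bytes read from a template file stored in another encoding.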