Bug 155709

Summary: CSP: Should only execute <script> or apply <style> if its hash appears in all policies
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aestes, bfulgham, commit-queue, mkwst, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All
Attachments (description: flags):
Example (script hash): none
Patch and Layout Tests: darin: review+

Daniel Bates
Reported 2016-03-20 20:52:15 PDT
Created attachment 274568 [details] Example (script hash)

We should execute an inline script or apply an inline stylesheet only if its hash is listed in all of the policies on the page. Otherwise a malicious person can run/apply an arbitrary script/stylesheet s with hash h_s by injecting s together with a CSP that lists h_s on a page with an XSS vulnerability.

The following demonstrates the issue with script hashes:

Steps to reproduce:
1. Open the attached example. Then you will see three JavaScript alerts with messages (in order) "FAIL did execute first script", "FAIL did execute second script", and "PASS", respectively. But you should see exactly one JavaScript alert with message "PASS", because the inline script that shows this JavaScript alert is the only script on the page whose hash is listed in both of the CSP policies delivered with the page.
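The check the report asks for, modelled in Python as an added example (not WebKit's code and not the attached test page): each delivered policy is evaluated on its own, and the reported bug corresponds to accepting a script when any policy lists its hash, while the fix requires every policy to list it. The script bodies and the two policies below are constructed to mirror the three-alert scenario above; only hash sources are modelled, not nonces or 'unsafe-inline'.

```python
import base64
import hashlib


def script_hash(source: str, algorithm: str = "sha256") -> str:
    """CSP hash-source token for an inline script body, e.g. 'sha256-<base64 digest>'."""
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_policy(policy: str) -> dict:
    """Parse a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def policy_allows_inline_script(policy: str, source: str) -> bool:
    """Whether ONE policy permits this inline script via a hash source.
    script-src governs scripts, falling back to default-src; a policy that sets
    neither places no restriction on inline scripts."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    hashes = {s.strip("'") for s in sources if s.lower().startswith("'sha")}
    return script_hash(source) in hashes


def any_policy_allows(policies, source) -> bool:
    """The behaviour the bug reports: the script runs if ANY delivered policy lists its hash."""
    return any(policy_allows_inline_script(p, source) for p in policies)


def all_policies_allow(policies, source) -> bool:
    """Correct behaviour: the script runs only if EVERY delivered policy lists its hash."""
    return all(policy_allows_inline_script(p, source) for p in policies)


# Constructed scenario (assumption, not the attachment's content): two policies are
# delivered with the page, and only the third script is hashed in both of them.
FIRST = "alert('FAIL did execute first script')"
SECOND = "alert('FAIL did execute second script')"
PASS = "alert('PASS')"
POLICIES = [
    f"script-src '{script_hash(FIRST)}' '{script_hash(PASS)}'",
    f"script-src '{script_hash(SECOND)}' '{script_hash(PASS)}'",
]

if __name__ == "__main__":
    for body in (FIRST, SECOND, PASS):
        print(f"{body!r}: any={any_policy_allows(POLICIES, body)} all={all_policies_allow(POLICIES, body)}")
```

With the all-policies rule, an attacker-injected third policy that lists the hash of an injected script changes nothing, because the page's original policies still do not list it.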
Attachments
Example (script hash) (1.04 KB, text/html), 2016-03-20 20:52 PDT, Daniel Bates, no flags
Patch and Layout Tests (10.97 KB, patch), 2016-03-20 20:58 PDT, Daniel Bates, darin: review+
Radar WebKit Bug Importer
Comment 1 2016-03-20 20:53:26 PDT
Daniel Bates
Comment 2 2016-03-20 20:58:23 PDT
Created attachment 274569 [details] Patch and Layout Tests
Daniel Bates
Comment 3 2016-03-22 14:27:12 PDT