Bug 159832
Summary: | CSP: Do not send report violation for policies that have hash but not 'unsafe-inline' | |
---|---|---|---
Product: | WebKit | Reporter: | Daniel Bates <dbates>
Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | bfulgham, pgriffis, wilander
Priority: | P2 | |
Version: | WebKit Local Build | |
Hardware: | All | |
OS: | All | |
Bug Depends on: | 159841 | |
Bug Blocks: | | |
Daniel Bates
Suppose a page has the following markup:
```html
...
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-A'">
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<script>/* A script whose CSP SHA is 'sha256-A'. */</script>
...
```
Then we should send exactly one CSP violation report that explains that the script was blocked because it violated the second CSP meta tag.
We should have similar behavior for policies that have hashes for style elements.
Patrick Griffis
Fixed by r288132