Summary: | CSP: Always use UTF-8 encoded content when checking hashes | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Patrick Griffis <pgriffis> | ||||||||||
Component: | WebCore Misc. | Assignee: | Patrick Griffis <pgriffis> | ||||||||||
Status: | RESOLVED FIXED | ||||||||||||
Severity: | Normal | CC: | bfulgham, ews-watchlist, katherine_cheney, mkwst, webkit-bug-importer | ||||||||||
Priority: | P2 | Keywords: | InRadar | ||||||||||
Version: | WebKit Nightly Build | ||||||||||||
Hardware: | Unspecified | ||||||||||||
OS: | Unspecified | ||||||||||||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=234518 | ||||||||||||
Attachments: |
|
Description
Patrick Griffis
2021-12-10 11:18:50 PST
Created attachment 446767 [details]
Patch
This isn't quite ready as testing locally `run-minibrowser` passes all tests for encoding, yet `run-webkit-tests` fails on the non-UTF-8 ones. I didn't see any relevant env vars or anything that should affect encoding. Created attachment 446903 [details]
Patch
Created attachment 446904 [details]
Patch
Still not sure why running the browser directly has different results, however this certainly is more in-line with the spec and passes more WPT tests. Created attachment 446935 [details]
Patch
The test failure really only happens when running via WebKit's HTTP server. For example: `hash-always-converted-to-utf-8/iso-8859-1.html` - `wpt serve` succeeds. - https://wpt.live succeeds. - `run-webkit-httpd` fails. So its something specific to how the tests are run. I would assume its not specific to the HTTP server as macOS and GTK have different servers that both fail. > So its something specific to how the tests are run. I would assume its not > specific to the HTTP server as macOS and GTK have different servers that > both fail. Sorry forgot to mention that the issue is in the raw data received at the HTTP layer. libsoup logs this as incoming HTTP data: `run-webkit-httpd`: > <!-- ? (micro sign) has the value of 0xB5 in latin-1 and of 0xC2B5 in utf-8 but the hash value should be the same as the utf-8 computed one --> https://wpt.live: > <!-- \xb5 (micro sign) has the value of 0xB5 in latin-1 and of 0xC2B5 in utf-8 but the hash value should be the same as the utf-8 computed one --> So the browser gets already invalid data from the HTTP server. Comment on attachment 446935 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=446935&action=review r=me. Could you file a bug about the unexpected http server results? > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:-371 > - // FIXME: Compute the digest with respect to the raw bytes received from the page. We should remember to mark this bug resolved once this patch lands. Committed r287270 (245426@main): <https://commits.webkit.org/245426@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 446935 [details]. This change should be present in STP 139, iOS 15.4 Beta, and macOS 12.3 Beta. |