Bug 234934

Summary: Implement CSP strict-dynamic for module scripts
Product: WebKit Reporter: Kate Cheney <katherine_cheney>
Component: New BugsAssignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, esprehn+autocc, ews-watchlist, kangil.han, mkwst
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing none

Kate Cheney
Reported 2022-01-06 13:26:09 PST
Implement CSP strict-dynamic for module scripts
Attachments
Patch (9.03 KB, patch)
2022-01-06 13:28 PST, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Patch for landing (9.02 KB, patch)
2022-01-07 09:24 PST, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Kate Cheney
Comment 1 2022-01-06 13:28:50 PST
Created attachment 448534 [details] Patch
Kate Cheney
Comment 2 2022-01-06 13:29:21 PST
rdar://83728374
Brent Fulgham
Comment 3 2022-01-06 14:05:54 PST
Comment on attachment 448534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448534&action=review r=me > Source/WebCore/dom/ScriptElement.cpp:379 > + if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted)) Is there a specific CSP spec step we should reference for this decision? I know most of the CSP code doesn't add such comments, but I find them helpful when reviewing other areas of WebKit. > LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html:6 > + <script src="/js-test-resources/testharnessreport.js" nonce='dummy'></script> Nit: Weird spacing here
Kate Cheney
Comment 4 2022-01-06 14:37:55 PST
Comment on attachment 448534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448534&action=review >> Source/WebCore/dom/ScriptElement.cpp:379 >> + if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted)) > > Is there a specific CSP spec step we should reference for this decision? I know most of the CSP code doesn't add such comments, but I find them helpful when reviewing other areas of WebKit. Do you mean the m_startLineNumber change or why we check for allowNonParserInsertedScripts here? If it is the latter, generally yes but not specifically to module scripts. Under https://www.w3.org/TR/CSP3/#strict-dynamic-usage the spec explains "Script requests which are triggered by non-"parser-inserted" script elements are allowed." requestModuleScript is a place we were formerly not checking a requested script's parser-inserted status.
Brent Fulgham
Comment 5 2022-01-06 14:42:03 PST
Comment on attachment 448534 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448534&action=review >>> Source/WebCore/dom/ScriptElement.cpp:379 >>> + if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted)) >> >> Is there a specific CSP spec step we should reference for this decision? I know most of the CSP code doesn't add such comments, but I find them helpful when reviewing other areas of WebKit. > > Do you mean the m_startLineNumber change or why we check for allowNonParserInsertedScripts here? > > If it is the latter, generally yes but not specifically to module scripts. Under https://www.w3.org/TR/CSP3/#strict-dynamic-usage the spec explains "Script requests which are triggered by non-"parser-inserted" script elements are allowed." requestModuleScript is a place we were formerly not checking a requested script's parser-inserted status. I meant the latter, so I think you've explained it.
Kate Cheney
Comment 6 2022-01-07 09:24:25 PST
Created attachment 448604 [details] Patch for landing
EWS
Comment 7 2022-01-07 10:06:09 PST
Committed r287756 (245819@main): <https://commits.webkit.org/245819@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448604 [details].
Note You need to log in before you can comment on or make changes to this bug.