Bug 238014

Summary: REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
Product: WebKit Reporter: Martijn Dashorst <martijn.dashorst>
Component: Page LoadingAssignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, beidson, bfulgham, cdumez, changseok, emond.papegaaij, esprehn+autocc, ews-watchlist, gyuyoung.kim, katherine_cheney, mkwst, pgriffis, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=222484
Attachments:
Description Flags
Expected page render
none
Actual page render
none
Patch
none
Patch
none
Patch for landing none

Martijn Dashorst
Reported 2022-03-17 02:59:25 PDT
Created attachment 454946 [details] Expected page render Loading pages that have CSP enabled and use nonce's in their <link> tags fail to load the style sheets with the message below: [Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy. [Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy. [Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy. You can find such an example here: https://examples9x.wicket.apache.org/index.html This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in Epiphany latest and it is broken there as well, so this seems to be a webkit issue. Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request > If the result of executing § 6.6.2.2 Does nonce match source list? on request’s cryptographic nonce metadata and this directive’s value is "Matches", return "Allowed".
Attachments
Expected page render (422.85 KB, image/png)
2022-03-17 02:59 PDT, Martijn Dashorst 		no flags
Details
Actual page render (198.19 KB, image/png)
2022-03-17 02:59 PDT, Martijn Dashorst 		no flags
Details
Patch (4.23 KB, patch)
2022-03-24 12:12 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Patch (1.94 KB, patch)
2022-03-24 14:04 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.22 KB, patch)
2022-03-24 14:08 PDT, Kate Cheney 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Martijn Dashorst
Comment 1 2022-03-17 02:59:53 PDT
Created attachment 454947 [details] Actual page render
Alexey Proskuryakov
Comment 2 2022-03-18 17:30:28 PDT
> This works in Safari < 5.4, but is broken in Safari 5.4. I'm guessing that this is Safari 15.4, not 5.4, could you please confirm?
Martijn Dashorst
Comment 3 2022-03-21 01:33:18 PDT
Yes, 15.4
Radar WebKit Bug Importer
Comment 4 2022-03-21 16:14:29 PDT
<rdar://problem/90599352>
Kate Cheney
Comment 5 2022-03-24 08:48:32 PDT
Hi! Thanks for reporting, I am taking a look at this. I noticed in the reduction you linked (https://examples9x.wicket.apache.org/index.html) when I inspect the page the nonce is not specified for the stylesheets elements (I see "nonce" instead of something like "nonce='abc'"). Is this a mistake in the creation of the reduction, or could this be the issue? Maybe I am missing something.. Thanks!
Martijn Dashorst
Comment 6 2022-03-24 09:15:27 PDT
If you "View Source" you will see the nonce's. <link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" /> <link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" /> <link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
Kate Cheney
Comment 8 2022-03-24 09:35:28 PDT
I see - thanks for the clarification!
Kate Cheney
Comment 9 2022-03-24 12:12:47 PDT
Created attachment 455663 [details] Patch
Patrick Griffis
Comment 10 2022-03-24 12:37:32 PDT
Comment on attachment 455663 [details] Patch Looks good to me.
Brent Fulgham
Comment 11 2022-03-24 12:41:35 PDT
Comment on attachment 455663 [details] Patch r=me
Kate Cheney
Comment 12 2022-03-24 14:04:28 PDT Comment hidden (obsolete)
Kate Cheney
Comment 13 2022-03-24 14:08:49 PDT
Created attachment 455680 [details] Patch for landing
EWS
Comment 14 2022-03-24 15:23:45 PDT
Committed r291816 (248843@main): <https://commits.webkit.org/248843@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 455680 [details].
Brent Fulgham
Comment 15 2022-05-26 14:54:24 PDT
This fix shipped with Safari 15.5 (all platforms).
Note You need to log in before you can comment on or make changes to this bug.