| Summary: | CSP functional bug: Safari checks callerRealm for eval | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Seongil Wi <seongil.wi> |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | bfulgham, katherine_cheney, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Change statement: Check only callerRealm for eval => The spec states that only calleeRealm should be checked for eval.
Hello,

As far as I know, if a parent frame forbids 'unsafe-eval' and a child frame allows 'unsafe-eval', and both are on the same origin, `childIframeElement.contentWindow.eval('foo')` should be allowed. (Check only callerRealm for eval)

[*] https://github.com/w3c/webappsec-csp/pull/540
[*] https://github.com/w3c/webappsec-csp/issues/438

However, I observed that Safari does not follow the spec. To reproduce the bug, please visit the following page:

test.html

```html
<html>
<head>
<!-- Parent document: nonce-only script-src, so eval is forbidden in this realm -->
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123';">
</head>
<body>
<!-- Same-origin child document with no CSP of its own -->
<iframe id=GGGdCcdaGGG src=self.html></iframe>
<script nonce=123>
// Call eval on the child's global once it has loaded, then reload the child
GGGdCcdaGGG.onload = _ => GGGdCcdaGGG.contentWindow.eval("alert(1)");
GGGdCcdaGGG.contentWindow.location.reload();
</script>
</body>
</html>
```

self.html (empty file)
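To make the realm question in this report concrete, the following is an added model (not the reporter's code or WebKit's) of how eval permission is derived from a serialized CSP and which realm's policy is consulted; the function names and the constructed `parent`/`child` realm objects are assumptions for illustration.

```javascript
// Added example, not from the bug report: models the CSP decision behind eval.
// The HTML spec's HostEnsureCanCompileStrings consults the CSP of the realm
// whose eval is invoked (the callee); the report describes Safari consulting
// the caller's realm instead. Policy strings below are constructed samples.

// Parse a serialized CSP into Map<directive name, source expression list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores duplicate directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// 'unsafe-eval' is governed by script-src, falling back to default-src.
// With neither directive present the policy does not restrict eval.
function cspAllowsEval(policy) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Spec behaviour: every policy of the callee realm's document must allow eval.
function evalAllowedPerSpec(callerRealm, calleeRealm) {
  return calleeRealm.policies.every(cspAllowsEval);
}

// Behaviour the report attributes to Safari: the caller realm's policies decide.
function evalAllowedCallerRealm(callerRealm, calleeRealm) {
  return callerRealm.policies.every(cspAllowsEval);
}

// Constructed realms mirroring test.html / self.html: the parent forbids eval
// via a nonce-only script-src; the same-origin child carries no CSP at all.
const parent = { origin: 'https://example.test', policies: ["script-src 'nonce-123';"] };
const child = { origin: 'https://example.test', policies: [] };

console.log('spec (callee realm):', evalAllowedPerSpec(parent, child)); // true
console.log('caller realm check:', evalAllowedCallerRealm(parent, child)); // false
```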