Bug 242054
| Summary: | CSP functional bug: Safari checks callerRealm for eval | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Seongil Wi <seongil.wi> |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | bfulgham, katherine_cheney, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Seongil Wi
Hello,
As far as I know, if a parent frame forbids 'unsafe-eval' and a child frame allows 'unsafe-eval', and both are on the same origin, childIframeElement.contentWindow.eval('foo') should be allowed.
(Check only callerRealm for eval)
[*] https://github.com/w3c/webappsec-csp/pull/540
[*] https://github.com/w3c/webappsec-csp/issues/438
However, I observed that Safari does not follow the spec.
To reproduce the bug, please visit the following page.
```test.html
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123';">
</head>
<body>
<!-- the parent policy above has no 'unsafe-eval'; the same-origin child frame (self.html) has no CSP -->
<iframe id=GGGdCcdaGGG src=self.html></iframe>
<script nonce=123>
GGGdCcdaGGG.onload = _ => GGGdCcdaGGG.contentWindow.eval("alert(1)");
GGGdCcdaGGG.contentWindow.location.reload();
</script>
</body>
</html>
```
```self.html
empty
```
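To make the caller-realm versus callee-realm distinction concrete, here is an added model of the CSP eval decision for the reproducer above (this is illustration code, not code from the bug report or from WebKit). It parses each realm's policy list, applies the spec rule from w3c/webappsec-csp#540 (consult only the callee realm) beside the behaviour this bug reports (consulting the caller realm); the realm objects, function names and policy strings are constructed for the example.

```javascript
// Added model of the CSP string-compilation check, not code from WebKit or the
// bug report. Realm objects, function names and policy strings are constructed.

// Parse a serialized CSP into { directiveName: [sourceExpressions...] }.
// A repeated directive name is ignored (the first occurrence wins), as in the spec.
function parseCsp(serialized) {
  const policy = {};
  for (const rawDirective of serialized.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

// Does every policy delivered to this realm permit eval()?
// script-src governs eval; default-src is the fallback when script-src is absent;
// with neither directive present, eval is not restricted by that policy.
function realmAllowsEval(policies) {
  return policies.every(serialized => {
    const policy = parseCsp(serialized);
    const governing = policy['script-src'] ?? policy['default-src'];
    return governing === undefined || governing.includes("'unsafe-eval'");
  });
}

// Spec rule (w3c/webappsec-csp#540): only the callee realm's policies matter,
// i.e. the realm whose eval() is being invoked.
function evalAllowedPerSpec(_callerRealm, calleeRealm) {
  return realmAllowsEval(calleeRealm.policies);
}

// Behaviour this bug reports for Safari: the caller realm's policies are consulted.
function evalAllowedAsReported(callerRealm, _calleeRealm) {
  return realmAllowsEval(callerRealm.policies);
}

// Constructed realms mirroring the reproducer: test.html carries a nonce-only
// script-src (no 'unsafe-eval'); the same-origin child self.html carries no CSP.
const parentRealm = { name: 'test.html', policies: ["script-src 'nonce-123';"] };
const childRealm = { name: 'self.html', policies: [] };

// Parent calling childIframe.contentWindow.eval(...): caller = parent, callee = child.
console.log('spec:    ', evalAllowedPerSpec(parentRealm, childRealm));    // true
console.log('reported:', evalAllowedAsReported(parentRealm, childRealm)); // false
```

The two decision functions differ only in which realm's policy list they read, which is exactly the discrepancy the report describes.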
Radar WebKit Bug Importer
<rdar://problem/96064179>
Seongil Wi
Change statement:
Check only callerRealm for eval => The spec states that only calleeRealm should be checked for eval.