Bug 267579

Summary: Enforce requirement that keyword sources in CSP source expressions must be separated by whitespace
Product: WebKit Reporter: Luke Warlow <lwarlow>
Component: New BugsAssignee: sideshowbarker <mike>
Status: NEW    
Severity: Normal CC: karlcow, mike, rreno, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Safari 17   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=289904

Luke Warlow
Reported 2024-01-16 05:29:18 PST
Load `data:text/html,<meta http-equiv="Content-Security-Policy" content="script-src 'self''foo';">` in Chromium and you will correctly see a warning in the console. Load the same URL in Safari and you won't see any errors. Safari appears to only be matching that the buffer contains 'self' and not checking that the immediate next character is whitespace.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-01-18 08:56:09 PST
<rdar://problem/121196747>
sideshowbarker
Comment 2 2024-02-10 17:40:09 PST
Pull request: https://github.com/WebKit/WebKit/pull/24217
Note You need to log in before you can comment on or make changes to this bug.