Bug 314008

Summary: CSP strict-dynamic does not block parser-inserted external module scripts without a nonce
Product: WebKit
Reporter: roberto_rodriguez2
Component: New Bugs
Assignee: roberto_rodriguez2
Status: RESOLVED FIXED
Severity: Normal
CC: webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

roberto_rodriguez2
Reported 2026-05-04 13:17:45 PDT
rdar://175951114

When a CSP policy contains script-src 'nonce-X' 'strict-dynamic', parser-inserted external module scripts without a valid nonce execute without any CSP check.
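The decision the report describes, as an added model written for this page and not WebKit code: a small evaluator of the script-src check under 'nonce-…' plus 'strict-dynamic', with a constructed policy and constructed script descriptors, showing that a parser-inserted external module script without a valid nonce must be blocked (the case WebKit was letting through).

```javascript
// Added model of the CSP script-src decision under 'nonce-…' 'strict-dynamic'.
// Not WebKit code; the policy and script descriptors are constructed for illustration.

// Parsed form of: script-src 'nonce-abc123' 'strict-dynamic' https://cdn.example
const POLICY = {
  nonces: new Set(["abc123"]),
  strictDynamic: true,
  hostAllowlist: ["https://cdn.example"],
};

// script: { src?: string, nonce?: string, parserInserted: boolean, module: boolean }
function scriptAllowed(policy, script) {
  // 1. A nonce that matches the policy allows the script, whatever its type or origin.
  if (script.nonce !== undefined && policy.nonces.has(script.nonce)) return true;

  if (policy.strictDynamic) {
    // 2. 'strict-dynamic' propagates trust only to scripts added by already-trusted
    //    script through DOM APIs; host allowlists are ignored. A parser-inserted script
    //    without a valid nonce is blocked, and type="module" does not change that.
    return !script.parserInserted;
  }

  // 3. Without 'strict-dynamic', an external script may match the host allowlist.
  if (script.src !== undefined) {
    return policy.hostAllowlist.some((origin) => script.src.startsWith(origin + "/"));
  }
  // Inline script with no nonce ('unsafe-inline' is not modelled): blocked.
  return false;
}

// Constructed cases, including the one from the report.
const CASES = [
  { name: "parser-inserted external module script, no nonce (the reported case)",
    script: { src: "https://untrusted.example/m.js", parserInserted: true, module: true },
    expected: false },
  { name: "parser-inserted external module script with valid nonce",
    script: { src: "https://cdn.example/m.js", nonce: "abc123", parserInserted: true, module: true },
    expected: true },
  { name: "module script appended by trusted script, no nonce",
    script: { src: "https://cdn.example/m.js", parserInserted: false, module: true },
    expected: true },
  { name: "parser-inserted script from allowlisted host, no nonce (allowlist ignored)",
    script: { src: "https://cdn.example/c.js", parserInserted: true, module: false },
    expected: false },
];

function runCases() {
  return CASES.map((c) => ({ name: c.name, ok: scriptAllowed(POLICY, c.script) === c.expected }));
}

for (const r of runCases()) console.log(r.ok ? "PASS" : "FAIL", r.name);
```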
roberto_rodriguez2
Comment 1 2026-05-04 13:33:14 PDT
EWS
Comment 2 2026-05-06 22:02:07 PDT
Committed 312769@main (97937c9886e2): <https://commits.webkit.org/312769@main> Reviewed commits have been landed. Closing PR #64206 and removing active labels.