Bug 67008
| Summary: | Content Security Policy in Chrome doesn't let whitelisted script run | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adrienne Porter Felt <apf> |
| Component: | WebCore Misc. | Assignee: | Adam Barth <abarth> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | abarth |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | http://gradgrind.erso.berkeley.edu/appendscripttest.php | | |
Adrienne Porter Felt
Load http://gradgrind.erso.berkeley.edu/appendscripttest.php in Chrome and Firefox and you will get two different interpretations of the same CSP.
The site has the following CSP set:
    header("X-Content-Security-Policy: allow 'self'; img-src *");
    header("X-WebKit-CSP: default-src 'self'; img-src *");
On the page, a whitelisted script dynamically appends a "script" element to the head, with a source on the same domain.
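    // Runs from an already-whitelisted same-origin script once the page has loaded.
    window.onload = function() {
        var headID = document.getElementsByTagName("head")[0];
        var newScript = document.createElement('script');
        newScript.type = 'text/javascript';
        // Relative URL, so it resolves to the same origin as the page.
        newScript.src = 'csp-4.js';
        headID.appendChild(newScript);
    };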
In Firefox, the new script executes.
In Chrome, the new script does not execute even though the src is whitelisted.
It seems to me like the Firefox behavior is correct and the Chrome behavior is wrong.
(My tests done on Google Chrome 15.0.862.0 canary and Firefox 6.0.)
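How a source list such as `default-src 'self'` is applied to the script URL in this report, shown as an added example rather than code from the report, WebKit or Firefox. The function names and the `other.example` URL are constructed for illustration, and only a subset of source expressions is handled.

```javascript
// Added example: simplified CSP source-list matching (assumption: only 'self',
// 'none', '*' and scheme://host[:port] sources; no paths or host wildcards).

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, documentUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  // Simplification: treat * as "any http(s) URL".
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (s === "'self'") return url.origin === new URL(documentUrl).origin;
  try {
    return new URL(source).origin === url.origin;
  } catch (e) {
    return false; // unsupported or malformed source expression
  }
}

// True if a script with this src may load from a page at documentUrl.
function scriptAllowed(header, src, documentUrl) {
  const directives = parsePolicy(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const list = directives.get('script-src') ?? directives.get('default-src');
  if (list === undefined) return true; // no applicable directive, no restriction
  const url = new URL(src, documentUrl); // resolve a relative src against the page
  return list.some((source) => sourceMatches(source, url, documentUrl));
}

// Values from the report: the page URL and the X-WebKit-CSP policy.
const PAGE_URL = 'http://gradgrind.erso.berkeley.edu/appendscripttest.php';
const REPORTED_POLICY = "default-src 'self'; img-src *";

console.log(scriptAllowed(REPORTED_POLICY, 'csp-4.js', PAGE_URL));
// Constructed cross-origin URL, not from the report.
console.log(scriptAllowed(REPORTED_POLICY, 'http://other.example/x.js', PAGE_URL));
```

In this model the decision takes only the policy, the resolved script URL and the document origin as inputs; how the `script` element was added to the page is not one of them.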
Adam Barth
*** This bug has been marked as a duplicate of bug 68921 ***