RESOLVED INVALID 155184
CSP: Compute digest with respect to the raw bytes received from the page
https://bugs.webkit.org/show_bug.cgi?id=155184
Daniel Bates
Reported 2016-03-08 12:59:39 PST
Following up from Brent Fulgham's remark in bug #155007, comment 5, we should compute the digest for an inline script/stylesheet using the raw bytes from the page instead of the output from the parser to ensure that the computed hash matches the hash specified in the CSP. The output from the parser may differ in Unicode normalization and XML/HTML entity decoding from the raw byte representation of the inline script/stylesheet among other differences.
Radar WebKit Bug Importer
Comment 1 2016-03-08 13:00:01 PST
Patrick Griffis
Comment 2 2021-12-20 13:12:32 PST
Closing this as it is no longer relevant to modern CSP. All other browsers implemented CSP as hashing the UTF-8 encoded version of content and as of CSP3 this is now documented in the spec [0]. WebKit now follows that behavior as of r287270.
[0] https://www.w3.org/TR/CSP3/#match-element-to-source-list
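Added example (not part of the bug thread and not WebKit code): a Python sketch of the behaviour comment 2 describes, hashing the UTF-8 encoding of the inline content, next to a digest of the raw bytes of a page served as windows-1252 and of an NFD-normalized copy of the same text. The sample script, the policy string and all function names are constructed for illustration.

```python
import base64
import hashlib
import unicodedata

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(data: bytes, algorithm: str = "sha256") -> str:
    """Format a digest of `data` as a CSP hash source: 'algo-base64'."""
    digest = ALGORITHMS[algorithm](data).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def csp_hash_source(content: str, algorithm: str = "sha256") -> str:
    """Hash the decoded element content re-encoded as UTF-8 (comment 2)."""
    return hash_source(content.encode("utf-8"), algorithm)


def matches_policy(content: str, directive_value: str) -> bool:
    """True if a hash source in a script-src/style-src value matches content."""
    data = content.encode("utf-8")
    for token in directive_value.split():
        algorithm, _, encoded = token.strip("'").partition("-")
        algorithm = algorithm.lower()
        if algorithm not in ALGORITHMS or not encoded:
            continue  # 'self', 'unsafe-inline', hosts, nonces, ...
        try:
            # Accept base64url spellings of the digest as well as base64.
            expected = base64.b64decode(
                encoded.replace("-", "+").replace("_", "/"), validate=True)
        except ValueError:
            continue  # malformed digest: ignore the token
        if expected == ALGORITHMS[algorithm](data).digest():
            return True
    return False


# Constructed sample: inline script text containing one non-ASCII character.
SCRIPT = 'var name = "caf\u00e9";'
POLICY = "'self' " + csp_hash_source(SCRIPT)


def compare() -> dict:
    """Digests of the same visible text under three byte representations."""
    return {
        "utf8": csp_hash_source(SCRIPT),
        "raw_windows_1252": hash_source(SCRIPT.encode("windows-1252")),
        "nfd": csp_hash_source(unicodedata.normalize("NFD", SCRIPT)),
    }
```

A policy generator that hashes the file as stored on disk produces the value a browser expects only when that file is UTF-8 and byte-identical to the element's text content; `compare()` shows the three digests diverging otherwise.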