Bug 155184 - CSP: Compute digest with respect to the raw bytes received from the page
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 155007
Blocks:
Reported: 2016-03-08 12:59 PST by Daniel Bates
Modified: 2021-12-20 13:12 PST

Description Daniel Bates 2016-03-08 12:59:39 PST
Following up from Brent Fulgham's remark in bug #155007, comment 5, we should compute the digest for an inline script/stylesheet using the raw bytes from the page instead of the output from the parser to ensure that the computed hash matches the hash specified in the CSP. The output from the parser may differ in Unicode normalization and XML/HTML entity decoding from the raw byte representation of the inline script/stylesheet among other differences.
Comment 1 Radar WebKit Bug Importer 2016-03-08 13:00:01 PST
<rdar://problem/25041563>
Comment 2 Patrick Griffis 2021-12-20 13:12:32 PST
Closing this as it is no longer relevant to modern CSP.

All other browsers implemented CSP as hashing the UTF-8 encoded version of content and as of CSP3 this is now documented in the spec[0]. WebKit now follows that behavior as of r287270.


[0] https://www.w3.org/TR/CSP3/#match-element-to-source-list
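
Added example (not part of the bug report and not WebKit code): a Python sketch comparing a hash-source computed over the UTF-8 encoding of the decoded inline script text, as Comment 2 describes, with one computed over the raw bytes of the page, as the description proposed. The sample script, the ISO-8859-1 page encoding and all function names are constructed for illustration.

```python
import base64
import hashlib
import unicodedata

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(data: bytes, algorithm: str = "sha256") -> str:
    """Format a digest of `data` as a CSP hash-source expression."""
    digest = ALGORITHMS[algorithm](data).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def csp_hash_source(script_text: str, algorithm: str = "sha256") -> str:
    """Hash the UTF-8 encoding of the decoded element text."""
    return hash_source(script_text.encode("utf-8"), algorithm)


def matches_policy(script_text: str, hash_sources: list) -> bool:
    """True if the element text matches any hash-source in the policy list."""
    for source in hash_sources:
        algorithm, _, value = source.strip("'").partition("-")
        if algorithm not in ALGORITHMS:
            continue  # unknown algorithm: ignore this expression
        # Tolerate base64url spellings by mapping them onto standard base64.
        expected = base64.b64decode(value.replace("-", "+").replace("_", "/"))
        actual = ALGORITHMS[algorithm](script_text.encode("utf-8")).digest()
        if actual == expected:
            return True
    return False


# Constructed sample: an inline script body containing a non-ASCII character.
SCRIPT = 'console.log("caf\u00e9");'
# The same script as the raw bytes of a page served as ISO-8859-1 (assumed).
RAW_LATIN1 = SCRIPT.encode("latin-1")
# A visually identical script in decomposed (NFD) form.
SCRIPT_NFD = unicodedata.normalize("NFD", SCRIPT)

if __name__ == "__main__":
    print("UTF-8 of decoded text:", csp_hash_source(SCRIPT))
    print("raw ISO-8859-1 bytes: ", hash_source(RAW_LATIN1))
    print("NFD variant matches:  ", matches_policy(SCRIPT_NFD, [csp_hash_source(SCRIPT)]))
```

For ASCII-only scripts the two digests coincide; they diverge only when the page encoding is not UTF-8 or when the text the policy author hashed differs in normalization from the text in the page.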