Created attachment 274568
Example (script hash)

We should execute an inline script or apply an inline stylesheet only if its hash is listed in all of the policies on the page. Otherwise a malicious person can run/apply an arbitrary script/stylesheet s with hash h_s by injecting s together with a CSP that lists h_s on a page with an XSS vulnerability.

The following demonstrates the issue with script hashes:

Steps to reproduce:
1. Open the attached example. Then you will see three JavaScript alerts with messages (in order) "FAIL did execute first script", "FAIL did execute second script", and "PASS", respectively. But you should see exactly one JavaScript alert with message "PASS" because the inline script that shows this JavaScript alert is the only script on the page whose hash is listed in both of the CSP policies delivered with the page.
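The enforcement rule at issue, as an added example that is not the attachment or WebKit's code: a small CSP hash-source evaluator run over a constructed page with three inline scripts and two delivered policies, comparing the wrong "any policy allows it" combination with the correct "every policy allows it" one. The policy strings and script bodies are constructed for this example.

```python
import base64
import hashlib


def hash_source(script: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script body, e.g. 'sha256-<base64>'."""
    digest = hashlib.new(algo, script.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def parse_policy(policy: str) -> dict:
    """Split one serialized policy into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def policy_allows_inline_script(policy: str, script: str) -> bool:
    """Does this single policy permit the inline script to execute?"""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: this policy does not restrict inline script
    uses_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not uses_hash_or_nonce:
        return True  # 'unsafe-inline' is ignored once a hash or nonce source is present
    return any(hash_source(script, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


def scripts_that_run(policies, scripts, require_all_policies=True):
    """Scripts that would execute given every delivered policy (or, buggy, any one of them)."""
    combine = all if require_all_policies else any
    return [s for s in scripts
            if combine(policy_allows_inline_script(p, s) for p in policies)]


# Constructed sample page: the site's policy lists FIRST and THIRD, an injected
# second policy lists SECOND and THIRD. Only THIRD is listed in both.
FIRST = 'alert("FAIL did execute first script")'
SECOND = 'alert("FAIL did execute second script")'
THIRD = 'alert("PASS")'
POLICY_A = "script-src %s %s" % (hash_source(FIRST), hash_source(THIRD))
POLICY_B = "script-src %s %s" % (hash_source(SECOND), hash_source(THIRD))
POLICIES = [POLICY_A, POLICY_B]

if __name__ == "__main__":
    print("buggy (any policy):   ", scripts_that_run(POLICIES, [FIRST, SECOND, THIRD], False))
    print("correct (all policies):", scripts_that_run(POLICIES, [FIRST, SECOND, THIRD]))
```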
<rdar://problem/25263368>
Created attachment 274569
Patch and Layout Tests
Committed r198551: <http://trac.webkit.org/changeset/198551>