158103 – Multiple CSP policies (report-only and enforcing) do not intersect correctly

Bug 158103 - Multiple CSP policies (report-only and enforcing) do not intersect correctly

Summary: Multiple CSP policies (report-only and enforcing) do not intersect correctly

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	Safari Technology Preview
Hardware:	Mac OS X 10.11

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:	159841
Blocks:
	Show dependency tree / graph

Reported:	2016-05-25 18:04 PDT by devd
Modified:	2022-02-08 14:37 PST (History)
CC List:	7 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description devd 2016-05-25 18:04:00 PDT

Test case: http://lingro.com:81/cgi-bin/csp-2-enforcing.py


Content-Security-Policy: script-src 'nonce-foobar123'; report-uri /enforcing, script-src www.google.com; report-uri /enforcing2

<html>
	<head>
		<!-- This should execute without violations because it satisfies both policies -->
		<script nonce="foobar123" src="https://www.google.com/jsapi?callback=alert&1-ok"></script>

		<!-- This should NOT execute because it violates the (enforcing) whitelist policy -->
		<script nonce="foobar123" src="https://www.google.com.PL/jsapi?callback=alert&2-reporting-bad"></script>

		<!-- This should NOT execute because it violates the (enforcing) nonce policy -->
		<script src="https://www.google.com/jsapi?callback=alert&3-bad"></script>
	</head>
	<body>
	</body>
</html>


--

These have two policies: one with nonce and another with host based policies. A script should execute when it has the right nonce and the host matches the host-src whitelist. But, all script tags get blocked. Firefox handles this correctly (at least based on my reading of the spec) but Chrome also breaks (but is fixing). 

Relatedly, there is a similar bug when one policy is report-only and another is enforcing: 
http://lingro.com:81/cgi-bin/csp-both-modes-safari.py


thank you!

Comment 1 Radar WebKit Bug Importer 2016-05-27 12:09:27 PDT

<rdar://problem/26522376>

Comment 2 devd 2017-11-11 16:36:03 PST

Hi WebKit friends!

Any updates on this bug? This keeps biting us and reduces the security of our csp policy. Would love to see this resolved!

Comment 3 goschwald 2019-05-20 13:23:55 PDT

I also ran into this issue.

Comment 4 sideshowbarker 2019-07-08 04:10:36 PDT

There’s a question at Stack Overflow that seems to be a case of this same problem —

https://stackoverflow.com/a/56933431/441757

Comment 5 Ella 2021-08-12 03:07:08 PDT

Hi 

   Any updates on this bug? I still ran into this bug with Safari Version 13.1 (15609.1.20.111.8)

Comment 6 Brent Fulgham 2022-02-08 14:36:56 PST

Hi folks. I *think* that this bug is an earlier report of Bug 235199, which was fixed in r288132.

This should be available in an STP build soon.

Comment 7 Brent Fulgham 2022-02-08 14:37:31 PST

(In reply to Brent Fulgham from comment #6)
> Hi folks. I *think* that this bug is an earlier report of Bug 235199, which
> was fixed in r288132.
> 
> This should be available in an STP build soon.

I think this because of the error, but the original test case from years ago is no longer available, so I can't definitely confirm.