NEW158103
Multiple CSP policies (report-only and enforcing) do not intersect correctly 
https://bugs.webkit.org/show_bug.cgi?id=158103
Summary Multiple CSP policies (report-only and enforcing) do not intersect correctly
devd
Reported 2016-05-25 18:04:00 PDT
Test case: http://lingro.com:81/cgi-bin/csp-2-enforcing.py Content-Security-Policy: script-src 'nonce-foobar123'; report-uri /enforcing, script-src www.google.com; report-uri /enforcing2 <html> <head> <!-- This should execute without violations because it satisfies both policies --> <script nonce="foobar123" src="https://www.google.com/jsapi?callback=alert&1-ok"></script> <!-- This should NOT execute because it violates the (enforcing) whitelist policy --> <script nonce="foobar123" src="https://www.google.com.PL/jsapi?callback=alert&2-reporting-bad"></script> <!-- This should NOT execute because it violates the (enforcing) nonce policy --> <script src="https://www.google.com/jsapi?callback=alert&3-bad"></script> </head> <body> </body> </html> -- These have two policies: one with nonce and another with host based policies. A script should execute when it has the right nonce and the host matches the host-src whitelist. But, all script tags get blocked. Firefox handles this correctly (at least based on my reading of the spec) but Chrome also breaks (but is fixing). Relatedly, there is a similar bug when one policy is report-only and another is enforcing: http://lingro.com:81/cgi-bin/csp-both-modes-safari.py thank you!
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-05-27 12:09:27 PDT
<rdar://problem/26522376>
devd
Comment 2 2017-11-11 16:36:03 PST
Hi WebKit friends! Any updates on this bug? This keeps biting us and reduces the security of our csp policy. Would love to see this resolved!
goschwald
Comment 3 2019-05-20 13:23:55 PDT
I also ran into this issue.
sideshowbarker
Comment 4 2019-07-08 04:10:36 PDT
There’s a question at Stack Overflow that seems to be a case of this same problem — https://stackoverflow.com/a/56933431/441757
Ella
Comment 5 2021-08-12 03:07:08 PDT
Hi Any updates on this bug? I still ran into this bug with Safari Version 13.1 (15609.1.20.111.8)
Brent Fulgham
Comment 6 2022-02-08 14:36:56 PST
Hi folks. I *think* that this bug is an earlier report of Bug 235199, which was fixed in r288132. This should be available in an STP build soon.
Brent Fulgham
Comment 7 2022-02-08 14:37:31 PST
(In reply to Brent Fulgham from comment #6) > Hi folks. I *think* that this bug is an earlier report of Bug 235199, which > was fixed in r288132. > > This should be available in an STP build soon. I think this because of the error, but the original test case from years ago is no longer available, so I can't definitely confirm.
Note You need to log in before you can comment on or make changes to this bug.