RESOLVED FIXED 159832
CSP: Do not send report violation for policies that have hash but not 'unsafe-inline'
https://bugs.webkit.org/show_bug.cgi?id=159832
Daniel Bates
Reported 2016-07-15 14:00:13 PDT
Suppose a page has the following markup:

...
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-A'">
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<script>/* A script whose CSP SHA is 'sha256-A'. */</script>
...

Then we should send exactly one CSP violation report that explains that the script was blocked because it violated the second CSP meta tag. We should have similar behavior for policies that have hashes for style elements.
Patrick Griffis
Comment 1 2022-01-18 13:35:09 PST
Fixed by r288132