RESOLVED CONFIGURATION CHANGED 172871
Incorrect CSP warnings if nonce-value is listed only in the Report-Only header
https://bugs.webkit.org/show_bug.cgi?id=172871
Phil Dokas
Reported 2017-06-02 13:44:44 PDT
A minimal test case is available here: https://www.flickr.com/csp_webkit_bug_report.gne

If a page uses a correctly specified nonce attribute on inline scripts and includes a script-src 'nonce-foo' directive in just the Report-Only header, then WebKit incorrectly reports CSP errors on each script. The error is:

"[Error] [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy."

No errors are reported (correctly) if:
1) Neither CSP header includes 'nonce-foo'
2) Both CSP headers include 'nonce-foo'
3) Only the blocking CSP header includes 'nonce-foo'

But if only the Report-Only CSP header includes 'nonce-foo' then errors will be logged to the console.

This identically affects:
* macOS 10.12.5 (16F73)
* Safari Version 10.1.1 (12603.2.4)
* Safari Technology Preview Release 31 (Safari 10.2, WebKit 12604.1.23.0.1)
* WebKit Nightly Version 10.1.1 (12603.2.4, r217709)
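The expected behaviour the report relies on, as an added example that is not part of the bug report or WebKit's code: a browser evaluates the enforced Content-Security-Policy header and the Content-Security-Policy-Report-Only header independently, and a nonce that matches the script-src directive of one policy satisfies that policy regardless of what the other header lists. The model below runs an inline script with nonce="foo" through the four header combinations the reporter lists; it assumes the base policy carries 'unsafe-inline' (the reading under which case 1, with no nonce in either header, produces no violation), leaves hash-source matching out, and treats a policy without script-src as unrestricted (no default-src fallback).

```javascript
// Added example, not WebKit's code: a minimal model of how a browser evaluates
// an inline <script nonce="..."> against the enforced Content-Security-Policy
// header and the Content-Security-Policy-Report-Only header. The two policies
// are evaluated independently: a violation of the enforced policy blocks the
// script, a violation of the report-only policy only produces a report.

// Return the source list of the script-src directive, or null if the policy
// has no script-src directive (the default-src fallback is omitted here).
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'script-src') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Extract the nonce value from a source expression such as 'nonce-abc', else null.
function nonceOf(source) {
  const m = /^'nonce-(.+)'$/i.exec(source);
  return m ? m[1] : null;
}

// Does one policy allow an inline script carrying `nonce` (null when absent)?
// Rules modelled from CSP: a matching nonce always allows; 'unsafe-inline'
// allows only when the directive lists no nonce or hash source (hash matching
// itself is left out for brevity).
function allowsInline(policy, nonce) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return true;
  const nonces = sources.map(nonceOf).filter(n => n !== null);
  // Nonce values compare case-sensitively.
  if (nonce !== null && nonces.includes(nonce)) return true;
  const hasHash = sources.some(s => /^'sha(256|384|512)-/i.test(s));
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  return nonces.length === 0 && !hasHash && unsafeInline;
}

// Evaluate both headers for one inline script; `headers` is a plain object
// keyed by header name. Either header may be absent.
function evaluateInlineScript(headers, nonce) {
  const enforced = headers['Content-Security-Policy'];
  const reportOnly = headers['Content-Security-Policy-Report-Only'];
  return {
    blocked: enforced !== undefined && !allowsInline(enforced, nonce),
    reported: reportOnly !== undefined && !allowsInline(reportOnly, nonce),
  };
}

// Constructed inputs mirroring the four header combinations in the report.
// Assumption: the base policy carries 'unsafe-inline', which is what lets
// case 1 (no nonce in either header) pass without a violation.
const BASE = "script-src 'self' 'unsafe-inline'";
const WITH_NONCE = `${BASE} 'nonce-foo'`;
const CASES = {
  neither:        { 'Content-Security-Policy': BASE,       'Content-Security-Policy-Report-Only': BASE },
  both:           { 'Content-Security-Policy': WITH_NONCE, 'Content-Security-Policy-Report-Only': WITH_NONCE },
  enforcedOnly:   { 'Content-Security-Policy': WITH_NONCE, 'Content-Security-Policy-Report-Only': BASE },
  reportOnlyOnly: { 'Content-Security-Policy': BASE,       'Content-Security-Policy-Report-Only': WITH_NONCE },
};

// Run every case for a script that carries nonce="foo". The correct result in
// all four is { blocked: false, reported: false }; the bug in this report is
// WebKit logging a report-only violation in the reportOnlyOnly case.
function runReportCases() {
  const out = {};
  for (const [name, headers] of Object.entries(CASES)) {
    out[name] = evaluateInlineScript(headers, 'foo');
  }
  return out;
}

console.log(runReportCases());
// A script with no nonce under case 4 is a genuine report-only violation:
// enforced 'unsafe-inline' still allows it, the report-only policy does not.
console.log(evaluateInlineScript(CASES.reportOnlyOnly, null));
```

The fourth case is the one the report is about: the script's nonce matches the report-only policy, so no report should be generated, and the enforced header's contents are irrelevant to that decision. The final call shows what a real report-only violation looks like under the same headers, which is the console message a developer should expect only for scripts that lack a valid nonce.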
Radar WebKit Bug Importer
Comment 1 2017-06-02 13:45:00 PDT
Darin Adler
Comment 2 2017-06-02 14:08:20 PDT
Doesn’t sound like a security bug to me. A false positive is clearly a bug, and could be quite inconvenient for a developer, but I don’t see how it leads to vulnerability.
Phil Dokas
Comment 3 2017-06-02 14:18:56 PDT
Makes sense. I wanted to err on the side of caution. Should I resubmit this as a Webkit bug or can it just be reassigned in bugzilla?
Darin Adler
Comment 4 2017-06-02 14:29:56 PDT
I think it can be moved.
Brent Fulgham
Comment 5 2017-06-07 13:43:28 PDT
(In reply to Darin Adler from comment #4)
> I think it can be moved.

Done!
Brent Fulgham
Comment 6 2022-02-08 12:27:57 PST
Thank you for this report. We believe this is no longer an issue in STP 139, iOS 15.4 Beta, and macOS 12.3 Beta.