Bug 232781 - Difference in handling of CSP policies in Safari Web Extensions
Summary: Difference in handling of CSP policies in Safari Web Extensions
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Safari 15
Hardware: Mac (Intel) macOS 11
Importance: P2 Normal
Assignee: Nobody
URL: https://github.com/birtles/csp-bug
Keywords: InRadar
Depends on:
Blocks:
Reported: 2021-11-05 22:14 PDT by Brian Birtles
Modified: 2021-11-12 21:15 PST
See Also:
Description Brian Birtles 2021-11-05 22:14:05 PDT
I am encountering a difference in the way Safari Web Extensions interact with a page's CSP policies compared to Chrome/Firefox.

Background: Google Docs are rolling out a new canvas mode. In order for Web Extensions to cause an annotated canvas to be produced such that they can inspect the text of the document, they are required to inject a global into the Docs page as follows:

```js
// Create a <script> element whose body sets the global the Docs page checks for.
var scriptElem = document.createElement('script');
scriptElem.textContent = "(function() { window['_docs_annotate_canvas_by_ext'] = '<extension id>'; })();";
// Inserting it into the page runs it in the page's own JavaScript context.
(document.head || document.documentElement).appendChild(scriptElem);
// The element is only needed long enough to execute; remove it again.
scriptElem.remove();
```

This works as expected in Chrome and Firefox but produces CSP errors in Safari and fails to run.

STR:

1. `git clone https://github.com/birtles/csp-bug.git`
2. Load `CSP bug repro/CSP bug repro.xcodeproj` from the repository in Xcode 13.
3. Run the project
4. It should provide a window with a button to jump to Safari and enable the
   extension
5. You will need to enable unsigned extensions using Develop → Allow Unsigned
   Extensions
6. Navigate to [docs.google.com](https://docs.google.com)
7. Load any Google doc
8. Press the star button on the toolbar, granting permission to run if needed.
9. Open the JavaScript console from the Develop menu
10. Look for the line beginning, `"Script ran..."`.
11. As per the message look for CSP errors prior to that line.
12. Enter `window.testme` + <kbd>Enter</kbd> and observe the result.

Expected results:

- No CSP errors
- `"ok"` is returned

Actual results:

- Several CSP errors of the form "Refused to execute a script because its hash,
  its nonce, or 'unsafe-inline' does not appear in the script-src directive of
  the Content Security Policy".
- `undefined` is returned.

To compare with Firefox / Chrome:

1. Install [`npx`](https://www.npmjs.com/package/npx) globally.
2. From the root `csp-bug` folder, run `npx web-ext run` for Firefox, or
   `npx web-ext run -t chromium` for Chrome.
3. Similarly, load any document from [docs.google.com](https://docs.google.com)
   and check the Developer console (<kbd>F12</kbd> → Console).
Comment 1 Radar WebKit Bug Importer 2021-11-12 21:15:20 PST
<rdar://problem/85367497>