Bug 238014 - REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
Summary: REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Kate Cheney
Keywords: InRadar
Reported: 2022-03-17 02:59 PDT by Martijn Dashorst
Modified: 2022-05-26 14:54 PDT

Attachments
Expected page render (422.85 KB, image/png), 2022-03-17 02:59 PDT, Martijn Dashorst
Actual page render (198.19 KB, image/png), 2022-03-17 02:59 PDT, Martijn Dashorst
Patch (4.23 KB, patch), 2022-03-24 12:12 PDT, Kate Cheney
Patch (1.94 KB, patch), 2022-03-24 14:04 PDT, Kate Cheney
Patch for landing (4.22 KB, patch), 2022-03-24 14:08 PDT, Kate Cheney

Description Martijn Dashorst 2022-03-17 02:59:25 PDT
Created attachment 454946 [details]
Expected page render

Loading pages that have CSP enabled and use nonces in their <link> tags fail to load the style sheets with the message below:

[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy.

You can find such an example here: https://examples9x.wicket.apache.org/index.html 

This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in Epiphany latest and it is broken there as well, so this seems to be a WebKit issue.

Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request

> If the result of executing § 6.6.2.2 Does nonce match source list? on request’s cryptographic nonce metadata and this directive’s value is "Matches", return "Allowed".
Comment 1 Martijn Dashorst 2022-03-17 02:59:53 PDT
Created attachment 454947 [details]
Actual page render
Comment 2 Alexey Proskuryakov 2022-03-18 17:30:28 PDT
> This works in Safari < 5.4, but is broken in Safari 5.4.

I'm guessing that this is Safari 15.4, not 5.4, could you please confirm?
Comment 3 Martijn Dashorst 2022-03-21 01:33:18 PDT
Yes, 15.4
Comment 4 Radar WebKit Bug Importer 2022-03-21 16:14:29 PDT
<rdar://problem/90599352>
Comment 5 Kate Cheney 2022-03-24 08:48:32 PDT
Hi! Thanks for reporting, I am taking a look at this. I noticed in the reduction you linked (https://examples9x.wicket.apache.org/index.html) that when I inspect the page the nonce is not specified for the stylesheet elements (I see "nonce" instead of something like "nonce='abc'"). Is this a mistake in the creation of the reduction, or could this be the issue? Maybe I am missing something... Thanks!
Comment 6 Martijn Dashorst 2022-03-24 09:15:27 PDT
If you "View Source" you will see the nonces.

<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
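The CSP3 check cited in the description (§6.6.2.2 "Does nonce match source list?", feeding the style-src pre-request check) applied to the nonce from the <link> tags above, as an added example that is not part of the bug report or of WebKit's code. The CSP header value is constructed for illustration; only the nonce branch of the check is implemented, so a request with an empty or wrong nonce is reported as blocked here even though a real policy would still consult host sources such as 'self'.

```javascript
// Added example (not from the bug report or WebKit): CSP3 §6.6.2.2
// "Does nonce match source list?" as used by the style-src pre-request check.
// The policy below is constructed; the nonce is the one in the bug's <link> tags.
const CONSTRUCTED_CSP =
  "default-src 'self'; style-src 'self' 'nonce-oSJryZj3W7yFgWz7apvYaNxw'; " +
  "script-src 'nonce-oSJryZj3W7yFgWz7apvYaNxw'";

// Parse a serialized policy into Map<directive name, source expressions[]>.
// A repeated directive name is ignored, as CSP requires (first one wins).
function parseCsp(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// nonce-source grammar: 'nonce-' base64-value ''' (padding optional).
const NONCE_SOURCE = /^'nonce-([A-Za-z0-9+\/\-_]+=*)'$/;

// §6.6.2.2: "Matches" only when the request carries a non-empty nonce and some
// 'nonce-...' expression in the source list is exactly equal to it.
function nonceMatchesSourceList(nonce, sourceList) {
  if (!nonce) return "Does Not Match";
  for (const expr of sourceList) {
    const m = NONCE_SOURCE.exec(expr);
    if (m && m[1] === nonce) return "Matches";
  }
  return "Does Not Match";
}

// Pre-request check for a stylesheet load: style-src, else default-src.
// Only the nonce branch is modelled; anything else is reported as "Blocked".
// An empty requestNonce is the regression's failure mode: the <link> had a
// nonce, but it was not attached to the request, so the check cannot match.
function styleSrcPreRequestCheck(policy, requestNonce) {
  const sources = policy.get("style-src") ?? policy.get("default-src") ?? [];
  return nonceMatchesSourceList(requestNonce, sources) === "Matches"
    ? "Allowed"
    : "Blocked";
}
```

Note for anyone reproducing comment 5: HTML's nonce hiding clears the `nonce` content attribute once the element is connected, so the inspector shows a bare `nonce` while View Source and the element's `nonce` IDL property still carry the value.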
Comment 8 Kate Cheney 2022-03-24 09:35:28 PDT
I see - thanks for the clarification!
Comment 9 Kate Cheney 2022-03-24 12:12:47 PDT
Created attachment 455663 [details]
Patch
Comment 10 Patrick Griffis 2022-03-24 12:37:32 PDT
Comment on attachment 455663 [details]
Patch

Looks good to me.
Comment 11 Brent Fulgham 2022-03-24 12:41:35 PDT
Comment on attachment 455663 [details]
Patch

r=me
Comment 12 Kate Cheney 2022-03-24 14:04:28 PDT Comment hidden (obsolete)
Comment 13 Kate Cheney 2022-03-24 14:08:49 PDT
Created attachment 455680 [details]
Patch for landing
Comment 14 EWS 2022-03-24 15:23:45 PDT
Committed r291816 (248843@main): <https://commits.webkit.org/248843@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455680 [details].
Comment 15 Brent Fulgham 2022-05-26 14:54:24 PDT
This fix shipped with Safari 15.5 (all platforms).