Bug 242054 - CSP functional bug: Safari checks callerRealm for eval
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Safari 15
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-06-28 00:21 PDT by Seongil Wi
Modified: 2022-06-28 08:47 PDT

Description Seongil Wi 2022-06-28 00:21:35 PDT

As far as I know, if a parent frame forbids 'unsafe-eval' and a child frame allows 'unsafe-eval', and both are on the same origin, childIframeElement.contentWindow.eval('foo') should be allowed.
(Check only callerRealm for eval)

[*] https://github.com/w3c/webappsec-csp/pull/540
[*] https://github.com/w3c/webappsec-csp/issues/438

However, I observed that Safari does not follow the spec.
To reproduce the bug, please visit the following page:

<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123';">
<iframe id=GGGdCcdaGGG src=self.html></iframe>
<script nonce=123>
GGGdCcdaGGG.onload=_=>GGGdCcdaGGG.contentWindow.eval("alert(1)");
GGGdCcdaGGG.contentWindow.location.reload();
</script>

Comment 1 Radar WebKit Bug Importer 2022-06-28 08:44:06 PDT
Comment 2 Seongil Wi 2022-06-28 08:47:07 PDT
Change statement: 
Check only callerRealm for eval => The spec states that only calleeRealm should be checked for eval.
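
Added example, not part of the bug report and not WebKit code: a small Node.js model of the check discussed above, showing how the outcome of a cross-realm eval() differs depending on whether the callee realm's or the caller realm's CSP is consulted. The function names and the child frame's policy are assumptions made for illustration; all policies are treated as enforced (no report-only policies, no Trusted Types).

```javascript
// Added illustration: models which realm's CSP decides a cross-realm eval().
// Not WebKit code; function names and the child policy are assumptions.

// Parse one serialized policy into a Map of directive name -> source tokens.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a directive name that appears a second time.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A realm permits string compilation only if every enforced policy does.
// eval is governed by script-src, falling back to default-src; with neither
// directive present the policy places no restriction on eval.
function realmAllowsEval(policies) {
  return policies.every((serialized) => {
    const directives = parsePolicy(serialized);
    const sources = directives.get('script-src') ?? directives.get('default-src');
    if (sources === undefined) return true;
    return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
  });
}

// mode 'callee': consult only the realm that owns the eval function
//                (the behaviour the report says the spec requires).
// mode 'caller': consult the realm of the calling script
//                (the behaviour the report attributes to Safari).
function crossRealmEvalAllowed(callerPolicies, calleePolicies, mode) {
  if (mode === 'callee') return realmAllowsEval(calleePolicies);
  if (mode === 'caller') return realmAllowsEval(callerPolicies);
  throw new Error(`unknown mode: ${mode}`);
}

// Parent policy is the one in the report; the child policy is constructed.
const parent = ["script-src 'nonce-123';"];
const child = ["script-src 'nonce-123' 'unsafe-eval'"];

function summarize() {
  return {
    spec: crossRealmEvalAllowed(parent, child, 'callee'),
    observed: crossRealmEvalAllowed(parent, child, 'caller'),
  };
}
console.log(summarize());
```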