WebKit Bugzilla
Bug 242054 - CSP functional bug: Safari checks callerRealm for eval
Status: NEW
https://bugs.webkit.org/show_bug.cgi?id=242054
Seongil Wi
Reported
2022-06-28 00:21:35 PDT
Hello. As far as I know, if a parent frame forbids 'unsafe-eval' and a child frame allows 'unsafe-eval', and both are on the same origin, childIframeElement.contentWindow.eval('foo') should be allowed. (Check only callerRealm for eval) [*]

[*] https://github.com/w3c/webappsec-csp/pull/540
[*] https://github.com/w3c/webappsec-csp/issues/438
However, I observed that Safari does not follow the spec. To reproduce the bug, please visit the following page:

test.html:

```html
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123';">
</head>
<body>
<iframe id=GGGdCcdaGGG src=self.html></iframe>
<script nonce=123>
GGGdCcdaGGG.onload = _ => GGGdCcdaGGG.contentWindow.eval("alert(1)");
GGGdCcdaGGG.contentWindow.location.reload();
</script>
</body>
</html>
```

self.html: empty file
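As an added example (not code from the report or from WebKit), the following JavaScript models the check the spec prescribes: when `otherWindow.eval(...)` is called, only the policies of the realm whose `eval` is invoked (the callee realm) decide whether string compilation is allowed, and the caller's policies are never consulted. It assumes the two policy states from the report (parent with `script-src 'nonce-123'`, child with no policy) and the frame id `GGGdCcdaGGG`; `probeEval` and the final `if` block are hypothetical helpers that only do anything when the script is placed, with the `nonce=123`, inside the report's test.html.

```javascript
// Parse one policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one policy block string compilation (eval/Function)? script-src governs;
// default-src is the fallback when script-src is absent; no directive = allowed.
function policyBlocksEval(policy) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return false;
  return !sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// A realm may use eval only if none of its enforced policies block it.
function evalAllowedInRealm(policies) {
  return !policies.some(policyBlocksEval);
}

// Spec decision for otherWindow.eval(...) invoked from a different realm:
// only the callee realm's policies are consulted; callerPolicies is unused.
function specAllowsCrossRealmEval(callerPolicies, calleePolicies) {
  return evalAllowedInRealm(calleePolicies);
}

// The report's scenario: the parent enforces script-src 'nonce-123' (no
// 'unsafe-eval'); the same-origin child self.html carries no policy at all.
const parentPolicies = ["script-src 'nonce-123';"];
const childPolicies = [];

// Browser-only probe (hypothetical helper): true if targetWindow.eval ran
// without throwing an EvalError. Evaluates a side-effect-free expression.
function probeEval(targetWindow) {
  try { return targetWindow.eval('1 + 1') === 2; } catch (e) { return false; }
}

// Inside the report's test.html, compare the browser against the spec model.
if (typeof document !== 'undefined' && document.getElementById('GGGdCcdaGGG')) {
  const child = document.getElementById('GGGdCcdaGGG').contentWindow;
  console.log('child eval allowed:', probeEval(child),
              'spec expects:', specAllowsCrossRealmEval(parentPolicies, childPolicies));
}
```

A browser that logs `child eval allowed: false` next to `spec expects: true` is consulting the caller realm, which is the behaviour the report describes.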
Radar WebKit Bug Importer
Comment 1
2022-06-28 08:44:06 PDT
<rdar://problem/96064179>
Seongil Wi
Comment 2
2022-06-28 08:47:07 PDT
Change statement: Check only callerRealm for eval => The spec states that only calleeRealm should be checked for eval.