NEW 267579
Enforce requirement that keyword sources in CSP source expressions must be separated by whitespace
https://bugs.webkit.org/show_bug.cgi?id=267579
Luke Warlow
Reported 2024-01-16 05:29:18 PST
Load `data:text/html,<meta http-equiv="Content-Security-Policy" content="script-src 'self''foo';">` in Chromium and you will correctly see a warning in the console. Load the same URL in Safari and you won't see any errors. Safari appears to only be matching that the buffer contains 'self' and not checking that the immediate next character is whitespace.
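Added example, not part of the report and not WebKit or Chromium code: a minimal sketch contrasting a source-list parser that splits on ASCII whitespace and requires whole-token keyword matches with a prefix matcher that models the behaviour the report describes. The function names, the keyword subset and the prefix-matching model are assumptions made for illustration.

```javascript
// Keyword sources (a subset of the CSP grammar, enough for this example).
const KEYWORDS = ["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"];
const isWs = (ch) => ch === " " || ch === "\t" || ch === "\n" || ch === "\f" || ch === "\r";

// Strict: split on ASCII whitespace first, then require a whole-token match.
function parseStrict(value) {
  const accepted = [], rejected = [];
  for (const token of value.split(/[\t\n\f\r ]+/).filter(Boolean)) {
    const lower = token.toLowerCase();
    if (KEYWORDS.includes(lower)) accepted.push(lower);
    else if (token.startsWith("'")) rejected.push(token); // quoted, but not a keyword
    else accepted.push(token); // host/scheme sources pass through unvalidated here
  }
  return { accepted, rejected };
}

// Prefix matcher: a hypothetical model of the behaviour the report describes,
// accepting a keyword without checking that whitespace (or end of input) follows.
function parsePrefix(value) {
  const accepted = [], rejected = [];
  let i = 0;
  while (i < value.length) {
    if (isWs(value[i])) { i++; continue; }
    const rest = value.slice(i).toLowerCase();
    const kw = KEYWORDS.find((k) => rest.startsWith(k));
    if (kw) { accepted.push(kw); i += kw.length; continue; } // missing delimiter check
    let j = i;
    while (j < value.length && !isWs(value[j])) j++;
    const token = value.slice(i, j);
    (token.startsWith("'") ? rejected : accepted).push(token);
    i = j;
  }
  return { accepted, rejected };
}

// Report which sources the prefix matcher accepts that the strict parser does not.
function compare(value) {
  const strict = parseStrict(value), prefix = parsePrefix(value);
  const extra = prefix.accepted.filter((s) => !strict.accepted.includes(s));
  return { strict, prefix, extra };
}

const sample = "'self''foo'"; // source list from the report's script-src directive
console.log(JSON.stringify(compare(sample)));
```

For the report's policy the strict parser accepts no source at all, while the prefix matcher still honours `'self'`, so the two parsers enforce different policies from the same header text.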
Radar WebKit Bug Importer
Comment 1 2024-01-18 08:56:09 PST
sideshowbarker
Comment 2 2024-02-10 17:40:09 PST