Bug 273148 - Plain text document generates CSP error
Summary: Plain text document generates CSP error
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2024-04-23 14:01 PDT by Tim Guan-tin Chien [:timdream]
Modified: 2024-05-15 00:50 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Guan-tin Chien [:timdream] 2024-04-23 14:01:20 PDT 
STR:

1. Setup a website with strict content security policy, returning response header like `"Content-Security-Policy: default-src 'none';`.
2. Serve a `Content-type: text/plain` document.

Expected:

1. Text document is rendered correctly without any errors in the console.

Actual:

1. Text document is rendered correctly but with error complaining about inline style.

```
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
```

Note:

The inline style is inserted from the fake document here:
https://github.com/WebKit/WebKit/blob/dca6ec38e14d781a8298cfb23ebbbc63351db19a/Source/WebCore/html/parser/TextDocumentParser.cpp#L60

Maybe we should switch to User Agent Shadow Root instead of generate fake document in the parser? Is it possible (and safe) to insert the hash to CSP?
Comment 1 Radar WebKit Bug Importer 2024-04-23 14:01:52 PDT 
<rdar://problem/126942181>