WebKit Bugzilla
RESOLVED FIXED
289904
require-trusted-types-for CSP parsing allows invalid sink groups
https://bugs.webkit.org/show_bug.cgi?id=289904
Luke Warlow
Reported
2025-03-17 10:16:28 PDT
Currently, 'script''script' parses as if it was 'script'. This should be changed to be treated as invalid. The parsing also early returns if it finds an invalid sink group. This is incorrect behaviour. It should report this invalid sink group but keep parsing in case it finds a valid one.
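The parsing behaviour described in the report above, as an added C++ example that is not WebKit's code and not part of the original report: `parseStrict` accepts only an exact `'script'` token and keeps parsing after an invalid one, while `parseLenient` is a simplified model of the two behaviours reported as wrong. The function names, the `ParseResult` type and the exact (case-sensitive) comparison are assumptions of this example.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Added example: a model of the parsing rules discussed in this bug, not WebKit's code.
struct ParseResult {
    bool requiresScript = false;       // true if a valid 'script' sink group was seen
    std::vector<std::string> invalid;  // tokens to report as invalid sink groups
};

// Split the directive value on whitespace. operator>> splits on isspace(),
// which approximates the ASCII whitespace that separates sink groups.
static std::vector<std::string> tokens(const std::string& value) {
    std::istringstream in(value);
    std::vector<std::string> out;
    for (std::string t; in >> t;) out.push_back(t);
    return out;
}

// Behaviour the report asks for: a token must be exactly 'script'; anything
// else is recorded as invalid and parsing continues with the next token.
// Assumption: the comparison is exact (case-sensitive).
ParseResult parseStrict(const std::string& value) {
    ParseResult r;
    for (const auto& t : tokens(value)) {
        if (t == "'script'") r.requiresScript = true;
        else r.invalid.push_back(t);
    }
    return r;
}

// Simplified model of the two behaviours the report describes as wrong:
// a prefix match accepts 'script''script', and the first invalid token
// ends parsing, so a later valid 'script' is never seen.
ParseResult parseLenient(const std::string& value) {
    ParseResult r;
    for (const auto& t : tokens(value)) {
        if (t.rfind("'script'", 0) == 0) { r.requiresScript = true; continue; }
        r.invalid.push_back(t);
        return r;  // early return on the first invalid sink group
    }
    return r;
}
```

With the constructed value `'invalid' 'script'`, `parseStrict` reports one invalid token and still requires Trusted Types for script sinks, whereas `parseLenient` stops at the first token and enforces nothing.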
Radar WebKit Bug Importer
Comment 1
2025-03-24 10:17:28 PDT
<rdar://problem/147760089>
Luke Warlow
Comment 2
2025-03-27 11:02:21 PDT
Pull request: https://github.com/WebKit/WebKit/pull/43118
EWS
Comment 3
2025-09-30 12:06:00 PDT
Committed 300770@main (18919c9e6b22): <https://commits.webkit.org/300770@main>
Reviewed commits have been landed. Closing PR #43118 and removing active labels.