RESOLVED FIXED 314008
CSP strict-dynamic does not block parser-inserted external module scripts without a nonce
https://bugs.webkit.org/show_bug.cgi?id=314008
roberto_rodriguez2
Reported 2026-05-04 13:17:45 PDT
rdar://175951114
When a CSP policy contains script-src 'nonce-X' 'strict-dynamic', parser-inserted external module scripts without a valid nonce execute without any CSP check.
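The expected behaviour behind this report, as an added example that is not part of the bug or of WebKit's code: a small JavaScript model of the nonce and 'strict-dynamic' steps of the CSP Level 3 script-src pre-request check, which apply to classic and module scripts alike. The request object shape and the function names are assumptions made for illustration.

```javascript
// Added illustration, not WebKit code. Models the nonce and 'strict-dynamic'
// steps of the CSP Level 3 script-src pre-request check. Integrity-metadata
// matching and URL allowlist matching are left out.

// Split a serialized policy into { directiveName: [source expressions] }.
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = values;
    }
  }
  return directives;
}

// request: { nonce: string, parserInserted: boolean, type: "classic" | "module" }
// (a constructed shape standing in for the request's nonce and parser metadata).
function scriptPreRequestCheck(policy, request) {
  const sources = parsePolicy(policy)["script-src"];
  if (!sources) return "Allowed"; // default-src fallback is not modelled

  // A nonce that matches the source list allows the request outright.
  const nonces = sources
    .map((s) => /^'nonce-(.+)'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  if (request.nonce && nonces.includes(request.nonce)) return "Allowed";

  // Under 'strict-dynamic', only scripts that were not created by the parser
  // are allowed without a nonce. request.type is deliberately not consulted:
  // classic and module scripts take the same path.
  if (sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) {
    return request.parserInserted ? "Blocked" : "Allowed";
  }
  throw new Error("allowlist matching is outside this model");
}

const POLICY = "script-src 'nonce-X' 'strict-dynamic'"; // policy from the report
```

The case from the report is `{ nonce: "", parserInserted: true, type: "module" }`, for which the model returns "Blocked".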
roberto_rodriguez2
Comment 1 2026-05-04 13:33:14 PDT
EWS
Comment 2 2026-05-06 22:02:07 PDT
Committed 312769@main (97937c9886e2): <https://commits.webkit.org/312769@main> Reviewed commits have been landed. Closing PR #64206 and removing active labels.