RESOLVED DUPLICATE of bug 68921 67008
Content Security Policy in Chrome doesn't let whitelisted script run
https://bugs.webkit.org/show_bug.cgi?id=67008
Adrienne Porter Felt
Reported 2011-08-25 18:03:12 PDT
Load http:///gradgrind.erso.berkeley.edu/appendscripttest.php in Chrome and Firefox and you will get two different interpretations of the same CSP. The site has the following CSP set:

    header("X-Content-Security-Policy: allow 'self'; img-src *");
    header("X-WebKit-CSP: default-src 'self'; img-src *");

On the page, a whitelisted script dynamically appends a "script" element to the head, with a source on the same domain.

    window.onload = function() {
        var headID = document.getElementsByTagName("head")[0];
        var newScript = document.createElement('script');
        newScript.type = 'text/javascript';
        newScript.src = 'csp-4.js';
        headID.appendChild(newScript);
    }

In Firefox, the new script executes. In Chrome, the new script does not execute even though the src is whitelisted. It seems to me like the Firefox behavior is correct and the Chrome behavior is wrong.

(My tests done on Google Chrome 15.0.862.0 canary and Firefox 6.0.)
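How a same-origin relative `src` is matched against the two policies quoted in the report, as an added example that is not part of the original report and not WebKit's or Firefox's code. It is a simplified source-list matcher: the document URL `http://site.example/appendscripttest.php` is a constructed placeholder, and only `'self'`, `*`, `'none'` and full-origin sources are handled.

```javascript
// Added illustration: simplified CSP source matching, not a browser implementation.
// Policies are the two header values quoted in the report.
const FIREFOX_POLICY = "allow 'self'; img-src *";       // X-Content-Security-Policy
const WEBKIT_POLICY = "default-src 'self'; img-src *";  // X-WebKit-CSP
// Constructed placeholder for the page that carries the policy.
const DOC_URL = 'http://site.example/appendscripttest.php';

// Parse a policy string into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Source list governing a resource type, falling back to the default
// directive ("default-src", or "allow" in the legacy Firefox header).
function effectiveSources(directives, directive) {
  return directives.get(directive) ??
         directives.get('default-src') ??
         directives.get('allow') ??
         null; // null: the policy does not restrict this type
}

// Decide whether loading resourceUrl from the document at documentUrl is allowed.
function isAllowed(policy, directive, resourceUrl, documentUrl) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  // A relative src such as 'csp-4.js' resolves against the document URL.
  const target = new URL(resourceUrl, documentUrl);
  const self = new URL(documentUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true; // simplification: real '*' excludes some schemes
    if (src === "'self'") return target.origin === self.origin;
    try { return new URL(src).origin === target.origin; } catch { return false; }
  });
}
```

How the `script` element got into the document (parser or `appendChild`) is not an input to the match; only the resolved URL and the governing source list are.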
Adam Barth
Comment 1 2011-09-28 11:06:56 PDT
*** This bug has been marked as a duplicate of bug 68921 ***