Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 88833ba4cdcb34cf4e173fec453dafac8c74ccda
      
https://github.com/WebKit/WebKit/commit/88833ba4cdcb34cf4e173fec453dafac8c74ccda
  Author: Luke Warlow <lwar...@igalia.com>
  Date:   2024-08-21 (Wed, 21 Aug 2024)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes-expected.txt
    M Source/WebCore/dom/ScriptElement.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicy.h
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

  Log Message:
  -----------
  'strict-dynamic' in script-src CSP breaks external script with matching integrity hash
https://bugs.webkit.org/show_bug.cgi?id=270784

Reviewed by Ryan Reno.

This patch updates the early CSP checks for when 'strict-dynamic' is present to 
also match sub-resource-integrity.

* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes-expected.txt:
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestClassicScript):
(WebCore::ScriptElement::requestModuleScript):
(WebCore::ScriptElement::requestImportMap):
(WebCore::ScriptElement::executeClassicScript):
(WebCore::ScriptElement::registerImportMap):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h:

Canonical link: https://commits.webkit.org/282577@main
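
The check the log message refers to, as an added sketch that is not part of the commit and is not WebKit's code: under CSP Level 3, when script-src contains 'strict-dynamic', a parser-inserted external script is still allowed if every hash in its integrity attribute matches a hash-source in the policy. The function names, the script descriptor shape, and the sample nonce and hash values used with it are assumptions made for illustration.

```javascript
// Added illustration, not WebKit code. Models the decision for an external
// <script src> when script-src contains 'strict-dynamic'.
// Simplified: matching is case-sensitive and base64/base64url are not normalised.

const HASH_SOURCE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/;
const NONCE_SOURCE = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/;

// Collect only the source expressions that matter once 'strict-dynamic' is set.
function parseScriptSrc(value) {
  const policy = { strictDynamic: false, nonces: new Set(), hashes: new Set() };
  for (const token of value.trim().split(/\s+/)) {
    let m;
    if (token.toLowerCase() === "'strict-dynamic'") policy.strictDynamic = true;
    else if ((m = NONCE_SOURCE.exec(token))) policy.nonces.add(m[1]);
    else if ((m = HASH_SOURCE.exec(token))) policy.hashes.add(`${m[1]}-${m[2]}`);
  }
  return policy;
}

// Split an integrity attribute into "alg-digest" entries; options after '?' are dropped.
function parseIntegrity(attr) {
  return (attr || "").trim().split(/\s+/)
    .map((t) => t.split("?")[0])
    .filter((t) => /^(sha256|sha384|sha512)-/.test(t));
}

// script: { parserInserted, nonce, integrity } (hypothetical descriptor).
// Returns true (allow), false (block), or null when 'strict-dynamic' is absent.
function allowsExternalScript(policy, script) {
  if (!policy.strictDynamic) return null; // host-source matching is outside this sketch
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  const integrity = parseIntegrity(script.integrity);
  // Every listed integrity hash must appear in the policy; an empty list never matches.
  if (integrity.length > 0 && integrity.every((h) => policy.hashes.has(h))) return true;
  // Without a nonce or hash match, only scripts inserted by trusted script pass.
  return !script.parserInserted;
}
```

A script whose integrity attribute lists one hash that the policy does not carry is blocked even if its other hashes match, because all listed hashes must be covered.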
