Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d74bc8454ad40a5e567fd619b4f2cfff37b93df5
      
https://github.com/WebKit/WebKit/commit/d74bc8454ad40a5e567fd619b4f2cfff37b93df5
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module-expected.txt
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html.headers
    M Source/WebCore/dom/ScriptElement.cpp
    M Source/WebCore/dom/ScriptElement.h
    M Source/WebCore/loader/LinkLoader.cpp
    M Source/WebCore/loader/cache/CachedResource.cpp
    M Source/WebCore/loader/cache/CachedResource.h
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceRequest.h

  Log Message:
  -----------
  Preloaded module scripts are blocked under a strict-dynamic CSP
https://bugs.webkit.org/show_bug.cgi?id=317890
rdar://179684592

Reviewed by Ryan Reno.

When a page uses a Content Security Policy with strict-dynamic and preloads a 
module script,
that script is blocked even though the policy should allow it.

Under strict-dynamic a script request is only blocked when its parser metadata 
is
"parser-inserted" (CSP3 spec 6.7.1.1), and a <link rel=modulepreload> fetches 
the module
as "not-parser-inserted" and stores it in the document's module map (HTML spec 
4.6.8.12).
A later parser-inserted <script type=module> for the same URL reuses that entry 
and issues no
new request to check, so it must not be blocked.

Fix by treating the module script as non-parser-inserted using a dedicated 
isLinkModulePreload
flag that only a modulepreload sets.

Tests: 
imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html

* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module-expected.txt:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html.headers:
 Added.
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::effectiveParserInsertedForModule const):
(WebCore::ScriptElement::requestModuleScript):
* Source/WebCore/dom/ScriptElement.h:
* Source/WebCore/loader/LinkLoader.cpp:
(WebCore::LinkLoader::preloadIfNeeded):
* Source/WebCore/loader/cache/CachedResource.cpp:
(WebCore::CachedResource::CachedResource):
* Source/WebCore/loader/cache/CachedResource.h:
(WebCore::CachedResource::isLinkModulePreload const):
(WebCore::CachedResource::setLinkModulePreload):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
* Source/WebCore/loader/cache/CachedResourceRequest.h:
(WebCore::CachedResourceRequest::isLinkModulePreload const):
(WebCore::CachedResourceRequest::setIsLinkModulePreload):

Canonical link: https://commits.webkit.org/316290@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to