Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d74bc8454ad40a5e567fd619b4f2cfff37b93df5
https://github.com/WebKit/WebKit/commit/d74bc8454ad40a5e567fd619b4f2cfff37b93df5
Author: Roberto Rodriguez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html
A
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html.headers
M Source/WebCore/dom/ScriptElement.cpp
M Source/WebCore/dom/ScriptElement.h
M Source/WebCore/loader/LinkLoader.cpp
M Source/WebCore/loader/cache/CachedResource.cpp
M Source/WebCore/loader/cache/CachedResource.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/loader/cache/CachedResourceRequest.h
Log Message:
-----------
Preloaded module scripts are blocked under a strict-dynamic CSP
https://bugs.webkit.org/show_bug.cgi?id=317890
rdar://179684592
Reviewed by Ryan Reno.
When a page uses a Content Security Policy with strict-dynamic and preloads a
module script,
that script is blocked even though the policy should allow it.
Under strict-dynamic a script request is only blocked when its parser metadata
is
"parser-inserted" (CSP3 spec 6.7.1.1), and a <link rel=modulepreload> fetches
the module
as "not-parser-inserted" and stores it in the document's module map (HTML spec
4.6.8.12).
A later parser-inserted <script type=module> for the same URL reuses that entry
and issues no
new request to check, so it must not be blocked.
Fix by treating the module script as non-parser-inserted using a dedicated
isLinkModulePreload
flag that only a modulepreload sets.
Tests:
imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html
*
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module-expected.txt:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_modulepreload_parser_inserted_module.html.headers:
Added.
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::effectiveParserInsertedForModule const):
(WebCore::ScriptElement::requestModuleScript):
* Source/WebCore/dom/ScriptElement.h:
* Source/WebCore/loader/LinkLoader.cpp:
(WebCore::LinkLoader::preloadIfNeeded):
* Source/WebCore/loader/cache/CachedResource.cpp:
(WebCore::CachedResource::CachedResource):
* Source/WebCore/loader/cache/CachedResource.h:
(WebCore::CachedResource::isLinkModulePreload const):
(WebCore::CachedResource::setLinkModulePreload):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
* Source/WebCore/loader/cache/CachedResourceRequest.h:
(WebCore::CachedResourceRequest::isLinkModulePreload const):
(WebCore::CachedResourceRequest::setIsLinkModulePreload):
Canonical link: https://commits.webkit.org/316290@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications