Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3b36e1e3244a97eff6b779d1c97d9c3d9a1e1705
https://github.com/WebKit/WebKit/commit/3b36e1e3244a97eff6b779d1c97d9c3d9a1e1705
Author: Ryan Reno <[email protected]>
Date: 2025-07-31 (Thu, 31 Jul 2025)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-link-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-link.html
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Log Message:
-----------
Safari ignores style-src-elem in CSP
https://bugs.webkit.org/show_bug.cgi?id=276931
rdar://132783992
Reviewed by Brent Fulgham.
We should be checking the more specific directive before falling back to the
more general one.
For CSS stylesheet resource loads we were ignoring the style-src-elem directive
and instead skipping straight to style-src. This means if you had a CSP like
`style-src 'self'; style-src-elem 'self' example.com;`
and then tried to load a stylesheet from example.com we would block the load.
This change makes us first check the style-src-elem directive before falling
back to style-src if style-src-elem is not present, matching the CSP3 spec.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-link-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-link.html: Added.
Added wpt to cover the case where `style-src-elem` allows but `style-src` would disallow.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle const):
Canonical link: https://commits.webkit.org/298104@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
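
The directive lookup order described in the log message, as an added example that is not WebKit's code or part of the commit: a simplified JavaScript model of the CSP3 fallback for stylesheet loads (style-src-elem, then style-src, then default-src), run against the policy quoted in the message. The page origin `https://site.test`, the stylesheet URL, the function names and the reduced source matching (`'self'` and bare hosts only) are assumptions.

```javascript
// Added example: a simplified model, not WebKit's ContentSecurityPolicyDirectiveList.
// CSP3 fallback list consulted for stylesheet (<link>/<style>) loads.
const STYLE_ELEM_FALLBACK = ["style-src-elem", "style-src", "default-src"];

// Parse a serialized policy into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A duplicate directive in one policy is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Reduced source matching (assumption): only 'self' and bare host sources.
function sourceListAllows(sources, url, selfOrigin) {
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === selfOrigin;
    return src.toLowerCase() === target.hostname;
  });
}

// Pick the first directive in `fallback` that the policy defines and
// report which directive governed the load and whether it allowed it.
function checkStylesheetLoad(policy, url, selfOrigin, fallback = STYLE_ELEM_FALLBACK) {
  const directives = parsePolicy(policy);
  const name = fallback.find((d) => directives.has(d));
  if (!name) return { directive: null, allowed: true }; // no directive restricts styles
  return { directive: name, allowed: sourceListAllows(directives.get(name), url, selfOrigin) };
}

// Constructed sample input: policy from the log message, hypothetical origin and URL.
const POLICY = "style-src 'self'; style-src-elem 'self' example.com;";
const SELF = "https://site.test";
const SHEET = "https://example.com/theme.css";

// Lookup that skips style-src-elem (the behaviour the log message describes as the bug).
const before = checkStylesheetLoad(POLICY, SHEET, SELF, ["style-src", "default-src"]);
// Lookup that starts at the most specific directive (the behaviour after the change).
const after = checkStylesheetLoad(POLICY, SHEET, SELF);
console.log({ before, after });
```

The same function reports which directive governed a decision, which is the field to compare against the `effectiveDirective` of a CSP violation report when checking how a given browser build resolved the fallback.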