Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 88d6ffd3457fe4549eaca208e3bf6b83890ec983
      
https://github.com/WebKit/WebKit/commit/88d6ffd3457fe4549eaca208e3bf6b83890ec983
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-04-21 (Tue, 21 Apr 2026)

  Changed paths:
    M LayoutTests/platform/ios-site-isolation/TestExpectations
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M Source/WebCore/html/parser/HTMLResourcePreloader.cpp

  Log Message:
  -----------
  Meta-tag CSP redirect checks skipped for speculatively preloaded resources declared after meta-tag
https://bugs.webkit.org/show_bug.cgi?id=312784
rdar://175172953

Reviewed by Anne van Kesteren.

When parser-blocking scripts are declared before a meta CSP tag, the preload scanner fetches subsequent resources before the CSP policy is parsed. For each preloaded script/stylesheet, HTMLResourcePreloader calls allowScriptWithNonce/allowStyleWithNonce with an empty nonce, and because no policies exist yet these functions return true, which HTMLResourcePreloader interprets as a valid nonce match and sets ContentSecurityPolicyImposition::SkipPolicyCheck on the resource's ResourceLoaderOptions. This persists on the SubresourceLoader for the resource's lifetime and results in redirect targets that violate the CSP policy loading without being blocked.

Consider this from http/tests/security/contentSecurityPolicy/script-redirect-blocked.html:

<script src="resources/dump-as-text.js"></script>
<script src="resources/wait-until-done.js"></script>
<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.py 'unsafe-inline'">
<script src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/resources/alert-fail.js";></script>

The last script resource - declared after the meta CSP tag - should be blocked for violating the CSP because of the redirect URL, but the bug allows it to load. Per CSP3 spec §3.3, resources from elements that follow a meta-delivered policy must be subject to that policy.

Layout tests http/tests/security/contentSecurityPolicy/script-redirect-blocked.html and http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html were timing out because of this bug. Both tests load external helper scripts before a meta CSP tag, then load a resource that redirects to a cross-origin URL that CSP should block. Because SkipPolicyCheck was set during preload scanning, the redirect was never checked against CSP, no securitypolicyviolation event was fired, and notifyDone() was never called.

* LayoutTests/platform/ios-site-isolation/TestExpectations:
* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/html/parser/HTMLResourcePreloader.cpp:
(WebCore::PreloadRequest::resourceRequest):

Canonical link: https://commits.webkit.org/311695@main
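The sequence the commit message describes (preload scan before the meta tag, vacuous "allowed" answer from an empty policy set, SkipPolicyCheck pinned on the loader, redirect hop never re-checked) can be walked through in a small model. The following is an added illustration, not WebKit code and not the patch that landed in HTMLResourcePreloader.cpp: the CspModel type, its two allow functions and both imposition functions are constructed here, and the "fixed" variant is only an assumption about one reasonable guard (do not skip later checks unless a non-empty nonce matched an already-parsed policy), not a description of WebCore::PreloadRequest::resourceRequest after the change. The URLs are the ones quoted in the test above.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// Constructed model of a page's CSP state (not WebKit code). It keeps only the
// pieces the commit message talks about: whether any policy has been parsed,
// the nonces a parsed policy accepts, and the script-src source list.
struct CspModel {
    bool hasPolicies = false;                // false until the <meta> tag is parsed
    std::vector<std::string> scriptNonces;   // nonces accepted by parsed policies
    std::vector<std::string> scriptSources;  // script-src allow-list of parsed policies

    // Shape of allowScriptWithNonce(): with no policies there is nothing to
    // violate, so the answer is vacuously true, even for an empty nonce.
    bool allowScriptWithNonce(const std::string& nonce) const {
        if (!hasPolicies)
            return true;
        return std::find(scriptNonces.begin(), scriptNonces.end(), nonce) != scriptNonces.end();
    }

    // Source-list check applied to the original URL and to every redirect hop.
    bool allowScriptFromSource(const std::string& url) const {
        if (!hasPolicies)
            return true;
        return std::find(scriptSources.begin(), scriptSources.end(), url) != scriptSources.end();
    }
};

enum class ContentSecurityPolicyImposition { DoPolicyCheck, SkipPolicyCheck };

// Preloader decision as the commit message describes the bug: "allowed" is read
// as "nonce matched", so an empty nonce against an empty policy set still yields
// SkipPolicyCheck.
ContentSecurityPolicyImposition impositionBuggy(const CspModel& csp, const std::string& nonce) {
    return csp.allowScriptWithNonce(nonce)
        ? ContentSecurityPolicyImposition::SkipPolicyCheck
        : ContentSecurityPolicyImposition::DoPolicyCheck;
}

// Hardened decision (an assumption for illustration, not WebKit's actual patch):
// later checks may only be skipped when a non-empty nonce matched a policy that
// has really been parsed.
ContentSecurityPolicyImposition impositionFixed(const CspModel& csp, const std::string& nonce) {
    if (nonce.empty() || !csp.hasPolicies)
        return ContentSecurityPolicyImposition::DoPolicyCheck;
    return csp.allowScriptWithNonce(nonce)
        ? ContentSecurityPolicyImposition::SkipPolicyCheck
        : ContentSecurityPolicyImposition::DoPolicyCheck;
}

// The imposition lives on the loader for the resource's lifetime, so a redirect
// target is only checked against the (by now parsed) policy when it was not
// set to SkipPolicyCheck at preload time.
bool redirectTargetLoads(const CspModel& cspAtRedirectTime,
                         ContentSecurityPolicyImposition imposition,
                         const std::string& redirectTarget) {
    if (imposition == ContentSecurityPolicyImposition::SkipPolicyCheck)
        return true;
    return cspAtRedirectTime.allowScriptFromSource(redirectTarget);
}

// Walks the script-redirect-blocked.html sequence: preload scan before the
// <meta> tag, policy parsed, then a redirect to a cross-origin script that the
// source list does not permit. Returns true when that script loads (the bug),
// false when it is blocked (expected behaviour).
bool blockedRedirectLoads(bool useFixedPreloader) {
    CspModel csp;             // preload scanner runs ahead of the parser: no policies yet
    const std::string nonce;  // the <script src> element carries no nonce attribute
    const auto imposition = useFixedPreloader ? impositionFixed(csp, nonce)
                                              : impositionBuggy(csp, nonce);

    // The parser now reaches <meta http-equiv="Content-Security-Policy">.
    csp.hasPolicies = true;
    csp.scriptSources = { "http://127.0.0.1:8000/resources/redirect.py" };

    // redirect.py answers 307 to a localhost URL that is not in script-src.
    return redirectTargetLoads(csp, imposition, "http://localhost:8000/resources/alert-fail.js");
}

int main() {
    std::printf("buggy preloader: blocked redirect loads = %s\n", blockedRedirectLoads(false) ? "yes" : "no");
    std::printf("fixed preloader: blocked redirect loads = %s\n", blockedRedirectLoads(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is the interaction of two individually sensible facts: "no policy parsed yet" correctly answers "allowed", and a genuine nonce match correctly justifies skipping later checks, but caching the first answer as if it were the second removes the redirect check for the rest of the load. A regression test for this class of bug therefore has to exercise the redirect hop after the policy is in place, which is exactly what the two timing-out layout tests do.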
