Title: [291816] trunk
- Revision: 291816
- Author: katherine_che...@apple.com
- Date: 2022-03-24 15:22:33 -0700 (Thu, 24 Mar 2022)
Log Message
REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
https://bugs.webkit.org/show_bug.cgi?id=238014
<rdar://problem/90599352>
Reviewed by Brent Fulgham.
Source/WebCore:
In https://bugs.webkit.org/show_bug.cgi?id=179728 we implemented
nonce hiding from the DOM. It seems we missed one location
where we need to reference the element.nonce() instead of the
nonce attribute.
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process):
LayoutTests:
* http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (291815 => 291816)
--- trunk/LayoutTests/ChangeLog 2022-03-24 21:41:42 UTC (rev 291815)
+++ trunk/LayoutTests/ChangeLog 2022-03-24 22:22:33 UTC (rev 291816)
@@ -1,3 +1,14 @@
+2022-03-24 Kate Cheney <katherine_che...@apple.com>
+
+ REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
+ https://bugs.webkit.org/show_bug.cgi?id=238014
+ <rdar://problem/90599352>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py: Added.
+
2022-03-24 Jean-Yves Avenard <j...@apple.com>
Safari can't play video completely at bilibili.com
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce-expected.txt (0 => 291816)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce-expected.txt 2022-03-24 22:22:33 UTC (rev 291816)
@@ -0,0 +1,3 @@
+Test that a stylesheet with a nonce is allowed with CSP served via header
+
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py (0 => 291816)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py 2022-03-24 22:22:33 UTC (rev 291816)
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+import sys
+
+sys.stdout.write(
+ 'Content-Security-Policy: script-src \'unsafe-inline\' \'self\'; style-src \'nonce-test\'\r\n'
+ 'Content-Type: text/html\r\n\r\n'
+ '<!DOCTYPE html>\n'
+ '<html>\n'
+ '<body>\n'
+ '<p>Test that a stylesheet with a nonce is allowed with CSP served via header</p>\n'
+ '<link rel="stylesheet" href="" nonce="test">'
+ '<script>\n'
+ ' if (window.testRunner)'
+ ' testRunner.dumpAsText();'
+ ' document.write(document.styleSheets.length > 0 ? \'PASS\' : \'FAIL\');'
+ '</script>\n'
+ '\n'
+ '</body>\n'
+ '</html>\n'
+)
Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-allowed-with-nonce.py
___________________________________________________________________
Added: svn:executable
+*
\ No newline at end of property
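Review bot: The test covers only the allowed case: a single `<link rel="stylesheet" href="" nonce="test">` under `style-src 'nonce-test'`, checked with `document.styleSheets.length > 0`. The code path being fixed decides whether the CSP check is skipped for the style sheet load, so consider adding a second link whose nonce does not match the policy and asserting that it is blocked, which would catch a future change that over-accepts. Separately, the `<link>` line and the three lines inside `<script>` lack the trailing `\n` that the other string literals have, so the served script collapses onto one line; it still parses because each statement ends in a semicolon, but adding the newlines would keep the generated page readable when the test fails.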
Modified: trunk/Source/WebCore/ChangeLog (291815 => 291816)
--- trunk/Source/WebCore/ChangeLog 2022-03-24 21:41:42 UTC (rev 291815)
+++ trunk/Source/WebCore/ChangeLog 2022-03-24 22:22:33 UTC (rev 291816)
@@ -1,3 +1,19 @@
+2022-03-24 Kate Cheney <katherine_che...@apple.com>
+
+ REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
+ https://bugs.webkit.org/show_bug.cgi?id=238014
+ <rdar://problem/90599352>
+
+ Reviewed by Brent Fulgham.
+
+ In https://bugs.webkit.org/show_bug.cgi?id=179728 we implemented
+ nonce hiding from the DOM. It seems we missed once location
+ where we need to reference the element.nonce() instead of the
+ nonce attribute.
+
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::process):
+
2022-03-24 Jean-Yves Avenard <j...@apple.com>
Safari can't play video completely at bilibili.com
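Review bot: Typo in the added description: "we missed once location" should read "one location". The entry would also be easier to act on later if it said in one sentence why reading the nonce attribute fails at this call site after the nonce-hiding change from bug 179728, so the regression is understandable without following the bug link.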
Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (291815 => 291816)
--- trunk/Source/WebCore/html/HTMLLinkElement.cpp 2022-03-24 21:41:42 UTC (rev 291815)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp 2022-03-24 22:22:33 UTC (rev 291816)
@@ -314,7 +314,7 @@
m_integrityMetadataForPendingSheetRequest = attributeWithoutSynchronization(HTMLNames::integrityAttr);
ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
- options.nonce = attributeWithoutSynchronization(HTMLNames::nonceAttr);
+ options.nonce = nonce();
options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
if (document().contentSecurityPolicy()->allowStyleWithNonce(options.nonce))
options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
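Review bot: The new `options.nonce = nonce();` line has no comment, and it sits directly below `attributeWithoutSynchronization(HTMLNames::integrityAttr)`, which still uses the attribute-reading pattern that was wrong for the nonce. Since `options.nonce` is passed straight to `allowStyleWithNonce()` and a match selects `ContentSecurityPolicyImposition::SkipPolicyCheck`, a one-line comment stating that the nonce must come from `nonce()` because the content attribute is hidden from the DOM would stop a later cleanup from making the two lines "consistent" again and reintroducing the regression.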