[webkit-changes] [WebKit/WebKit] 97937c: CSP strict-dynamic does not block parser-inserted ...

Roberto Rodriguez Wed, 06 May 2026 22:02:40 -0700

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 97937c9886e28f407ded77821664ce97f51c4ac5
      
https://github.com/WebKit/WebKit/commit/97937c9886e28f407ded77821664ce97f51c4ac5
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-05-06 (Wed, 06 May 2026)


  Changed paths:
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module-expected.txt
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module.html
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module.html.headers
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module-expected.txt
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module.html
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module.html.headers
    A 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedModule.js
    M Source/WebCore/dom/ScriptElement.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicy.h

  Log Message:
  -----------
  CSP strict-dynamic does not block parser-inserted external module scripts 
without a nonce
https://bugs.webkit.org/show_bug.cgi?id=314008
rdar://175951114

Reviewed by Brent Fulgham.

Given a CSP policy that contains "script-src 'nonce-X' 'strict-dynamic'", 
parser-inserted external
module scripts without a valid nonce execute without any CSP check. The 
strict-dynamic path splits
CSP validation into two stages: an early stage in 
ContentSecurityPolicy::allowNonParserInsertedScripts
that checks the parserInserted flag, and a fetch-time stage in 
ContentSecurityPolicy::allowScriptFromSource
that returns true when strict-dynamic is present, relying on 
allowNonParserInsertedScripts to have run.
ScriptElement::requestClassicScript and the inline module path both call 
allowNonParserInsertedScripts,
but the external module path in ScriptElement::requestModuleScript does not.

Add the allowNonParserInsertedScripts call to the external module branch of 
ScriptElement::requestModuleScript.

Rename allowNonParserInsertedScripts to allowScriptForStrictDynamic for better 
clarity and intent.

Add new WPT tests for parser-inserted and non-parser-inserted external module 
scripts under strict-dynamic.

Tests: 
imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module.html
       
imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module.html

* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module-expected.txt:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module.html:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted_module.html.headers:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module-expected.txt:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module.html:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted_module.html.headers:
 Added.
* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/simpleSourcedModule.js:
 Added.
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestClassicScript):
(WebCore::ScriptElement::requestModuleScript):
(WebCore::ScriptElement::executeClassicScript):
(WebCore::ScriptElement::registerImportMap):
(WebCore::ScriptElement::registerSpeculationRules):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowScriptForStrictDynamic const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const): Deleted.
* Source/WebCore/page/csp/ContentSecurityPolicy.h:

Canonical link: https://commits.webkit.org/312769@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

[webkit-changes] [WebKit/WebKit] 97937c: CSP strict-dynamic does not block parser-inserted ...

Reply via email to