[CSP] 'strict-dynamic' not propagating trust into link tags with rel="preload"
Reported by martin.b...@gmail.com, Aug 7 2017
Issue description
Chrome Version : 60.0.3112.90
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
What steps will reproduce the problem?
1. Define a CSP using a nonce and 'strict-dynamic'.
2. Dynamically add a <link rel="preload" href="/foo.js" as="script">
What is the expected result?
Trust is propagated and /foo.js is loaded.
What happens instead of that?
A CSP violation is triggered and the request for /foo.js is blocked.
Please provide any additional information below. Attach a screenshot if
possible.
<!DOCTYPE html>
<html>
<head>
<title>CSP strict-dynamic + preload link in Chrome</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" />
</head>
<body>
<script nonce="123">
// Dynamically insert a preload link from a nonced (trusted) script.
var f = document.createElement("link");
f.rel = "preload"; // prefetch works perfectly fine
f.href = "/foo.js";
f.as = "script";
document.head.appendChild(f);
</script>
<!-- preloaded foo.js is never requested as a CSP violation is triggered in latest Chrome (Version 60.0.3112.90 (Official Build) (64-bit)) -->
</body>
</html>
UserAgentString: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Aug 11 2017
I don't think we have an open issue for this
Oct 10 2017
I was wrong, we do have an open issue for this. Merging into https://bugs.chromium.org/p/chromium/issues/detail?id=733970
Jul 3
Eventually, this is not really a duplicate, as the issue it was merged into was fixed but this is not. Taking a look at what this is about
Jul 3
Seems like the "created by parser" info is not passed along the request options for preloads. Working on a fix
Jul 6
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8e65298a71402000ec517226793beef5aaed7a02

commit 8e65298a71402000ec517226793beef5aaed7a02
Author: Yoav Weiss <yoav@yoav.ws>
Date: Fri Jul 06 06:05:27 2018

Make preload play nice with CSP strict-dynamic

Dynamically loaded preloaded scripts were not loaded when a strict-dynamic CSP directive was used. This was because the state regarding whether the element was parser created or not was not properly propagated to the CSP checks.
This CL fixes that and adds tests that make sure that such scripts can be preloaded (and that markup based preloaded scripts with no nonce cannot).

Bug: 752922
Change-Id: Ib4f3bce8583ccc9770c261d76167243033e5a112
Reviewed-on: https://chromium-review.googlesource.com/1125064
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Yoav Weiss <yoav@yoav.ws>
Cr-Commit-Position: refs/heads/master@{#572908}

[add] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/WebKit/LayoutTests/external/wpt/preload/preload-strict-dynamic.html
[modify] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/blink/renderer/core/html/html_link_element.cc
[modify] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/blink/renderer/core/html/html_link_element.h
[modify] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/blink/renderer/core/loader/link_loader.cc
[modify] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/blink/renderer/core/loader/link_loader_client.h
[modify] https://crrev.com/8e65298a71402000ec517226793beef5aaed7a02/third_party/blink/renderer/core/loader/link_loader_test.cc
Comment 1 by mkwst@chromium.org, Aug 7 2017
Components: Internals>Preload Blink>SecurityFeature>ContentSecurityPolicy
Labels: OS-Android OS-Chrome OS-Linux OS-Mac
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)
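The CSP decision discussed in this thread can be sketched as a small model. This is an added example, not Chromium's code and not part of the original report: a simplified JavaScript rendering of the CSP Level 3 script-src pre-request check, using hypothetical names (checkScriptRequest, preloadRequest, propagateParserState) and a constructed origin. It assumes that when the element's parser state is not passed along, the check sees the preload request as parser-inserted.

```javascript
// Simplified model of the CSP3 script-src pre-request check (added example).
// All function and field names here are illustrative, not browser APIs.
function parseScriptSrc(policy) {
  const directive = policy.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "script-src");
  return directive ? directive.slice(1) : null;
}

function checkScriptRequest(policy, request) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return "Allowed"; // no script-src: nothing enforced in this model
  // 1. A nonce on the element that matches the policy always allows the request.
  if (request.nonce && sources.includes(`'nonce-${request.nonce}'`)) return "Allowed";
  // 2. Under 'strict-dynamic', host sources are ignored and trust depends on
  //    whether the element was inserted by the parser or by script.
  if (sources.some(s => s.toLowerCase() === "'strict-dynamic'")) {
    return request.parserInserted ? "Blocked" : "Allowed";
  }
  // 3. Otherwise match the URL (only 'self' and exact origins are modelled).
  const origin = new URL(request.url, request.documentOrigin).origin;
  const ok = sources.some(s => (s === "'self'" && origin === request.documentOrigin) || s === origin);
  return ok ? "Allowed" : "Blocked";
}

// Request produced by <link rel="preload" as="script">. With
// propagateParserState=false the element's state is dropped and the check
// sees "parser-inserted" (assumption modelling the reported behaviour).
function preloadRequest(link, propagateParserState) {
  return {
    url: link.href,
    documentOrigin: "https://example.test", // constructed origin
    nonce: link.nonce || "",
    parserInserted: propagateParserState ? link.createdByParser : true,
  };
}

const POLICY = "script-src 'nonce-123' 'strict-dynamic'"; // policy from the report
const dynamicLink = { href: "/foo.js", createdByParser: false };
const markupLink = { href: "/foo.js", createdByParser: true };
const noncedMarkupLink = { href: "/foo.js", createdByParser: true, nonce: "123" };

function runCases() {
  return {
    dynamicStateDropped: checkScriptRequest(POLICY, preloadRequest(dynamicLink, false)),
    dynamicStatePropagated: checkScriptRequest(POLICY, preloadRequest(dynamicLink, true)),
    markupNoNonce: checkScriptRequest(POLICY, preloadRequest(markupLink, true)),
    markupWithNonce: checkScriptRequest(POLICY, preloadRequest(noncedMarkupLink, true)),
  };
}
console.log(runCases());
```

The two markup cases correspond to what the commit message says the new tests cover: a script-inserted preload is allowed, while a markup-based preload without a nonce stays blocked.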