Bug 238014

Summary: REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet
Product: WebKit
Component: Page Loading
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Martijn Dashorst <martijn.dashorst>
Assignee: Kate Cheney <katherine_cheney>
CC: ap, beidson, bfulgham, cdumez, changseok, emond.papegaaij, esprehn+autocc, ews-watchlist, gyuyoung.kim, katherine_cheney, mkwst, pgriffis, webkit-bug-importer, wilander
Keywords: InRadar
See Also: https://bugs.webkit.org/show_bug.cgi?id=222484
Attachments (description, flags):
Expected page render (flags: none)
Actual page render (flags: none)
Patch (flags: none)
Patch (flags: none)
Patch for landing (flags: none)

Description Martijn Dashorst 2022-03-17 02:59:25 PDT
Created attachment 454946 [details]
Expected page render

Pages that have CSP enabled and use nonces in their <link> tags fail to load the style sheets, with the messages below:

[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy.

You can find such an example here: https://examples9x.wicket.apache.org/index.html

This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in the latest Epiphany and it is broken there as well, so this seems to be a WebKit issue.

Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request

> If the result of executing § 6.6.2.2 Does nonce match source list? on request’s cryptographic nonce metadata and this directive’s value is "Matches", return "Allowed".
Comment 1 Martijn Dashorst 2022-03-17 02:59:53 PDT
Created attachment 454947 [details]
Actual page render
Comment 2 Alexey Proskuryakov 2022-03-18 17:30:28 PDT
> This works in Safari < 5.4, but is broken in Safari 5.4.

I'm guessing that this is Safari 15.4, not 5.4, could you please confirm?
Comment 3 Martijn Dashorst 2022-03-21 01:33:18 PDT
Yes, 15.4
Comment 4 Radar WebKit Bug Importer 2022-03-21 16:14:29 PDT
<rdar://problem/90599352>
Comment 5 Kate Cheney 2022-03-24 08:48:32 PDT
Hi! Thanks for reporting, I am taking a look at this. I noticed in the reduction you linked (https://examples9x.wicket.apache.org/index.html) that when I inspect the page, the nonce is not specified for the stylesheet elements (I see "nonce" instead of something like "nonce='abc'"). Is this a mistake in the creation of the reduction, or could this be the issue? Maybe I am missing something. Thanks!
Comment 6 Martijn Dashorst 2022-03-24 09:15:27 PDT
If you "View Source" you will see the nonces.

<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
<link rel="stylesheet" type="text/css" href="./wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css" media="screen" nonce="oSJryZj3W7yFgWz7apvYaNxw" />
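
The pre-request decision quoted from CSP3 in the description, as an added example (not part of this bug thread and not WebKit's code): a nonce match on the governing style directive allows the stylesheet before any URL matching is attempted. The policy string is constructed, since the report does not show the header the site sends; the URL matcher is deliberately simplified and all function names are illustrative.

```javascript
// Added example. POLICY is constructed; the nonce and href are taken from the
// <link> tags quoted in this report. All names here are illustrative.
const NONCE_SOURCE = /^'nonce-([A-Za-z0-9+\/\-_]+={0,2})'$/i;
const SELF_ORIGIN = 'https://examples9x.wicket.apache.org';
const POLICY = "default-src 'none'; style-src 'nonce-oSJryZj3W7yFgWz7apvYaNxw'";
const LINK = {
  href: './wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css',
  nonce: 'oSJryZj3W7yFgWz7apvYaNxw',
};

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps the first occurrence of a directive and ignores duplicates.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// "Does nonce match source list?": an empty nonce never matches; otherwise it
// must be identical (case-sensitive) to the value of some nonce-source.
function nonceMatchesSourceList(nonce, sourceList) {
  if (nonce === '') return 'Does Not Match';
  for (const expr of sourceList) {
    const m = NONCE_SOURCE.exec(expr);
    if (m && m[1] === nonce) return 'Matches';
  }
  return 'Does Not Match';
}

// Simplified URL check (assumption): only 'self' and exact-origin sources.
function urlMatchesSourceList(url, sourceList, selfOrigin) {
  const origin = new URL(url, selfOrigin).origin;
  return sourceList.some((expr) =>
    (expr.toLowerCase() === "'self'" && origin === selfOrigin) || expr === origin);
}

// Pre-request check for a stylesheet <link>; the nonce is consulted first.
function checkStylesheetRequest(policy, link, selfOrigin) {
  const d = parsePolicy(policy);
  // CSP3 fallback order for stylesheet elements.
  const list = d.get('style-src-elem') ?? d.get('style-src') ?? d.get('default-src');
  if (list === undefined) return 'Allowed'; // no directive governs styles
  if (nonceMatchesSourceList(link.nonce ?? '', list) === 'Matches') return 'Allowed';
  return urlMatchesSourceList(link.href, list, selfOrigin) ? 'Allowed' : 'Blocked';
}
```

Calling `checkStylesheetRequest(POLICY, LINK, SELF_ORIGIN)` returns `'Allowed'`; passing the same link without its `nonce` returns `'Blocked'`, which is the outcome the console errors in the description show.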
Comment 8 Kate Cheney 2022-03-24 09:35:28 PDT
I see - thanks for the clarification!
Comment 9 Kate Cheney 2022-03-24 12:12:47 PDT
Created attachment 455663 [details]
Patch
Comment 10 Patrick Griffis 2022-03-24 12:37:32 PDT
Comment on attachment 455663 [details]
Patch

Looks good to me.
Comment 11 Brent Fulgham 2022-03-24 12:41:35 PDT
Comment on attachment 455663 [details]
Patch

r=me
Comment 12 Kate Cheney 2022-03-24 14:04:28 PDT Comment hidden (obsolete)
Comment 13 Kate Cheney 2022-03-24 14:08:49 PDT
Created attachment 455680 [details]
Patch for landing
Comment 14 EWS 2022-03-24 15:23:45 PDT
Committed r291816 (248843@main): <https://commits.webkit.org/248843@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 455680 [details].
Comment 15 Brent Fulgham 2022-05-26 14:54:24 PDT
This fix shipped with Safari 15.5 (all platforms).