Open Bug 1759002 Opened 2 years ago Updated 2 years ago

Dynamically added CSP not respected for preloaded resource discovery

Categories: Core :: DOM: Security, defect, P3

People: Reporter: noam.j.rosenthal, Unassigned

References: Blocks 1 open bug

Details: Keywords: sec-low, Whiteboard: [domsecurity-backlog1]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

Steps to reproduce:

  • Preload an image using <link rel=preload>
  • Add a CSP <meta> tag to disable images
  • Add an image that matches the preloaded link

See https://github.com/web-platform-tests/wpt/pull/33109

Actual results:

The image was loaded

Expected results:

The image should have been blocked by CSP.

This is also the behavior on WebKit/Chromium.

See Fetch PR to make this explicit in the spec: https://github.com/whatwg/fetch/pull/1411
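The three reproduction steps above, as one self-contained page. This is an added illustration, not the reporter's WPT from PR 33109 and not code from either linked PR; the image path /images/preloaded.png and the report() helper are assumed. The policy is delivered by a <meta> tag that comes after the preload, so it is added later than the request it is supposed to govern; a browser that applies the policy to the matched preload fires the image's error event, while a browser with this bug fires load instead.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Preload vs. later CSP meta (added reproduction page)</title>
<!-- Step 1: start the preload before any policy is in effect.
     /images/preloaded.png is a placeholder; point it at any image on the same origin. -->
<link rel="preload" as="image" href="/images/preloaded.png">
<!-- Step 2: a CSP <meta> that forbids every image load, added after the preload. -->
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<body>
<pre id="verdict">waiting for image result...</pre>
<script>
  // Writes the verdict into the page and the console (helper assumed for this example).
  function report(msg) {
    document.getElementById('verdict').textContent = msg;
    console.log(msg);
  }

  // A conforming browser also dispatches a violation event for the blocked load;
  // this is the same information a report-uri / report-to endpoint would receive.
  document.addEventListener('securitypolicyviolation', (e) => {
    console.log('CSP violation:', e.violatedDirective, e.blockedURI);
  });

  // Step 3: request the same URL as an <img>. Expected: the error event fires
  // because img-src 'none' blocks it; with this bug the load event fires instead.
  const img = new Image();
  img.addEventListener('load',  () => report("FAIL: image loaded despite img-src 'none'"));
  img.addEventListener('error', () => report('PASS: image blocked by CSP'));
  img.src = '/images/preloaded.png';
  document.body.appendChild(img);
</script>
</body>
```

Serve the page from a real origin rather than file:// so the preload and the <img> resolve to the same URL and the preload match can actually occur; the PASS/FAIL line in the page is the only observation needed to classify a browser.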

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Why is there a WPT test already if the spec has not actually been updated yet? We agree with this intent, but the process seems way ahead of itself.

Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

(In reply to Daniel Veditz [:dveditz] from comment #3)

> Why is there a WPT test already if the spec has not actually been updated yet? We agree with this intent, but the process seems way ahead of itself.

The WPT and spec change are both PRs pending consensus.
Merging a spec PR requires WPTs and implementation bugs to be filed.
What would you suggest doing differently?

See Also: → CVE-2022-36315
Keywords: sec-low