Open Bug 1768040 Opened 3 years ago Updated 3 years ago

CSP check is done against the text at the time of preparing but evaluation uses different text if updated after preparation

Categories

(Core :: DOM: Security, defect, P3)

Firefox 102
defect


People

(Reporter: hiroshige, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog2])

Steps to reproduce:

Originally reported in https://github.com/whatwg/html/issues/7882.
WPT: https://github.com/web-platform-tests/wpt/pull/33903

  1. Load a page with a CSP policy that allows the hash of the original script text at Step 1 but forbids the hash of the updated script text at Step 3.
  2. Add an inline script <script>...original text...</script> to DOM. This triggers #prepare-a-script.
  3. Update the text content of the script element.
  4. Execute the script.

(This can be done e.g. by adding stylesheets that block immediate evaluation of inline scripts.)

This is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1651092, but here not only was the updated text evaluated, but the CSP check was also inconsistent (done against the original text).

Actual results:

The updated script text was evaluated.
This indicates that the CSP check was done against the original text at the time of #prepare-a-script but evaluation was done using the updated text.

Expected results:

According to the spec, both the CSP check and evaluation should use the text at the time of #prepare-a-script (source text in https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script).

So the original text should be evaluated.
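As an added illustration (not part of the report, the WPT, or Firefox's code), the Python model below computes the CSP hash-source for an inline script's text and contrasts the spec behaviour (check and evaluate the snapshot taken at #prepare-a-script) with the inconsistent behaviour described above (check the snapshot, evaluate the live text). The `ScriptElement` class and the `evaluate_live_text` switch are my own names for the two behaviours.

```python
import base64
import hashlib

HASH_ALGS = ("sha256", "sha384", "sha512")


def csp_hash_source(text, alg="sha256"):
    """CSP hash-source for script text: '<alg>-<base64(digest of UTF-8 bytes)>'."""
    digest = hashlib.new(alg, text.encode("utf-8")).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def inline_script_allowed(policy_sources, text):
    """Hash matching for script-src: allowed if any hash-source equals the text's digest."""
    for src in policy_sources:
        alg = src.split("-", 1)[0]
        if alg in HASH_ALGS and csp_hash_source(text, alg) == src:
            return True
    return False


class ScriptElement:
    """Minimal model of an inline <script> going through prepare-a-script then evaluation."""

    def __init__(self, text):
        self.text = text          # live text content, may be mutated after preparation
        self.source_text = None   # snapshot taken at prepare-a-script

    def prepare(self, policy_sources):
        # Spec: snapshot the source text and run the CSP check against that snapshot.
        self.source_text = self.text
        return inline_script_allowed(policy_sources, self.source_text)

    def execute(self, evaluate_live_text=False):
        # Spec: evaluate the snapshot. The inconsistent behaviour evaluates the live text.
        return self.text if evaluate_live_text else self.source_text


def reproduce(evaluate_live_text):
    """Steps 1-4 of the report; returns (csp_allowed, text_executed, executed_text_allowed)."""
    original, updated = "console.log('original');", "console.log('updated');"
    policy = {csp_hash_source(original)}            # step 1: allow only the original text
    el = ScriptElement(original)
    allowed = el.prepare(policy)                     # step 2: prepare-a-script + CSP check
    el.text = updated                                # step 3: mutate text after preparation
    executed = el.execute(evaluate_live_text) if allowed else None  # step 4
    return allowed, executed, inline_script_allowed(policy, executed)
```

With `evaluate_live_text=True` the CSP check passes but the evaluated text is one the policy forbids, which is the inconsistency the report describes.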

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Keywords: sec-low