w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Hashes bypass source-based allowlisting only on pre-request, not on post-request #523

Open antosart opened 2 years ago

antosart commented 2 years ago

On script/style pre-request checks, if the integrity hashes match then we skip the source-based matching check. This means that script-src 'self' 'sha512-abc' passes the pre-request check for a cross-origin script with a matching hash.

However, that would be blocked on post-request, since we have no logic for hashes there anymore.

As with nonces, I believe we would like to allow the request in this case.
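Added illustration, not code from the issue or the specification's own algorithms: a reduced JavaScript model of the script-src pre-request and post-request checks as the issue describes them. Only 'self' and hash sources are modelled, and the document origin, script URL and the "sha512-abc" token are constructed sample values.

```javascript
// Parse a script-src value such as "'self' 'sha512-abc'" into { self, hashes }.
// Other source expressions (hosts, schemes, nonces) are deliberately not modelled.
function parseScriptSrc(value) {
  const self = /'self'/.test(value);
  const hashes = [...value.matchAll(/'(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)'/g)]
    .map(m => ({ alg: m[1], digest: m[2] }));
  return { self, hashes };
}

// Source matching reduced to 'self': the script URL shares the document's origin.
function matchesSelf(policy, documentOrigin, url) {
  return policy.self && new URL(url).origin === documentOrigin;
}

// Does any integrity token on the element ("sha512-abc sha256-...") match a
// hash source listed in the policy?
function integrityMatches(policy, integrity) {
  return integrity.split(/\s+/).filter(Boolean).some(token => {
    const i = token.indexOf("-");
    const alg = token.slice(0, i), digest = token.slice(i + 1);
    return policy.hashes.some(h => h.alg === alg && h.digest === digest);
  });
}

// Pre-request check as the issue describes it: a matching integrity hash
// short-circuits the source-based check entirely.
function preRequestCheck(policy, documentOrigin, url, integrity) {
  if (integrity && integrityMatches(policy, integrity)) return "allowed";
  return matchesSelf(policy, documentOrigin, url) ? "allowed" : "blocked";
}

// Post-request check as the issue describes it: only source matching,
// no hash logic, so the same cross-origin script is blocked here.
function postRequestCheck(policy, documentOrigin, url) {
  return matchesSelf(policy, documentOrigin, url) ? "allowed" : "blocked";
}

// Walk the scenario from the issue: constructed document origin and a
// constructed cross-origin script whose integrity token matches the policy.
function demo() {
  const policy = parseScriptSrc("'self' 'sha512-abc'");
  const origin = "https://app.example";           // constructed
  const url = "https://cdn.example/lib.js";         // constructed, cross-origin
  return {
    pre: preRequestCheck(policy, origin, url, "sha512-abc"),
    post: postRequestCheck(policy, origin, url),
  };
}
```

The two results differ ("allowed" then "blocked"), which is the inconsistency the issue reports; aligning them, as with nonces, would mean giving the post-request step the same hash logic.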

antosart commented 2 years ago

CC @koto

koto commented 2 years ago

Thanks for filing, Antonio. For context, linking also to https://github.com/w3c/webappsec-csp/issues/78.