Skip to content

Apply strict-dynamic to inline scripts. #787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 29, 2025
Merged

Apply strict-dynamic to inline scripts. #787

merged 1 commit into from
Oct 29, 2025

Conversation

@mikewest
Copy link
Member

@mikewest mikewest commented Oct 23, 2025
edited by pr-preview bot
Loading

As noted in #426, the current "Does element match source list for type and source?" algorithm does not properly handle strict-dynamic checks for non-parser-inserted inline scripts. This patch adds a relevant step to the algorithm to match both browser behavior and our existing tests:

https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html?label=experimental&label=master&aligned

Fixes #426.

Preview | Diff

@mikewest
Apply strict-dynamic to inline scripts.
73fb5d6 
As noted in #426, the current "Does element match source list for type
and source?" algorithm does not properly handle `strict-dynamic` checks
for non-parser-inserted inline scripts. This patch adds a relevant step
to the algorithm to match both browser behavior and our existing tests:

https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html?label=experimental&label=master&aligned

Fixes #426.
@mikewest mikewest requested a review from antosart October 23, 2025 08:16
@mikewest
Copy link
Member Author

mikewest commented Oct 23, 2025

Would you mind taking a look at this, Antonio? All browsers are currently aligned on the behavior, and it's locked in with tests.

@mikewest
Copy link
Member Author

mikewest commented Oct 29, 2025

Friendly ping, Antonio. :)

antosart
antosart approved these changes Oct 29, 2025
View reviewed changes
Copy link
Member

@antosart antosart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks and sorry for the delay, I missed this.

@mikewest mikewest merged commit 13c7d8e into main Oct 29, 2025
2 checks passed
@mikewest mikewest deleted the fix-426 branch October 29, 2025 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@antosart antosart antosart approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Does strict-dynamic allow dynamically adding inline scripts?

3 participants

@mikewest @antosart