CSP leaks into epiphany pages in one specific case
either in flathub stable or tech preview 46.0-90-g7a8350b43+:
- go to https://forum.snap.berkeley.edu/t/snap-spotlight/14768
- click the link in the topic
a warning page about the invalid certificate opens
- open js console
there are errors:
[Error] Refused to execute a script because it does not appear in the script-src directive of the Content Security Policy. (about:blank, line 208)
[Error] [Report Only] Refused to execute a script because it does not appear in the script-src directive of the Content Security Policy. (about:blank, line 208)
- click "technical information" on the error page
- try to click "risk and continue"
nothing happens on the click. it prints more messages:
[Error] Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (about:blank, line 226)
[Error] [Report Only] Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (about:blank, line 226)
- open the network tab:
it also reports the error to https://forum.snap.berkeley.edu/csp_reports, which it shouldn't because i'm not on that website any more
i cannot reproduce this with other links, like https://exprired.badssl.com
Edited by two