parser_inserted flag used in 'strict-dynamic' check is not sufficient

[andypaicu]

The parser-inserted flag is unset in step 2 and reset in step 8 in prepare a script. If the algorithm quits in between these two steps, the flag stays unset.

While this is intentional as noted in the algorithm to allow other scripts to mutate them and correct them, for the purposes of the CSP 'strict-dynamic check' (step 4) this is actually incorrect as it opens invalid scripts to be blessed by strict-dynamic.

[domenic]

Can you explain more the vulnerability here?

Right now the spec maintains that the following are equivalent:

// Insert an empty script, which is a no-op
document.write('<script></script>');

// Dynamically update the empty script
document.querySelector('script').textContent = 'alert(1)';

vs.

// Insert an empty script, which is a no-op
const s = document.createElement('script');
document.body.append(s);

// Dynamically update the empty script
s.textContent = 'alert(1)';

But you are saying that the first code block should instead be equivalent, for the purposes of CSP strict-dynamic, to

// Insert a non-empty script, whose contents are determined by the parser
document.write('<script>alert(1)</script>');

This seems backward to me. Dynamically inserted scripts should be treated the same, even if the element into which they were inserted was originally created by the parser.

In other words, it seems like CSP should be trying to govern parser inserted script contents, not parser-inserted script elements. Which is what the current spec does.

[shhnjk]

I'm not sure if this is also in scope, but sometimes whole payload is injected, but later appended to document by legit script which causes script execution.