Bug 140736

Summary: Add support for registering url schemes to bypass Content Security Policy
Product: WebKit
Reporter: Zach Li <a.tion.surf>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, a.tion.surf, commit-queue, dbates, jberlin, mkwst, sam
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch none
Patch none
Patch none

Description Zach Li 2015-01-21 12:11:00 PST
As stated by Mike West in https://bugs.webkit.org/show_bug.cgi?id=89373, we want to load resources regardless of a page's Content Security Policy. We would like to extend this support to WebKit2.
Comment 1 Zach Li 2015-01-21 12:33:38 PST
Created attachment 245078 [details]
Patch
Comment 2 Jessie Berlin 2015-01-21 14:09:36 PST
rdar://problem/19541288
Comment 3 Alexey Proskuryakov 2015-01-21 16:57:55 PST
Comment on attachment 245078 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review

> Source/WebKit2/ChangeLog:4
> +        [WK2] Add support for registering url schemes to bypass Content Security Policy.
> +        https://bugs.webkit.org/show_bug.cgi?id=140736

Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?
Comment 4 Zach Li 2015-01-21 21:27:38 PST
I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?
Comment 5 Zach Li 2015-02-03 13:40:59 PST
Created attachment 245962 [details]
Patch
Comment 6 Zach Li 2015-02-03 13:42:21 PST
I added the FIXME to remind us that if we have a better approach, we should get rid of this patch.
Comment 7 Alexey Proskuryakov 2015-02-03 13:59:40 PST
Comment on attachment 245962 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

> Source/WebKit2/WebProcess/WebProcess.cpp:422
> +// FIXME: We should have better approach to allow URL schemes to bypass
> +// Content Security Policy instead of adding this API.
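
Review bot: The FIXME at WebProcess.cpp:422 says a better approach is wanted but does not state what is wrong with this API or what should replace it, so a later reader of the code cannot act on it. Spell out the concern in the comment and reference a tracking bug for the follow-up, and correct the wording to "a better approach".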

What is bad about this approach?
Comment 8 Anders Carlsson 2015-02-05 14:25:21 PST
Comment on attachment 245962 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

>> Source/WebKit2/WebProcess/WebProcess.cpp:422
>> +// Content Security Policy instead of adding this API.
> 
> What is bad about this approach?

This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.
Comment 9 Zach Li 2015-02-09 12:42:28 PST
Created attachment 246283 [details]
Patch
Comment 10 WebKit Commit Bot 2015-02-10 08:01:35 PST
Comment on attachment 246283 [details]
Patch

Clearing flags on attachment: 246283

Committed r179870: <http://trac.webkit.org/changeset/179870>
Comment 11 WebKit Commit Bot 2015-02-10 08:01:41 PST
All reviewed patches have been landed.  Closing bug.