Summary: | Add support for registering url schemes to bypass Content Security Policy | |
---|---|---|---
Product: | WebKit | Reporter: | Zach Li <a.tion.surf>
Component: | WebKit2 | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | ap, a.tion.surf, commit-queue, dbates, jberlin, mkwst, sam
Priority: | P2 | Keywords: | InRadar
Version: | 528+ (Nightly build) | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Description
Zach Li
2015-01-21 12:11:00 PST
Created attachment 245078 [details]
Patch
Comment on attachment 245078 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review

> Source/WebKit2/ChangeLog:4
> + [WK2] Add support for registering url schemes to bypass Content Security Policy.
> + https://bugs.webkit.org/show_bug.cgi?id=140736

Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?

I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?

Created attachment 245962 [details]
Patch
I added the FIXME to remind us that if we have a better approach, we should get rid of this patch.

Comment on attachment 245962 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

> Source/WebKit2/WebProcess/WebProcess.cpp:422
> +// FIXME: We should have better approach to allow URL schemes to bypass
> +// Content Security Policy instead of adding this API.

What is bad about this approach?

Comment on attachment 245962 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

>> Source/WebKit2/WebProcess/WebProcess.cpp:422
>> +// Content Security Policy instead of adding this API.
>
> What is bad about this approach?

This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.

Created attachment 246283 [details]
Patch
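Review bot: the FIXME quoted from Source/WebKit2/WebProcess/WebProcess.cpp:422 in attachment 245962 asks for a better approach without saying what is wrong with this one. State the limitation in the comment itself, namely that the bypass registration is per process when it should be scoped per page or per group of pages, as raised in the review, so the FIXME tells the next reader what to change.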
Comment on attachment 246283 [details]
Patch

Clearing flags on attachment: 246283

Committed r179870: <http://trac.webkit.org/changeset/179870>

All reviewed patches have been landed. Closing bug.