Bug 140736

Summary: Add support for registering url schemes to bypass Content Security Policy
Product: WebKit Reporter: Zach Li <a.tion.surf>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, a.tion.surf, commit-queue, dbates, jberlin, mkwst, sam
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Zach Li
Reported 2015-01-21 12:11:00 PST
As stated by Mike West in https://bugs.webkit.org/show_bug.cgi?id=89373, we want to load resources regardless of a page's Content Security Policy. We would like to extend this support to WebKit2.
Attachments
Patch (10.70 KB, patch)
2015-01-21 12:33 PST, Zach Li 		no flags
DetailsFormatted DiffDiff
Patch (10.78 KB, patch)
2015-02-03 13:40 PST, Zach Li 		no flags
DetailsFormatted DiffDiff
Patch (10.66 KB, patch)
2015-02-09 12:42 PST, Zach Li 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Zach Li
Comment 1 2015-01-21 12:33:38 PST
Created attachment 245078 [details] Patch
Jessie Berlin
Comment 2 2015-01-21 14:09:36 PST
rdar://problem/19541288
Alexey Proskuryakov
Comment 3 2015-01-21 16:57:55 PST
Comment on attachment 245078 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review > Source/WebKit2/ChangeLog:4 > + [WK2] Add support for registering url schemes to bypass Content Security Policy. > + https://bugs.webkit.org/show_bug.cgi?id=140736 Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?
Zach Li
Comment 4 2015-01-21 21:27:38 PST
I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?
Zach Li
Comment 5 2015-02-03 13:40:59 PST
Created attachment 245962 [details] Patch
Zach Li
Comment 6 2015-02-03 13:42:21 PST
I added the FIXME to remind us that if we have better approach, we should get rid of this patch.
Alexey Proskuryakov
Comment 7 2015-02-03 13:59:40 PST
Comment on attachment 245962 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review > Source/WebKit2/WebProcess/WebProcess.cpp:422 > +// FIXME: We should have better approach to allow URL schemes to bypass > +// Content Security Policy instead of adding this API. What is bad about this approach?
Anders Carlsson
Comment 8 2015-02-05 14:25:21 PST
Comment on attachment 245962 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review >> Source/WebKit2/WebProcess/WebProcess.cpp:422 >> +// Content Security Policy instead of adding this API. > > What is bad about this approach? This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.
Zach Li
Comment 9 2015-02-09 12:42:28 PST
Created attachment 246283 [details] Patch
WebKit Commit Bot
Comment 10 2015-02-10 08:01:35 PST
Comment on attachment 246283 [details] Patch Clearing flags on attachment: 246283 Committed r179870: <http://trac.webkit.org/changeset/179870>
WebKit Commit Bot
Comment 11 2015-02-10 08:01:41 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.