Bug 167810

Summary: [Mac][WK2] Add SPI to override the Content Security Policy of a page
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebKit2
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, cdumez, commit-queue, esprehn+autocc, japhet, jer.noble, kangil.han, mkwst, sam
Priority: P2
Keywords: InRadar, PlatformOnly
Version: WebKit Nightly Build
Hardware: Mac
OS: macOS 10.12
Attachments:
Description: Patch and unit tests; Flags: none
Description: Patch and unit tests; Flags: andersca: review+

Description Daniel Bates 2017-02-03 12:16:42 PST
An embedding client may want to impose content restrictions when loading third-party web pages to prevent content injections and ensure a consistent user experience regardless of how the third-party content was produced.

One way to do this is to make use of a Content Security Policy to impose content restrictions. An embedding client could use API/SPI to define a Content Security Policy to be applied to all subsequently loaded pages that takes precedence over the Content Security Policy delivered with a page.
Comment 1 Daniel Bates 2017-02-03 12:22:36 PST
Created attachment 300556
Patch and unit tests
Comment 2 WebKit Commit Bot 2017-02-03 12:25:34 PST
Attachment 300556 did not pass style-queue:


ERROR: Source/WebCore/page/csp/ContentSecurityPolicy.h:77:  enum members should use InterCaps with an initial capital letter or initial 'k' for C-style enums.  [readability/enum_casing] [4]
Total errors found: 1 in 21 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Daniel Bates 2017-02-03 15:01:21 PST
Created attachment 300568
Patch and unit tests

Moved _setOverrideContentSecurityPolicy: SPI from WKWebViewPrivate to WKWebViewConfigurationPrivate based on a conversation with Anders Carlsson. In its preferred embodiment an embedding client will call _setOverrideContentSecurityPolicy: once so that the custom Content Security Policy applies to all page loads. That is, it is unlikely that an embedding client will want to change the custom Content Security Policy per load. So, it is more appropriate to add this SPI to WKWebViewConfigurationPrivate.
Comment 4 WebKit Commit Bot 2017-02-03 15:03:42 PST
Attachment 300568 did not pass style-queue:


ERROR: Source/WebCore/page/csp/ContentSecurityPolicy.h:77:  enum members should use InterCaps with an initial capital letter or initial 'k' for C-style enums.  [readability/enum_casing] [4]
Total errors found: 1 in 26 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 5 Daniel Bates 2017-02-03 15:06:07 PST
<rdar://problem/30102568>
Comment 6 Daniel Bates 2017-02-03 15:16:26 PST
Committed r211656: <http://trac.webkit.org/changeset/211656>