| Summary: | Sandbox CSP directives allows websites to block execution of browser features implemented in JavaScript | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | | |
| Severity: | Normal | CC: | anhvy2013, bfulgham, bugs-noreply, mcatanzaro, pgriffis, simonepas, webkit-bug-importer, wilander |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=192753, https://bugs.webkit.org/show_bug.cgi?id=178040 | | |
Description
Michael Catanzaro
2022-02-28 10:55:49 PST
Thanks for filing! I don't know if you are writing patches for WebKit these days, Michael. If so, is this something you intend/want to work on?

I looked at it briefly, but not closely enough to prepare a patch. The error is coming from ScriptController::executeScriptInWorld, which decides scripts are not allowed because ScriptController::canExecuteScripts returns false. Maybe we need a new ReasonForCallingCanExecuteScripts for scripts executed by WebKit API that bypass some of the checks.

Somebody is complaining on Matrix that this also breaks WebKit's HTMLMediaElement controls. So it's not just browser-level features, but also WebKit features that are affected.

(In reply to Michael Catanzaro from comment #4)
> Somebody is complaining on Matrix that this also breaks WebKit's
> HTMLMediaElement controls. So it's not just browser-level features, but also
> WebKit features that are affected.

And it means the strategy suggested in my comment #3 would be insufficient to fully fix this. We'd need to identify other places within WebKit that use internal JavaScript and fix those too. I'm not sure what else there would be besides media controls, but I bet there's more I don't know about....
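The behaviour the bug describes, as an added model that is not WebKit's code and not part of the bug report: a small parser for the `Content-Security-Policy: sandbox` directive that computes whether author script may run, followed by two versions of the "can scripts execute?" decision. The first, `canExecuteScriptsShared`, gives every caller the same answer, which is the reported bug (a page sent with a bare `sandbox` directive also blocks browser- and WebKit-internal JavaScript such as the media controls). The second, `canExecuteScriptsByCaller`, sketches the direction comment #3 suggests: let the reason for the call exempt internal callers while author script stays sandboxed. The `Caller` enum, all function names and the example headers are assumptions of this model, not WebKit identifiers.

```javascript
// Added example, not WebKit code: models the CSP `sandbox` directive and the
// shared "can scripts run?" decision described in the bug report above.
'use strict';

// Sandboxing flags defined for `sandbox` in HTML; matched ASCII case-insensitively.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Parse one serialized policy ("dir tok tok; dir tok") into a Map of
// directive name -> token list. Directive names are case-insensitive and,
// as in CSP, the first occurrence of a name wins over later duplicates.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const rawDirective of serialized.split(';')) {
    const parts = rawDirective.trim().split(/[ \t]+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// One header value may carry several comma-separated policies; each is enforced.
function parseHeader(headerValue) {
  return headerValue.split(',').map(parsePolicy).filter((d) => d.size > 0);
}

// Effective sandbox state of a document. The document is sandboxed if any
// policy carries `sandbox`; a capability survives only if every sandbox
// directive grants it, since the most restrictive policy wins.
function sandboxState(headerValue) {
  const sandboxDirectives = parseHeader(headerValue)
    .filter((d) => d.has('sandbox'))
    .map((d) => new Set(d.get('sandbox').map((t) => t.toLowerCase())));
  if (sandboxDirectives.length === 0) {
    return { sandboxed: false, allowScripts: true, allowSameOrigin: true, unknownTokens: [] };
  }
  const granted = (flag) => sandboxDirectives.every((flags) => flags.has(flag));
  const unknownTokens = [...new Set(
    sandboxDirectives.flatMap((flags) => [...flags]).filter((t) => !SANDBOX_TOKENS.has(t)),
  )];
  return {
    sandboxed: true,
    allowScripts: granted('allow-scripts'),
    allowSameOrigin: granted('allow-same-origin'),
    unknownTokens,
  };
}

// Who is asking to run script (assumed names for this model). PAGE is author
// script; INTERNAL stands for JavaScript the engine or embedder runs itself,
// such as the media controls and WebKit API scripts mentioned in the bug.
const Caller = Object.freeze({ PAGE: 'page', INTERNAL: 'internal' });

// Reported behaviour: a single answer for every caller, so a bare `sandbox`
// directive also blocks engine-internal JavaScript.
function canExecuteScriptsShared(headerValue, _caller) {
  return sandboxState(headerValue).allowScripts;
}

// Direction suggested in comment #3: the reason for the call lets internal
// callers bypass the page-level sandbox check while author script stays blocked.
function canExecuteScriptsByCaller(headerValue, caller) {
  if (caller === Caller.INTERNAL) return true;
  return sandboxState(headerValue).allowScripts;
}

// Constructed sample headers: the bug's trigger, and the form that does not trigger it.
const BARE_SANDBOX = 'sandbox';
const SANDBOX_WITH_SCRIPTS = "default-src 'self'; sandbox allow-scripts allow-same-origin";

if (typeof require !== 'undefined' && require.main === module) {
  for (const header of [BARE_SANDBOX, SANDBOX_WITH_SCRIPTS]) {
    console.log(JSON.stringify(header), sandboxState(header),
      'internal(shared):', canExecuteScriptsShared(header, Caller.INTERNAL),
      'internal(by caller):', canExecuteScriptsByCaller(header, Caller.INTERNAL));
  }
}
```

Note that `sandbox` is only honoured when delivered in the HTTP `Content-Security-Policy` header; a `<meta http-equiv>` policy ignores it, as does `Content-Security-Policy-Report-Only`. The model also reports tokens it does not recognise so a misspelled `allow-scripts` (which silently leaves scripts blocked) is visible rather than mistaken for a browser bug.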