Bug 243324

Summary: webkit-pdfjs-viewer URI scheme should not be blocked by CSP
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: PDFAssignee: Patrick Griffis <pgriffis>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, mcatanzaro, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Michael Catanzaro
Reported 2022-07-28 16:44:34 PDT
Try loading: https://www.ameren.com/-/media/rates/files/missouri/uecsheet54rate1mres.ashx It gets blocked by the page's CSP: [Error] Refused to load webkit-pdfjs-viewer://pdfjs/web/viewer.html?file=#pagemode=none because it appears in neither the frame-src directive nor the default-src directive of the Content Security Policy. [Error] Refused to load webkit-pdfjs-viewer://pdfjs/extras/adwaita/style.css because it appears in neither the style-src directive nor the default-src directive of the Content Security Policy. [Error] Refused to load webkit-pdfjs-viewer://pdfjs/extras/content-script.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy. We should exempt our own internal webkit-pdfjs-viewer URI scheme from CSP checks. It's an implementation detail of the website. We actually added new public WPE/GTK port API to allow Epiphany to do this, webkit_web_view_set_cors_allowlist(), (which is suddenly longer needed now that we've moved PDF.js to WebKit).
Attachments
Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2022-07-28 16:45:52 PDT
(In reply to Michael Catanzaro from comment #0) > It's an implementation detail of the website. I meant to write: it's an implementation detail of WebKit, not something that the website could be expected to know about.
Michael Catanzaro
Comment 2 2022-08-01 14:07:00 PDT
Patrick says we need to call LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy from somewhere. Not clear where would be the nicest place to do this, since it only needs to happen once, not once for each PDFDocument.
Michael Catanzaro
Comment 3 2022-08-01 14:08:06 PDT
(In reply to Michael Catanzaro from comment #2) > Patrick says we need to call > LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy from > somewhere. Not clear where would be the nicest place to do this, since it > only needs to happen once, not once for each PDFDocument. Well that was a dumb question. We should do it wherever we register the scheme.
Michael Catanzaro
Comment 4 2022-08-01 14:38:49 PDT
(In reply to Michael Catanzaro from comment #3) > Well that was a dumb question. We should do it wherever we register the > scheme. Well it's more complicated than this. The scheme is never actually explicitly registered anywhere. It's just hardcoded into LegacySchemeRegistry.cpp.
Radar WebKit Bug Importer
Comment 5 2022-08-01 14:55:24 PDT
<rdar://problem/97938315>
Patrick Griffis
Comment 6 2022-08-01 15:04:51 PDT
Pull request: https://github.com/WebKit/WebKit/pull/2922
EWS
Comment 7 2022-08-02 10:09:04 PDT
Committed 253040@main (e9c47d55c988): <https://commits.webkit.org/253040@main> Reviewed commits have been landed. Closing PR #2922 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.