Bug 246615
| Summary: | protocol source matches for CSP of extensions | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Carlos J. <carlosj-webkit-bugzilla> |
| Component: | WebKit Extensions | Assignee: | Nobody <webkit-unassigned> |
| Status: | REOPENED | ||
| Severity: | Normal | CC: | ap, timothy, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Carlos J.
To allow developers to enforce are more strict CSP, allow wildmark matches. Basically without wildmark matches I have to leave out the directive completely. One use case is limiting the set of images an extension is able to load in their own context. Normally, any image can be loaded within the extension, yet when you set this as CSP: default-src: none; img-src: https:; Only images from https can be loaded.
Previously reported as:
https://feedbackassistant.apple.com/feedback/8968973
https://developer.apple.com/forums/thread/669889
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
Thank you for the report. This will continue to be tracked by Apple internal as a Safari issue, not a WebKit one.
rdar://73143960
Timothy Hatcher
We are tracking bugs in Bugzilla for Web Extensions now as we move extensions support from Safari to WebKit.