We currently have the ability to set a Content Security Policy string on an isolated world, but we're only using it to bypass the main world's policy. We should extend this support in order to apply that policy to the script running in the isolated world.
If it injects resources into the main world's DOM, they should run through its policy first. Likewise for XHR, script execution, and etc.
Unassigning myself; let's be realistic about what I'm actually working on. :/
This is a fairly large architecture change that would allow WebKit Extensions to create potentially more restrictive behavior than they are given by default. However, the WebKit Extension design as it stands in 2016 is already very restrictive, and respects the page’s CSP, so it’s not clear how much additional protection would be provided by this large change.
At the time Mike filed the original Bugzilla bug that I imported into this Radar, we allowed extensions to do anything — even violate the CSP rules on the web pages being processed by the sandbox. Since then, we have changed to a pessemistic approach of the extension, and require the extension to follow the CSP of the source page.
One could argue that an altruistic extension writer might wish to provide additional sandboxing that applied only to their extension. WebKit would not support this. But it seems very unlikely this would be used in practice, and our experience with extension writers support this impression.
Consequently, this change seems to have little merit and I am closing as not to be fixed.