Bug 104520 - CSP: Apply isolated world's own CSP to connections/requests/executions it generates.
Summary: CSP: Apply isolated world's own CSP to connections/requests/executions it gen...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2012-12-10 01:17 PST by Mike West
Modified: 2016-11-07 15:56 PST (History)
6 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2012-12-10 01:17:17 PST
We currently have the ability to set a Content Security Policy string on an isolated world, but we're only using it to bypass the main world's policy. We should extend this support in order to apply that policy to the script running in the isolated world.

If it injects resources into the main world's DOM, they should run through its policy first. Likewise for XHR, script execution, and etc.
Comment 1 Mike West 2013-02-07 11:00:54 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 2 Radar WebKit Bug Importer 2016-05-27 12:32:11 PDT
Comment 3 Brent Fulgham 2016-11-07 15:56:40 PST
This is a fairly large architecture change that would allow WebKit Extensions to create potentially more restrictive behavior than they are given by default. However, the WebKit Extension design as it stands in 2016 is already very restrictive, and respects the page’s CSP, so it’s not clear how much additional protection would be provided by this large change.

At the time Mike filed the original Bugzilla bug that I imported into this Radar, we allowed extensions to do anything — even violate the CSP rules on the web pages being processed by the sandbox. Since then, we have changed to a pessemistic approach of the extension, and require the extension to follow the CSP of the source page.

One could argue that an altruistic extension writer might wish to provide additional sandboxing that applied only to their extension. WebKit would not support this. But it seems very unlikely this would be used in practice, and our experience with extension writers support this impression.

Consequently, this change seems to have little merit and I am closing as not to be fixed.