Bug 140736 - Add support for registering url schemes to bypass Content Security Policy
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2015-01-21 12:11 PST by Zach Li
Modified: 2015-07-20 10:59 PDT
Attachments
Patch (10.70 KB, patch)
2015-01-21 12:33 PST, Zach Li
Patch (10.78 KB, patch)
2015-02-03 13:40 PST, Zach Li
Patch (10.66 KB, patch)
2015-02-09 12:42 PST, Zach Li
Description Zach Li 2015-01-21 12:11:00 PST
As stated by Mike West in https://bugs.webkit.org/show_bug.cgi?id=89373, we want to load resources regardless of a page's Content Security Policy. We would like to extend this support to WebKit2.
Comment 1 Zach Li 2015-01-21 12:33:38 PST
Created attachment 245078
Patch
Comment 2 Jessie Berlin 2015-01-21 14:09:36 PST
rdar://problem/19541288
Comment 3 Alexey Proskuryakov 2015-01-21 16:57:55 PST
Comment on attachment 245078
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review

> Source/WebKit2/ChangeLog:4
> +        [WK2] Add support for registering url schemes to bypass Content Security Policy.
> +        https://bugs.webkit.org/show_bug.cgi?id=140736

Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?
Comment 4 Zach Li 2015-01-21 21:27:38 PST
I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?
Comment 5 Zach Li 2015-02-03 13:40:59 PST
Created attachment 245962
Patch
Comment 6 Zach Li 2015-02-03 13:42:21 PST
I added the FIXME to remind us that if we have a better approach, we should get rid of this patch.
Comment 7 Alexey Proskuryakov 2015-02-03 13:59:40 PST
Comment on attachment 245962
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

> Source/WebKit2/WebProcess/WebProcess.cpp:422
> +// FIXME: We should have better approach to allow URL schemes to bypass
> +// Content Security Policy instead of adding this API.
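
Review bot: The FIXME at Source/WebKit2/WebProcess/WebProcess.cpp:422 does not say what is deficient about this API or what would replace it, so a later reader cannot act on it. State the concrete limitation in the comment or reference a tracking bug, and fix the grammar ("a better approach").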

What is bad about this approach?
Comment 8 Anders Carlsson 2015-02-05 14:25:21 PST
Comment on attachment 245962
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

>> Source/WebKit2/WebProcess/WebProcess.cpp:422
>> +// Content Security Policy instead of adding this API.
> 
> What is bad about this approach?

This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.
Comment 9 Zach Li 2015-02-09 12:42:28 PST
Created attachment 246283
Patch
Comment 10 WebKit Commit Bot 2015-02-10 08:01:35 PST
Comment on attachment 246283
Patch

Clearing flags on attachment: 246283

Committed r179870: <http://trac.webkit.org/changeset/179870>
Comment 11 WebKit Commit Bot 2015-02-10 08:01:41 PST
All reviewed patches have been landed.  Closing bug.