Bug 140736 - Add support for registering url schemes to bypass Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=140736
Status: RESOLVED FIXED
Reported by Zach Li, 2015-01-21 12:11:00 PST

As stated by Mike West in https://bugs.webkit.org/show_bug.cgi?id=89373, we want to load resources regardless of a page's Content Security Policy. We would like to extend this support to WebKit2.
Attachments
Patch (10.70 KB, patch), 2015-01-21 12:33 PST, Zach Li, no flags
Patch (10.78 KB, patch), 2015-02-03 13:40 PST, Zach Li, no flags
Patch (10.66 KB, patch), 2015-02-09 12:42 PST, Zach Li, no flags
Zach Li
Comment 1
2015-01-21 12:33:38 PST
Created attachment 245078: Patch
Jessie Berlin
Comment 2
2015-01-21 14:09:36 PST
rdar://problem/19541288
Alexey Proskuryakov
Comment 3
2015-01-21 16:57:55 PST
Comment on attachment 245078: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review
> Source/WebKit2/ChangeLog:4 > + [WK2] Add support for registering url schemes to bypass Content Security Policy. > +
https://bugs.webkit.org/show_bug.cgi?id=140736
Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?
Zach Li
Comment 4
2015-01-21 21:27:38 PST
I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?
Zach Li
Comment 5
2015-02-03 13:40:59 PST
Created attachment 245962: Patch
Zach Li
Comment 6
2015-02-03 13:42:21 PST
I added the FIXME to remind us that if we have a better approach, we should get rid of this patch.
Alexey Proskuryakov
Comment 7
2015-02-03 13:59:40 PST
Comment on attachment 245962: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review
> Source/WebKit2/WebProcess/WebProcess.cpp:422 > +// FIXME: We should have better approach to allow URL schemes to bypass > +// Content Security Policy instead of adding this API.
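Review bot: The FIXME at WebProcess.cpp:422 says a better approach should exist but names neither what is unsatisfactory about this API nor what the alternative would be, so a later reader cannot act on it. State the concern in the comment itself and reference a tracking bug; "We should have better approach" also needs an article ("a better approach").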
What is bad about this approach?
Anders Carlsson
Comment 8
2015-02-05 14:25:21 PST
Comment on attachment 245962: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review
>> Source/WebKit2/WebProcess/WebProcess.cpp:422 >> +// Content Security Policy instead of adding this API. > > What is bad about this approach?
This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.
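
The scoping concern raised in Comment 8, as an added example that is not WebKit code and not part of the patch: a simplified C++ model in which a bypass-scheme set is consulted before a page's CSP, once with the set held per process and once per page. The `Process` and `Page` types, `allowsLoad`, and the `example-ext` scheme are hypothetical, and the CSP is reduced to a set of allowed schemes.

```cpp
// Simplified model for illustration; not WebKit code. All names are hypothetical.
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <set>
#include <string>

// Lowercased scheme of a URL ("https" for "HTTPS://host/x"); empty if there is no ':'.
std::string schemeOf(const std::string& url) {
    const auto colon = url.find(':');
    if (colon == std::string::npos) return "";
    std::string scheme = url.substr(0, colon);
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme;
}

struct Process { std::set<std::string> bypassSchemes; };  // shared by every page it hosts

struct Page {
    const Process* process;
    std::set<std::string> cspSchemes;     // stand-in for the page's CSP source list
    std::set<std::string> bypassSchemes;  // page-scoped alternative
};

enum class Scope { PerProcess, PerPage };

// A registered scheme is allowed before the page's own policy is consulted.
bool allowsLoad(const Page& page, const std::string& url, Scope scope) {
    const std::string scheme = schemeOf(url);
    const auto& bypass = scope == Scope::PerProcess ? page.process->bypassSchemes : page.bypassSchemes;
    if (bypass.count(scheme)) return true;
    return page.cspSchemes.count(scheme) > 0;
}

int main() {
    Process proc;
    proc.bypassSchemes.insert("example-ext");        // constructed scheme name
    Page host{&proc, {"https"}, {"example-ext"}};    // page that needs the bypass
    Page strict{&proc, {"https"}, {}};               // unrelated page, same process
    const std::string url = "example-ext://id/script.js";  // constructed URL

    for (Scope s : {Scope::PerProcess, Scope::PerPage}) {
        std::cout << (s == Scope::PerProcess ? "per-process" : "per-page")
                  << ": host=" << allowsLoad(host, url, s)
                  << " strict=" << allowsLoad(strict, url, s) << '\n';
    }
    return 0;
}
```

With the per-process set, the unrelated page's policy is skipped for the registered scheme as well; with the per-page set, only the page that registered the scheme is affected.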
Zach Li
Comment 9
2015-02-09 12:42:28 PST
Created attachment 246283: Patch
WebKit Commit Bot
Comment 10
2015-02-10 08:01:35 PST
Comment on attachment 246283: Patch
Clearing flags on attachment: 246283
Committed r179870: <http://trac.webkit.org/changeset/179870>
WebKit Commit Bot
Comment 11
2015-02-10 08:01:41 PST
All reviewed patches have been landed. Closing bug.