As stated by Mike West in https://bugs.webkit.org/show_bug.cgi?id=89373, we want to load resources regardless of a page's Content Security Policy. We would like to extend this support to WebKit2.
Created attachment 245078 [details] Patch
rdar://problem/19541288
Comment on attachment 245078 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245078&action=review

> Source/WebKit2/ChangeLog:4
> + [WK2] Add support for registering url schemes to bypass Content Security Policy.
> + https://bugs.webkit.org/show_bug.cgi?id=140736

Is this the right thing to do? Or should we just ignore CSP for script in non-main worlds?
I am not entirely familiar with network security in general, but if we ignore CSP for script in non-main worlds, would it be possible for someone to inject malicious code in non-main worlds, bypass CSP, and exploit?
Created attachment 245962 [details] Patch
I added the FIXME to remind us that if we have a better approach, we should get rid of this patch.
Comment on attachment 245962 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

> Source/WebKit2/WebProcess/WebProcess.cpp:422
> +// FIXME: We should have better approach to allow URL schemes to bypass
> +// Content Security Policy instead of adding this API.

What is bad about this approach?
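Review bot: The FIXME at Source/WebKit2/WebProcess/WebProcess.cpp:422 does not say what is wrong with the approach it flags or what a better one would look like, so nobody can act on it later. Name the specific limitation in the comment and point it at a tracking bug, instead of only "We should have better approach".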
Comment on attachment 245962 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245962&action=review

>> Source/WebKit2/WebProcess/WebProcess.cpp:422
>> +// Content Security Policy instead of adding this API.
>
> What is bad about this approach?

This shouldn't really be per process, it should be per page or "groups of pages" ideally. It's OK for now though.
Created attachment 246283 [details] Patch
Comment on attachment 246283 [details] Patch

Clearing flags on attachment: 246283

Committed r179870: <http://trac.webkit.org/changeset/179870>
All reviewed patches have been landed. Closing bug.