WebKit Bugzilla
RESOLVED FIXED
157252
CSP: Add workaround for XtraMath
https://bugs.webkit.org/show_bug.cgi?id=157252
Daniel Bates
Reported
2016-05-01 17:33:19 PDT
Similar to the purpose of bug #157005, the app XtraMath depends on * matching an arbitrary protocol. Following bug #154122, we restrict matching of * to protocols HTTP, HTTPS in most circumstances. Add an app-specific workaround for XtraMath. <rdar://problem/25881955>
Attachments
Patch (3.56 KB, patch), 2016-05-01 17:36 PDT, Daniel Bates, no flags
Daniel Bates
Comment 1
2016-05-01 17:36:11 PDT
Created attachment 277880: Patch
Darin Adler
Comment 2
2016-05-01 17:40:18 PDT
Comment on attachment 277880 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=277880&action=review
Was about to say review+, but Andy beat me to it. I do have this one comment:
> Source/WebKit/mac/WebView/WebView.mm:868 > static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol()
We should consider grouping these functions that make decisions about these kinds of quirks and workarounds in a header analogous to the RuntimeApplicationChecks one. This header would never mention specific application but would just list all the different quirks. The implementation file would contain all the expressions used to decide when each quirk applies, and comments about why each implements the right policy. The implementations of the quirks would continue to be distributed throughout the code, but the policy of which quirks apply when would be grouped together.
Daniel Bates
Comment 3
2016-05-02 09:14:10 PDT
(In reply to comment #2)
> [...]
> I do have this one comment:
>
> > Source/WebKit/mac/WebView/WebView.mm:868
> > static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol()
>
> We should consider grouping these functions that make decisions about these kinds of quirks and workarounds in a header analogous to the RuntimeApplicationChecks one. This header would never mention specific application but would just list all the different quirks. The implementation file would contain all the expressions used to decide when each quirk applies, and comments about why each implements the right policy.
>
> The implementations of the quirks would continue to be distributed throughout the code, but the policy of which quirks apply when would be grouped together.

I hope you do not mind that I defer such work to bug #157267 and keep this bug focused on the workaround.
Daniel Bates
Comment 4
2016-05-02 09:15:21 PDT
Comment on attachment 277880 (Patch)
Clearing flags on attachment: 277880
Committed r200323: <http://trac.webkit.org/changeset/200323>
Daniel Bates
Comment 5
2016-05-02 09:15:25 PDT
All reviewed patches have been landed. Closing bug.
Timothy Hatcher
Comment 6
2016-05-02 09:27:05 PDT
Comment on attachment 277880 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=277880&action=review
> Source/WebKit/mac/WebView/WebView.mm:871 > + static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol = (IOSApplication::isEcobee() || IOSApplication::isQuora() || IOSApplication::isXtraMath()) && !WebKitLinkedOnOrAfter(WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION);
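Review bot: On the added line at WebView.mm:871, the function-local static has the same name as the enclosing function shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol() (quoted at WebView.mm:868 in comment 2), so inside the body the name refers to the cached bool and hides the function. A distinct name for the local would make the cached quirk decision easier to search for and harder to misread as a call. Separately, because the bundle checks are ANDed with !WebKitLinkedOnOrAfter(...), the relaxation of * ends once an app relinks against a newer WebKit; if the surrounding lines do not already say so, a short comment next to the condition stating that intent and the bug for each listed app would help whoever later audits this list.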
If we run into more apps doing this, I think we should consider dropping the bundle checks and just allow star to match any protocol for any app linked on older WebKit versions.
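A minimal model of the behaviour discussed in this bug, added as an example and not taken from the WebKit patch: `*` matches only HTTP and HTTPS unless the host app is on a quirk list and was linked before the restriction existed. The type, function names, bundle identifiers and version constant are constructed placeholders, and the "most circumstances" exceptions are not modelled.

```cpp
#include <algorithm>
#include <cctype>
#include <iterator>
#include <optional>
#include <string>

// Hypothetical model, not WebKit's API. All values are constructed placeholders.
struct HostApp {
    std::string bundleID;   // constructed identifier, not a real app's bundle ID
    unsigned linkedVersion; // WebKit version the app was linked against
};
constexpr unsigned firstVersionWithStarRestriction = 100; // placeholder value

// Extract and lowercase the URL scheme; reject strings without a valid one.
std::optional<std::string> schemeOf(const std::string& url)
{
    auto colon = url.find(':');
    if (colon == std::string::npos || colon == 0
        || !std::isalpha(static_cast<unsigned char>(url[0])))
        return std::nullopt;
    std::string scheme = url.substr(0, colon);
    for (char& c : scheme) {
        unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '+' && c != '-' && c != '.')
            return std::nullopt;
        c = static_cast<char>(std::tolower(u));
    }
    return scheme;
}

// Quirk policy: app is listed AND was linked before the restriction shipped.
bool starMatchesAnyProtocolQuirk(const HostApp& app)
{
    static const char* const quirkApps[] = { "example.quirk-app-a", "example.quirk-app-b" };
    bool listed = std::any_of(std::begin(quirkApps), std::end(quirkApps),
        [&](const char* id) { return app.bundleID == id; });
    return listed && app.linkedVersion < firstVersionWithStarRestriction;
}

// Does the CSP source expression `*` allow this URL inside this host app?
bool starAllows(const std::string& url, const HostApp& app)
{
    auto scheme = schemeOf(url);
    if (!scheme)
        return false; // no parseable scheme: nothing to match against
    if (*scheme == "http" || *scheme == "https")
        return true;  // restricted default: `*` covers only HTTP and HTTPS
    return starMatchesAnyProtocolQuirk(app); // any other scheme needs the quirk
}
```

Once a listed app relinks at or above the placeholder version, the same custom-scheme load is refused, which is the expiry property the linked-on-or-after check provides.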