Created attachment 398011 [details] Patch

<rdar://problem/61837474>

Comment on attachment 398011 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=398011&action=review > Source/WebKit/WebProcess/WebPage/WebPage.cpp:403 > + WebCore::SecurityPolicy::allowAccessTo(parsedPattern); This method says it is parsing things, however it is calling SecurityPolicy::allowAccessTo() too so it is doing way more than parsing. Another concern. Even though you now support updating those CORS-disabling patterns, you really only ever allow more patterns with regards to SecurityPolicy::originAccessPatterns(). Once a pattern is added there, it does not seem it gets removed. Another mismatch is that SecurityPolicy::originAccessPatterns() seems to apply at process level, while you patterns are per page.

The user of this SPI will only ever be adding patterns, so this concern isn't really valid for this use case. It is valid for hypothetical future users of this SPI that reduce patterns, but we should cross that bridge when we come to it. It is unfortunate that SecurityPolicy is global, but it is the way it is right now. All loading in the web process is global. Would you review this patch on the condition that parseCORSDisablingPatterns be renamed to parseAndAllowAccessToCORSDisablingPatterns?

Created attachment 398080 [details] patch with renamed parser

Committed r260962: <https://trac.webkit.org/changeset/260962> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398080 [details].