[webkit-dev] Best way to disable JavaScript

Mike West mkwst at chromium.org
Mon Mar 18 01:04:01 PDT 2013


On Mon, Mar 18, 2013 at 7:38 AM, Adam Barth <abarth at webkit.org> wrote:

> > What is the CSP-expected behavior if a user-supplied script inserts an
> > attribute event handler, javascript: URL, regular event handler, timer, or
> > <script> element in order to do its work?
>
> There's a SHOULD-level requirement that the user script act as normal.
> That requirement is somewhat aspirational in the sense that no user
> agent implements it perfectly.  We've made some improvements in that
> resource loads initiated by content scripts correctly bypass the
> page's CSP policy, but we have more work to do in order to make inline
> event handlers and JavaScript URLs created by content scripts bypass
> the page's CSP policy.
>

On this note, I'd love some help with
https://bugs.webkit.org/show_bug.cgi?id=100815. I've had it on my list for
quite some time, and simply haven't prioritized it correctly. If someone
with more familiarity with JSC wanted to take it up or provide
implementation pointers, that'd be brilliant.

-mike