[webkit-reviews] review denied: [Bug 215444] Add API to allow CSP by-passing : [Attachment 409042] Patch
bugzilla-daemon at webkit.org
Thu Sep 17 09:47:00 PDT 2020
Sam Weinig <sam at webkit.org> has denied Philippe Normand <pnormand at igalia.com>'s
request for review:
Bug 215444: Add API to allow CSP by-passing
https://bugs.webkit.org/show_bug.cgi?id=215444
Attachment 409042: Patch
https://bugs.webkit.org/attachment.cgi?id=409042&action=review
--- Comment #9 from Sam Weinig <sam at webkit.org> ---
Comment on attachment 409042
--> https://bugs.webkit.org/attachment.cgi?id=409042
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=409042&action=review
> Source/WebCore/ChangeLog:10
> + A new CSP disabler singleton is introduced, using a similar pattern
as for CORS disabling.
> + The disabler is configured on the WebProcess through IPC.
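Review bot: the ChangeLog entry at line 10 does not state how far the bypass reaches. A singleton configured on the WebProcess through IPC would, as described, apply to every document hosted by that process, not only to the view that requested it. State the intended scope in the ChangeLog, and consider carrying the flag per page so that unrelated content in the same process keeps its policy enforced.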
Please do not use singletons for settings in new code. This is incompatible
with using WebKit as a framework (as you might want different pages to have
different settings). There is an ongoing effort to remove uses of these
singletons from the code base (see
https://bugs.webkit.org/show_bug.cgi?id=216182 and
https://bugs.webkit.org/show_bug.cgi?id=215962).
A model to follow is to add new settings via Settings.yaml, which can be
accessed from the Page/Frame/Document, etc.
> Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h:131
> + at property (nonatomic, setter=_setContentSecurityPolicyByPassEnabled:) BOOL
_contentSecurityPolicyByPassEnabled WK_API_AVAILABLE(macos(WK_MAC_TBA),
ios(WK_IOS_TBA));
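Review bot: the property name at line 131 spells "ByPass" as two words; "bypass" is a single word, so `_contentSecurityPolicyBypassEnabled` with setter `_setContentSecurityPolicyBypassEnabled:` would be the consistent spelling. The declaration also has no comment saying what is skipped when the flag is YES, which is worth documenting for a switch that turns a security policy off.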
Unless someone is actually asking for this SPI, I don't see any reason to add
it to the Cocoa API.