[webkit-reviews] review denied: [Bug 215444] Add API to allow CSP by-passing : [Attachment 409042] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 17 09:47:00 PDT 2020

Sam Weinig <sam at webkit.org> has denied Philippe Normand <pnormand at igalia.com>'s
request for review:
Bug 215444: Add API to allow CSP by-passing

Attachment 409042: Patch


--- Comment #9 from Sam Weinig <sam at webkit.org> ---
Comment on attachment 409042
  --> https://bugs.webkit.org/attachment.cgi?id=409042

View in context: https://bugs.webkit.org/attachment.cgi?id=409042&action=review

> Source/WebCore/ChangeLog:10
> +	   A new CSP disabler singleton is introduced, using a similar pattern
as for CORS disabling.
> +	   The disabler is configured on the WebProcess through IPC.

Please do not use singletons for settings in new code. This is incompatible
with using WebKit as a framework (as you might want different pages to have
different settings). There is an undergoing effort to remove uses of these
singletons from the code base (see
https://bugs.webkit.org/show_bug.cgi?id=216182 and

A model to follow is to add new settings via Settings.yaml, which can be
accessed from the Page/Frame/Document, etc.

> Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h:131
> + at property (nonatomic, setter=_setContentSecurityPolicyByPassEnabled:) BOOL
_contentSecurityPolicyByPassEnabled WK_API_AVAILABLE(macos(WK_MAC_TBA),

Unless someone is actually asking for this SPI, I don't see any reason to add
it to the cocoa API.

More information about the webkit-reviews mailing list