[Webkit-unassigned] [Bug 155432] REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 17 07:39:51 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=155432

--- Comment #12 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to comment #11)
> (In reply to comment #9)
> >
> > > Unless we know that there are popular web sites that make use of resource
> > > URLs and define a CSP that depends on * allowing such URLs then we should
> > > revert <http://trac.webkit.org/changeset/198201> and take a similar approach
> > > as in the fix for bug 155182 to add resource: to the image-src and media-src
> > > directives in the CSP policy for the Web Inspector.
> > 
> > No, there isn't any website using resource URLs, because GResources are
> > something internal to the application in the client side. We use GResources
> > inside WebKit itself to compile all the resources (inspector files, but also
> > webcore icons) in the shared library. That way we don't need to install the
> > resources and find them in the file system at runtime, they are always
> > available to any application linking to the library. GTK+ applications also
> > compile their own GResources in their injected bundle library to make their
> > own resources available to the web process. It's typically used for user
> > scripts, custom error pages, about: pages, etc. So, GResources shouldn't be
> > affected by the CSP at all, because they are never used by websites, but by
> > applications as an implementation detail.
> > 
> 
> Then please revert <http://trac.webkit.org/changeset/198201> and add
> resource: to the list of schemes allowed by the web inspector.

My concern is whether that could affect an application using, for example, a user style sheet with url(resource://).

-- 
You are receiving this mail because:
You are the assignee for the bug.