[Webkit-unassigned] [Bug 104305] Scripts injected from an isolated world should bypass a page's CSP

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 23 11:23:05 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=104305

Daniel Bates <dbates at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |WONTFIX

--- Comment #5 from Daniel Bates <dbates at webkit.org> ---
(In reply to comment #4)
> This issue was resolved with the patch for bug #144830.

Disregard this remark. Following the patch for bug #144830, subresource loads/JavaScript execution initiated from markup always honor the Content Security Policy of the page regardless of whether such markup was programmatically inserted into the document from an isolated world. That is, markup injected by an extension is not exempt from the Content Security Policy of the page (programmatic resource fetching, say via XHR, is exempt from CSP when initiated in an isolated world). As of the time of writing, we have not heard of any compatibility issues in Safari extensions from this change.

For completeness, the patch for bug #144830 did exempt user agent shadow DOM markup from CSP because such markup is used to implement browser features and is considered an implementation detail.
