[Webkit-unassigned] [Bug 104520] CSP: Apply isolated world's own CSP to connections/requests/executions it generates.

bugzilla-daemon at webkit.org
Mon Nov 7 15:56:40 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=104520

Brent Fulgham <bfulgham at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #3 from Brent Fulgham <bfulgham at webkit.org> ---
This is a fairly large architecture change that would allow WebKit Extensions to create potentially more restrictive behavior than they are given by default. However, the WebKit Extension design as it stands in 2016 is already very restrictive, and respects the page’s CSP, so it’s not clear how much additional protection would be provided by this large change.

At the time Mike filed the original Bugzilla bug that I imported into this Radar, we allowed extensions to do anything — even violate the CSP rules on the web pages being processed by the sandbox. Since then, we have changed to a pessimistic approach of the extension, and require the extension to follow the CSP of the source page.

One could argue that an altruistic extension writer might wish to provide additional sandboxing that applied only to their extension. WebKit would not support this. But it seems very unlikely this would be used in practice, and our experience with extension writers supports this impression.

Consequently, this change seems to have little merit and I am closing as not to be fixed.
