[Webkit-unassigned] [Bug 204558] New: Expose public API for registering URL schemes as secure and as bypassing content security policy
bugzilla-daemon at webkit.org
Sun Nov 24 08:49:43 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204558
Bug ID: 204558
Summary: Expose public API for registering URL schemes as secure and as bypassing content security policy
Product: WebKit
Version: Safari 13
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: kc at omnigroup.com
While trying to implement password autofill in OmniWeb, I registered a WKUserScript which catches events on password fields. I first tried implementing a WKScriptMessageHandler to look up password entries and return them to the app, but that approach was blocked by CORS because the message handler could only return results in the context of the main frame (see bug 204557).
So my next approach was to try inserting a <script> tag into the DOM, with its `src` set to a custom URL scheme which would retrieve the appropriate keychain entries for the current site and return results to my password-filling function.
Unfortunately, this approach only works on insecure websites (which aren't great places to be entering passwords anyway). On secure websites, the <script> is blocked from loading content with the message:
> [blocked] The page at [website] was not allowed to run insecure content from omniweb:///get-password.
It would be great to have some public API which I could use to indicate that a custom URL scheme (or specific content provided by that scheme) is secure. It looks like a similar request was marked fixed back in 2010 (in bug 47557) with the introduction of the WKContextRegisterURLSchemeAsSecure() API. It would be great to have some equivalent public API in the WebKit framework.
But I'm not sure that will be enough by itself: even with the scheme marked secure, that content might get blocked by CORS. It would be great to enable custom URL schemes to bypass content security policies altogether. This was implemented (and justified by the spec) in bug 89373 (and later bug 140736) as WKContextRegisterURLSchemeAsBypassingContentSecurityPolicy(). It would be great to have some equivalent public API exposed in the Objective-C WebKit framework API.
(As always, thanks for considering this! I don't have strong opinions about how this should be implemented, though I can certainly offer some suggestions if that would be helpful: I could imagine some optional methods on the WKURLSchemeHandler protocol, or some optional additional parameters on -setURLSchemeHandler:forURLScheme:, or some new methods which forward along to the existing SPI.)
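The setup the report describes, written out as an added example (editor's code, not OmniWeb's or WebKit's): a WKURLSchemeHandler registered through the public -setURLSchemeHandler:forURLScheme: API, and a WKUserScript that appends a <script> whose src points at that scheme. The scheme name "example-app", the "/get-credentials" path, the ExampleSchemeHandler class and the script body are assumptions for illustration. On an https document the injected script is the request WebKit refuses as insecure content in the quoted console message; there is no public switch in this configuration that changes that, which is the gap the report asks to close.

```objectivec
// Added example, not code from the bug report or from WebKit itself.
// Assumed names: scheme "example-app", path "/get-credentials",
// class ExampleSchemeHandler, JS callback window.__exampleFill.
#import <WebKit/WebKit.h>

@interface ExampleSchemeHandler : NSObject <WKURLSchemeHandler>
@end

@implementation ExampleSchemeHandler

// Invoked once for every request whose scheme was registered on the
// WKWebViewConfiguration via -setURLSchemeHandler:forURLScheme:.
- (void)webView:(WKWebView *)webView startURLSchemeTask:(id<WKURLSchemeTask>)task {
    NSURL *url = task.request.URL;
    if (![url.path isEqualToString:@"/get-credentials"]) {
        // Unknown path: fail the task rather than serve anything.
        [task didFailWithError:[NSError errorWithDomain:NSURLErrorDomain
                                                   code:NSURLErrorFileDoesNotExist
                                               userInfo:nil]];
        return;
    }
    // Constructed script body. A real handler would decide what to return
    // from the app's own store, keyed on the requesting origin, and never
    // from anything the page itself controls.
    NSData *body = [@"window.__exampleFill && window.__exampleFill({user: 'demo'});"
                    dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *headers = @{
        @"Content-Type":   @"text/javascript",
        @"Content-Length": [NSString stringWithFormat:@"%lu", (unsigned long)body.length]
    };
    NSHTTPURLResponse *response = [[NSHTTPURLResponse alloc] initWithURL:url
                                                              statusCode:200
                                                             HTTPVersion:@"HTTP/1.1"
                                                            headerFields:headers];
    [task didReceiveResponse:response];
    [task didReceiveData:body];
    [task didFinish];
}

- (void)webView:(WKWebView *)webView stopURLSchemeTask:(id<WKURLSchemeTask>)task {
    // The response above is delivered synchronously, so nothing is in flight to cancel.
}

@end

// Builds a web view with the custom scheme handler and the injecting user script.
static WKWebView *MakeWebView(void) {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];

    // Only schemes WebKit does not handle natively may be registered;
    // registering http, https, file, etc. raises an exception.
    if (![WKWebView handlesURLScheme:@"example-app"]) {
        [config setURLSchemeHandler:[[ExampleSchemeHandler alloc] init]
                       forURLScheme:@"example-app"];
    }

    // Injected into every frame after the document loads: defines the fill
    // callback, then appends <script src="example-app:///get-credentials">.
    // On an https page WebKit blocks this load as insecure content.
    NSString *source =
        @"window.__exampleFill = function (c) { /* locate password fields and fill them */ };"
        @"var s = document.createElement('script');"
        @"s.src = 'example-app:///get-credentials';"
        @"document.documentElement.appendChild(s);";
    WKUserScript *script = [[WKUserScript alloc] initWithSource:source
                                                  injectionTime:WKUserScriptInjectionTimeAtDocumentEnd
                                               forMainFrameOnly:NO];
    [config.userContentController addUserScript:script];

    return [[WKWebView alloc] initWithFrame:CGRectZero configuration:config];
}
```

The handler only ever answers one fixed path and fails everything else, so even if the scheme were later treated as secure the surface exposed to page content stays a single, app-controlled response rather than an open bridge into the keychain.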