[Webkit-unassigned] [Bug 204558] New: Expose public API for registering URL schemes as secure and as bypassing content security policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 24 08:49:43 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=204558

            Bug ID: 204558
           Summary: Expose public API for registering URL schemes as
                    secure and as bypassing content security policy
           Product: WebKit
           Version: Safari 13
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kc at omnigroup.com

While trying to implement password autofill in OmniWeb, I registered a WKUserScript which catches events on password fields. I first tried implementing a WKScriptMessageHandler to look up password entries and return them to the app, but that approach was blocked by CORS because the message handler could only return results in the context of the main frame (see bug 204557).

So my next approach was to try inserting a <script> tag into the DOM, with its `src` set to a custom URL scheme which would retrieve the appropriate keychain entries for the current site and return results to my password-filling function.

Unfortunately, this approach only works on insecure websites (which aren't great places to be entering passwords anyway). On secure websites, the <script> is blocked from loading content with the message:

> [blocked] The page at [website] was not allowed to run insecure content from omniweb:///get-password.

It would be great to have some public API which I could use to indicate that a custom URL scheme (or specific content provided by that scheme) is secure. It looks like a similar request was marked fixed back in 2010 (in bug 47557) with the introduction of the WKContextRegisterURLSchemeAsSecure() API. It would be great to have some equivalent public API in the WebKit framework.

But I'm not sure that will be enough by itself: even with the scheme marked secure, that content might get blocked by CORS. It would be great to enable custom URL schemes to bypass content security policies altogether. This was implemented (and justified by the spec) in bug 89373 (and later bug 140736) as WKContextRegisterURLSchemeAsBypassingContentSecurityPolicy(). It would be great to have some equivalent public API exposed in the Objective C WebKit framework API.

(As always, thanks for considering this! I don't have strong opinions about how this should be implemented, though I can certainly offer some suggestions if that would be helpful: I could imagine some optional methods on the WKURLSchemeHandler protocol, or some optional additional parameters on -setURLSchemeHandler:forURLScheme:, or some new methods which forward along to the existing SPI.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191124/6d5f78e5/attachment.htm>

More information about the webkit-unassigned mailing list