[Webkit-unassigned] [Bug 237281] New: Sandbox CSP directive allows websites to block execution of browser features implemented in JavaScript
bugzilla-daemon at webkit.org
Mon Feb 28 10:55:49 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=237281
Bug ID: 237281
Summary: Sandbox CSP directive allows websites to block execution of browser features implemented in JavaScript
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org, pgriffis at igalia.com
It seems web content is able to prevent the application from executing JavaScript using APIs like webkit_web_view_run_javascript() by using the "sandbox" CSP directive; see https://gitlab.gnome.org/GNOME/epiphany/-/issues/1698.
Needless to say, this CSP directive should only block *web content* from executing JS. It shouldn't block the browser itself from executing its own JS. Currently the web content is able to disable browser features, e.g. Epiphany's security warning when focusing an insecure password form, Epiphany's warning before closing a web page with an unsubmitted form, Epiphany's entire password manager, and even things like the code to compute a web app's name and title when creating a new web app. JS is used for a lot of stuff and it has to work.
See also: bug #192753.