[Webkit-unassigned] [Bug 237281] New: Sandbox CSP directive allows websites to block execution of browser features implemented in JavaScript

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 28 10:55:49 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=237281

            Bug ID: 237281
           Summary: Sandbox CSP directive allows websites to block
                    execution of browser features implemented in
                    JavaScript
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org, pgriffis at igalia.com

It seems web content is able to prevent the application from executing JavaScript using APIs like webkit_web_view_run_javascript() by using the "sandbox" CSP directive, see https://gitlab.gnome.org/GNOME/epiphany/-/issues/1698.

Needless to say, this CSP directive should only block *web content* from executing JS. It shouldn't block the browser itself from executing its own JS. Currently the web content is able to disable browser features, e.g. Epiphany's security warning when focusing an insecure password form, Epiphany's warning before closing a web page with an unsubmitted form, Epiphany's entire password manager, and even things like the code to compute a web app's name and title when creating a new web app. JS is used for a lot of stuff and it has to work.

See also: bug #192753.
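As an added illustration (not code from WebKit, WebKitGTK or Epiphany), the parser below shows how an embedding application could inspect a response's Content-Security-Policy headers and tell ahead of time whether the page's `sandbox` directive would leave scripts disabled, which is the condition the report above describes. It follows the CSP3 parsing rules for the header (comma-separated policy list, semicolon-separated directives, first occurrence of a directive wins) and the rule that `sandbox` has no effect when delivered via Content-Security-Policy-Report-Only. The header values are constructed sample data; the function and class names are this example's own.

```python
"""Detect whether a page's CSP `sandbox` directive leaves scripts disabled.

Added example, not WebKit or Epiphany code. All header strings are
constructed samples; function and class names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxVerdict:
    sandboxed: bool        # a `sandbox` directive is in effect
    allow_scripts: bool    # scripts may still run (no sandbox, or allow-scripts flag)
    flags: tuple           # the sandbox flags as delivered, lower-cased


def parse_policy(serialized: str) -> dict:
    """Parse one serialized CSP policy into {directive_name: [values]}.

    Directives are separated by ';'; within a directive the first token is the
    (case-insensitive) name and the remainder are space-separated values.
    CSP ignores every occurrence of a directive after the first, so duplicates
    are dropped here as well.
    """
    policy = {}
    for directive in serialized.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def parse_policy_list(header_value: str) -> list:
    """A single header value may carry several policies separated by commas."""
    return [parse_policy(p) for p in header_value.split(",") if p.strip()]


def sandbox_verdict(header_value: str, report_only: bool = False) -> SandboxVerdict:
    """Verdict for one Content-Security-Policy[-Report-Only] header value.

    The sandbox directive is ignored in report-only mode, so such a header can
    never disable scripts. Across several policies in one header, the most
    restrictive outcome wins: any policy that sandboxes without allow-scripts
    blocks script execution for the document.
    """
    if report_only:
        return SandboxVerdict(False, True, ())
    sandboxed, allow_scripts, all_flags = False, True, []
    for policy in parse_policy_list(header_value):
        if "sandbox" not in policy:
            continue
        flags = [f.lower() for f in policy["sandbox"]]
        sandboxed = True
        all_flags.extend(flags)
        if "allow-scripts" not in flags:
            allow_scripts = False
    return SandboxVerdict(sandboxed, allow_scripts, tuple(all_flags))


def scripts_blocked(headers: list) -> bool:
    """True if, given (name, value) response header pairs, the document's
    scripts would be disabled by a sandbox directive.

    Embedder-injected JavaScript (e.g. WebKitGTK's webkit_web_view_run_javascript())
    runs in that same document, which is why an embedder would want this check.
    """
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            if not sandbox_verdict(value).allow_scripts:
                return True
        elif lname == "content-security-policy-report-only":
            sandbox_verdict(value, report_only=True)  # never blocks; shown for symmetry
    return False


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "plain sandbox": [("Content-Security-Policy", "sandbox")],
    "sandbox with scripts": [("Content-Security-Policy", "default-src 'self'; sandbox allow-scripts allow-forms")],
    "two policies, one strict": [("Content-Security-Policy", "default-src 'self', sandbox allow-forms")],
    "report-only sandbox": [("Content-Security-Policy-Report-Only", "sandbox")],
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:26s} scripts blocked: {scripts_blocked(headers)}")
```

Note that the `sandbox` directive is only honoured when delivered in an HTTP header, not via a `<meta http-equiv>` element, so a check like this belongs at the point where the embedder sees response headers. It is a detection aid only: the actual fix the report asks for is inside the engine, where injected scripts should not be subject to the page's own policy.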
