[Webkit-unassigned] [Bug 237281] Sandbox CSP directives allows websites to block execution of browser features implemented in JavaScript
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Mar 22 07:05:26 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=237281
Michael Catanzaro <mcatanzaro at gnome.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mcatanzaro at gnome.org
See Also|https://bugs.webkit.org/sho |
|w_bug.cgi?id=237513 |
--- Comment #3 from Michael Catanzaro <mcatanzaro at gnome.org> ---
I looked at it briefly, but not closely enough to prepare a patch. The error is coming from ScriptController::executeScriptInWorld, which decides scripts are not allowed because ScriptController::canExecuteScripts returns false. Maybe we need a new ReasonForCallingCanExecuteScripts for scripts executed by WebKit API that bypass some of the checks.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220322/731634c6/attachment.htm>
More information about the webkit-unassigned
mailing list