[Webkit-unassigned] [Bug 246615] New: protocol source matches for CSP of extensions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 17 04:46:05 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=246615

            Bug ID: 246615
           Summary: protocol source matches for CSP of extensions
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Extensions
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: carlosj-webkit-bugzilla at jeurissen.co
                CC: timothy at apple.com

To allow developers to enforce a more strict CSP, allow wildcard matches. Basically, without wildcard matches I have to leave out the directive completely. One use case is limiting the set of images an extension is able to load in its own context. Normally, any image can be loaded within the extension, yet when you set this as CSP: default-src: none; img-src: https:; only images from https can be loaded.


Previously reported as:
https://feedbackassistant.apple.com/feedback/8968973
https://developer.apple.com/forums/thread/669889
