<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0"
href="https://bugs.webkit.org/show_bug.cgi?id=155432#c11">Comment # 11</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0"
href="https://bugs.webkit.org/show_bug.cgi?id=155432">bug 155432</a>
from <span class="vcard"><a class="email" href="mailto:dbates@webkit.org" title="Daniel Bates <dbates@webkit.org>"> <span class="fn">Daniel Bates</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=155432#c9">comment #9</a>)
>
<span class="quote">> > Unless we know that there are popular web sites that make use of resource
> > URLs and define a CSP that depends on * allowing such URLs then we should
> > revert <<a href="http://trac.webkit.org/changeset/198201">http://trac.webkit.org/changeset/198201</a>> and take a similar approach
> > as in the fix for <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Web Inspector: Images being blocked by CSP 2.0"
href="show_bug.cgi?id=155182">bug 155182</a> to add resource: to the image-src and media-src
> > directives in the CSP policy for the Web Inspector.
>
> No there isn't any website using resource URLs, because GResources are
> something internal to the application in the client side. We use GResources
> inside WebKit itself to compile all the resources (inspector files, but also
> webcire icons) in the shared library. That way we don't need to install the
> resources and find them in the file system at runtime, they are always
> available to any application linking to the library. GTK+ applications also
> compile their own GResources in their injected bundle library to make their
> own resources available to the web process. It's typically used for user
> scripts, custom error pages, about: pages, etc. So, GResources shouldn't be
> affected by the CSP at all, because they are never used by websites, but by
> applications as an implementation detail.
> </span >
Then please revert <<a href="http://trac.webkit.org/changeset/198201">http://trac.webkit.org/changeset/198201</a>> and add resource: to the list of schemes allowed by the web inspector.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>