<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0"
href="https://bugs.webkit.org/show_bug.cgi?id=155432#c12">Comment # 12</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0"
href="https://bugs.webkit.org/show_bug.cgi?id=155432">bug 155432</a>
from <span class="vcard"><a class="email" href="mailto:cgarcia@igalia.com" title="Carlos Garcia Campos <cgarcia@igalia.com>"> <span class="fn">Carlos Garcia Campos</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=155432#c11">comment #11</a>)
<span class="quote">> (In reply to <a href="show_bug.cgi?id=155432#c9">comment #9</a>)
> >
> > > Unless we know that there are popular web sites that make use of resource
> > > URLs and define a CSP that depends on * allowing such URLs then we should
> > > revert <<a href="http://trac.webkit.org/changeset/198201">http://trac.webkit.org/changeset/198201</a>> and take a similar approach
> > > as in the fix for <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Web Inspector: Images being blocked by CSP 2.0"
href="show_bug.cgi?id=155182">bug 155182</a> to add resource: to the image-src and media-src
> > > directives in the CSP policy for the Web Inspector.
> >
> > No, there isn't any website using resource URLs, because GResources are
> > something internal to the application in the client side. We use GResources
> > inside WebKit itself to compile all the resources (inspector files, but also
> > webcore icons) in the shared library. That way we don't need to install the
> > resources and find them in the file system at runtime, they are always
> > available to any application linking to the library. GTK+ applications also
> > compile their own GResources in their injected bundle library to make their
> > own resources available to the web process. It's typically used for user
> > scripts, custom error pages, about: pages, etc. So, GResources shouldn't be
> > affected by the CSP at all, because they are never used by websites, but by
> > applications as an implementation detail.
> >
>
> Then please revert <<a href="http://trac.webkit.org/changeset/198201">http://trac.webkit.org/changeset/198201</a>> and add
> resource: to the list of schemes allowed by the web inspector.</span >
My concern is whether that could affect an application using, for example, a user style sheet with url(resource://).</pre>
</div>
</p>
</body>
</html>