Bug 104305

Summary: Scripts injected from an isolated world should bypass a page's CSP
Product: WebKit Reporter: Mike West <mkwst>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: abarth, bfulgham, dbates, felipe
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 97398    
Bug Blocks:    

Mike West
Reported 2012-12-06 14:27:45 PST
Following on from https://bugs.webkit.org/show_bug.cgi?id=97398, it would be nice if inline script blocks injected from an isolated world into the page would run as expected. Not sure it's easily possible. :( LastPass, for instance, is a Chrome extension which injects inline scripts to do its thing. Ideally, it wouldn't do that, but it does.
Attachments
Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2012-12-06 17:24:03 PST
I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS.
Mike West
Comment 2 2012-12-06 22:54:50 PST
(In reply to comment #1) > I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS. What about out-of-line scripts hosted on origins that the extension's CSP allows? I think we're currently blocking those as well.
Mike West
Comment 3 2013-02-07 11:00:53 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Daniel Bates
Comment 4 2016-03-23 11:09:28 PDT
This issue was resolved with the patch for bug #144830.
Daniel Bates
Comment 5 2016-03-23 11:23:05 PDT
(In reply to comment #4) > This issue was resolved with the patch for bug #144830. Disregard this remark. Following the patch for bug #144830 subresource loads/JavaScript execution initiated from markup always honor the Content Security Policy of the page regardless of whether such markup was programmatically inserted into the document from an isolated world. That is, markup injected by an extension is not exempt from the Content Security Policy of the page (programmatic resource fetching, say via XHR, is exempt from CSP when initiated in an isolated world). As of the time of writing, we have not heard of any compatibility issues in Safari extension from this change. For completeness, the patch for bug #144830 did exempt user agent shadow DOM markup from CSP because such markup is used to implement browser features and is considered an implementation detail.
Daniel Bates
Comment 6 2016-03-23 11:31:45 PDT
I marked this issue RESOLVED WONTFIX because I do not feel we should fix this bug as it encourages a bad idiom. I agree with Adam Barth's remarked in comment #1, we want extension authors to use scripts included in their extension bundle as opposed to programmatically injecting inline script that could make the page susceptible to an XSS vulnerability.
Note You need to log in before you can comment on or make changes to this bug.