Bug 246615

Summary: protocol source matches for CSP of extensions
Product: WebKit Reporter: Carlos J. <carlosj-webkit-bugzilla>
Component: WebKit ExtensionsAssignee: Nobody <webkit-unassigned>
Status: REOPENED ---    
Severity: Normal CC: ap, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Carlos J. 2022-10-17 04:46:05 PDT 
To allow developers to enforce are more strict CSP, allow wildmark matches. Basically without wildmark matches I have to leave out the directive completely. One use case is limiting the set of images an extension is able to load in their own context. Normally, any image can be loaded within the extension, yet when you set this as CSP: default-src: none; img-src: https:; Only images from https can be loaded. 


Previously reported as:
https://feedbackassistant.apple.com/feedback/8968973
https://developer.apple.com/forums/thread/669889
Comment 1 Alexey Proskuryakov 2022-10-17 10:35:24 PDT 
Thank you for the report. This will continue to be tracked by Apple internal as a Safari issue, not a WebKit one.

rdar://73143960
Comment 2 Timothy Hatcher 2022-10-24 13:25:13 PDT 
We are tracking bugs in Bugzilla for Web Extensions now as we move extensions support from Safari to WebKit.