Bug 246615 - protocol source matches for CSP of extensions
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Extensions
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-10-17 04:46 PDT by Carlos J.
Modified: 2022-11-10 04:24 PST
Description Carlos J. 2022-10-17 04:46:05 PDT
To allow developers to enforce a more strict CSP, allow wildcard matches. Basically, without wildcard matches I have to leave out the directive completely. One use case is limiting the set of images an extension is able to load in its own context. Normally, any image can be loaded within the extension, yet when you set this as CSP: default-src: none; img-src: https:; only images from https can be loaded.


Previously reported as:
https://feedbackassistant.apple.com/feedback/8968973
https://developer.apple.com/forums/thread/669889
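
How a scheme-source such as `https:` in `img-src` narrows image loads, as an added example that is not part of the original report and is not WebKit or Safari code. It is a simplified model of CSP Level 3 scheme matching; the function names, the policy written in standard CSP syntax, and the URLs are constructed for illustration, and host-sources, 'self', nonces and hashes are out of scope.

```javascript
// Simplified CSP check for image loads, handling scheme-sources only.

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP3 "scheme-part matches": http also covers https,
// ws covers wss/http/https, wss covers https.
function schemePartMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (a === 'http') return b === 'https';
  if (a === 'ws') return ['wss', 'http', 'https'].includes(b);
  if (a === 'wss') return b === 'https';
  return false;
}

// Decide whether an image URL may load under the given policy.
function imageAllowed(policy, url) {
  const directives = parsePolicy(policy);
  // img-src falls back to default-src; with neither, images are unrestricted.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const scheme = new URL(url).protocol.slice(0, -1); // "https:" -> "https"
  for (const source of sources) {
    if (source.toLowerCase() === "'none'") continue; // 'none' matches nothing
    const m = /^([a-z][a-z0-9+.-]*):$/i.exec(source); // scheme-source, e.g. "https:"
    if (m && schemePartMatches(m[1], scheme)) return true;
  }
  return false;
}

// Constructed sample policy and URLs.
const strict = "default-src 'none'; img-src https:";
console.log(imageAllowed(strict, 'https://example.com/a.png'));  // https image
console.log(imageAllowed(strict, 'http://example.com/a.png'));   // cleartext image
console.log(imageAllowed(strict, 'data:image/png;base64,AAAA')); // inline data image
```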
Comment 1 Alexey Proskuryakov 2022-10-17 10:35:24 PDT
Thank you for the report. This will continue to be tracked by Apple internal as a Safari issue, not a WebKit one.

rdar://73143960
Comment 2 Timothy Hatcher 2022-10-24 13:25:13 PDT
We are tracking bugs in Bugzilla for Web Extensions now as we move extensions support from Safari to WebKit.