237281 2022-02-28 10:55:49 -0800 Sandbox CSP directives allows websites to block execution of browser features implemented in JavaScript 2023-01-08 15:19:49 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build PC Linux NEW https://bugs.webkit.org/show_bug.cgi?id=192753 https://bugs.webkit.org/show_bug.cgi?id=178040 InRadar P2 Normal --- 1 mcatanzaro webkit-unassigned anhvy2013 bfulgham bugs-noreply mcatanzaro pgriffis simonepas webkit-bug-importer wilander oldest_to_newest 1846703 0 mcatanzaro 2022-02-28 10:55:49 -0800 It seems web content is able to prevent the application from executing JavaScript using APIs like webkit_web_view_run_javascript() by using the "sandbox" CSP directive, see https://gitlab.gnome.org/GNOME/epiphany/-/issues/1698. Needless to say, this CSP directive should only block *web content* from executing JS. It shouldn't block the browser itself from executing its own JS. Currently the web content is able to disable browser features, e.g. Epiphany's security warning when focusing an insecure password form, Epiphany's warning before closing a web page with an unsubmitted form, Epiphany's entire password manager, and even things like the code to compute a web app's name and title when creating a new web app. JS is used for a lot of stuff and it has to work. See also: bug #192753. 1848829 1 webkit-bug-importer 2022-03-07 10:56:16 -0800 <rdar://problem/89917757> 1853490 2 wilander 2022-03-21 20:18:10 -0700 Thanks for filing! I don't know if you are writing patches for WebKit these days, Michael. If so, is this something you intend/want to work on? 1853640 3 mcatanzaro 2022-03-22 07:05:26 -0700 I looked at it briefly, but not closely enough to prepare a patch. The error is coming from ScriptController::executeScriptInWorld, which decides scripts are not allowed because ScriptController::canExecuteScripts returns false. Maybe we need a new ReasonForCallingCanExecuteScripts for scripts executed by WebKit API that bypass some of the checks. 1880374 4 mcatanzaro 2022-07-02 09:11:04 -0700 Somebody is complaining on Matrix that this also breaks WebKit's HTMLMediaElement controls. So it's not just browser-level features, but also WebKit features that are affected. 1880375 5 mcatanzaro 2022-07-02 09:12:57 -0700 (In reply to Michael Catanzaro from comment #4) > Somebody is complaining on Matrix that this also breaks WebKit's > HTMLMediaElement controls. So it's not just browser-level features, but also > WebKit features that are affected. And it means the strategy suggested in my comment #3 would be insufficient to fully fix this. We'd need to identify other places within WebKit that use internal JavaScript and fix those too. I'm not sure what else there would be besides media controls, but I bet there's more I don't know about....