lapcat / SafariExtensions

Resources for the development of Safari extensions

FB11899088 - Cross-Origin-Embedder-Policy require-corp blocks Safari app extension resources

lapcat opened this issue · comments

Safari 16.2 (17614.3.7.1.7, 17614)

If a website loads with the headers Cross-Origin-Resource-Policy: cross-origin and Cross-Origin-Embedder-Policy: require-corp, then Safari app extension resources are blocked when loaded from <script> or elements. This happens even with SFSafariWebsiteAccess Level All. This issue does not occur with Safari web extensions, and it does not occur with Cross-Origin-Embedder-Policy: unsafe-none.

Steps to reproduce:

  1. Unzip the attached sample Xcode project COEPBug
  2. Build and run the sample Xcode project
  3. In Safari, enable AppExtension and WebExtension
  4. In Terminal, cd COEPBug/
  5. In Terminal, python3 coep.py
  6. In Safari, load http://localhost:8000/

Expected results: The first line has a red background, and the web inspector console shows the following.

[Log] app content.js href: safari-extension://1AF95B8E-AC57-4095-9C12-0DD49A80EEA0/style.css (content.js, line 10) 
[Log] app content.js src: safari-extension://1AF95B8E-AC57-4095-9C12-0DD49A80EEA0/script.js (content.js, line 16) 
[Log] app script.js (script.js, line 1) 
[Log] web content.js href: safari-web-extension://140BB581-A2C0-422A-9DD3-6982A5ABEE5E/style.css (content.js, line 10)
[Log] web content.js src: safari-web-extension://140BB581-A2C0-422A-9DD3-6982A5ABEE5E/script.js (content.js, line 16)
[Log] web script.js (script.js, line 1)

Actual results: The first line does not have a red background, and the web inspector console shows the following.

[Log] app content.js href: safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/style.css (content.js, line 10)
[Log] app content.js src: safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/script.js (content.js, line 16)
[Error] Cancelled load to safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/style.css because it violates the resource's Cross-Origin-Resource-Policy response header.
[Error] Failed to load resource: Cancelled load to safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/style.css because it violates the resource's Cross-Origin-Resource-Policy response header. (style.css, line 0)
[Error] Cancelled load to safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/script.js because it violates the resource's Cross-Origin-Resource-Policy response header.
[Error] Failed to load resource: Cancelled load to safari-extension://4D76AB3D-A125-4DD7-840F-DDF91AEA3F11/script.js because it violates the resource's Cross-Origin-Resource-Policy response header. (script.js, line 0)
[Error] Cross-origin script load denied by Cross-Origin Resource Sharing policy.
[Log] web content.js href: safari-web-extension://CBF4B4D2-C1E6-408B-BD36-34B306874E71/style.css (content.js, line 10)
[Log] web content.js src: safari-web-extension://CBF4B4D2-C1E6-408B-BD36-34B306874E71/script.js (content.js, line 16)
[Log] web script.js (script.js, line 1)

This bug also occurs in Safari Technology Preview 160 (Safari 16.4, WebKit 17615.1.14.3).

COEPBug.zip
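The following is an added example and is not lapcat's coep.py from COEPBug.zip (whose contents are not shown on this page). It is a small Python server that serves a test page with the two response headers named in the report, with a --coep switch so the unsafe-none control case can be checked against require-corp, plus a minimal model of the COEP/CORP decision that the "Cancelled load ... violates the resource's Cross-Origin-Resource-Policy response header" errors correspond to. The extension bundle (content.js, style.css, script.js) is assumed to be the one from the zip and is not reproduced here; the origins in the model's docstring are illustrative.

```python
"""Minimal COEP/CORP reproduction server (added example, not the project's coep.py).

Run:  python3 coep_server.py --coep require-corp   # reproduces the report
      python3 coep_server.py --coep unsafe-none    # control case from the report
Then load http://localhost:8000/ in Safari with the extensions enabled and watch
the Web Inspector console for the extension's injected style.css / script.js.
"""
import argparse
import http.server
import socketserver

COEP_MODES = ("require-corp", "unsafe-none")


def response_headers(coep="require-corp"):
    """Headers the page is served with: CORP cross-origin plus the chosen COEP."""
    if coep not in COEP_MODES:
        raise ValueError(f"unsupported Cross-Origin-Embedder-Policy value: {coep}")
    return [
        ("Cross-Origin-Resource-Policy", "cross-origin"),
        ("Cross-Origin-Embedder-Policy", coep),
        ("Content-Type", "text/html; charset=utf-8"),
        ("Cache-Control", "no-store"),
    ]


def render_index(coep):
    """Test page. The page itself loads nothing; the extension's content script is
    expected to inject its own stylesheet (red first line) and script."""
    return (
        "<!doctype html>\n<html><head><meta charset=\"utf-8\">"
        f"<title>COEP {coep}</title></head>\n<body>\n"
        "<p id=\"first\">First line: a red background means the extension stylesheet loaded.</p>\n"
        f"<p>Served with Cross-Origin-Embedder-Policy: {coep}</p>\n"
        "</body></html>\n"
    )


def coep_blocks_subresource(page_coep, page_origin, res_origin, res_corp=None, cors=False):
    """Model of the embedder-side check a page under COEP applies to a no-cors
    subresource (e.g. page http://localhost:8000 embedding
    safari-extension://<uuid>/style.css). Returns True when the load must be
    cancelled. CORP same-site handling is deliberately omitted here."""
    if page_coep != "require-corp":
        return False            # unsafe-none: nothing to enforce
    if page_origin == res_origin:
        return False            # same-origin responses are always allowed
    if cors:
        return False            # a CORS-enabled fetch satisfies require-corp
    if res_corp == "cross-origin":
        return False            # resource explicitly opted in
    return True                 # no (usable) CORP on a cross-origin response


def make_handler(coep):
    body = render_index(coep).encode("utf-8")
    headers = response_headers(coep)

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path not in ("/", "/index.html"):
                self.send_error(404)
                return
            self.send_response(200)
            for name, value in headers:
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):
            print(f"{self.address_string()} {fmt % args}")

    return Handler


def main():
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("--coep", choices=COEP_MODES, default="require-corp")
    ap.add_argument("--port", type=int, default=8000)
    args = ap.parse_args()
    with socketserver.ThreadingTCPServer(("localhost", args.port), make_handler(args.coep)) as srv:
        print(f"Serving http://localhost:{args.port}/ with COEP {args.coep}")
        srv.serve_forever()


if __name__ == "__main__":
    main()
```

In the model, an extension resource that arrives without a Cross-Origin-Resource-Policy header is dropped by a require-corp page and kept by an unsafe-none page, which is the pattern in the console output above; the report's point is that Safari applies this to safari-extension:// resources of app extensions but not to safari-web-extension:// resources of web extensions.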