Register URL pattern as bypassing CSP?

[alexstrat]

Since v0.30.3 we can register URL schemes (http, file, chrome-extension.. ) as bypassing CSP via webFrame.registerURLSchemeAsBypassingCSP.

Is there a way to register URL patterns (like https://mydomain.com/trusted-scripts/*) as bypassing CSPs?
If no, would it make sense to add such an API (webFrame.registerURLPatternAsBypassingCSP I guess)?
Any idea where I should start the implementation from on Chromium side?

[alexstrat]

Use blink::WebSecurityPolicy::addOriginAccessWhitelistEntry ?
Took inspiration from this

[felixrieseberg]

You could already enable this behavior by combining a custom protocol with a custom protocol handler. That said, I could see this API working out. If you'd be willing to make a PR, you might find this in core.

[alexstrat]

@felixrieseberg by "combining a custom protocol with a custom protocol handler" you meant this:

• load URLs mydomain://trusted-scripts/a.js instead of https://mydomain.com/trusted-scripts/a.js
• handle custom protocol mydomain: in handler fetch external scripts (https://mydomain.com/trusted-scripts/a.js) and serve as it
• registerURLSchemeAsBypassingCSP('mydomain')

That's it?

Actually, I'm not controlling the URLs loaded, it's external content loaded via webview, so can't use this workaround.