Changeset 126947 in webkit
- Timestamp:
- Aug 28, 2012 6:16:22 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 6 added
- 9 edited
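--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,23 @@
+2012-08-28 Tom Sepez <tsepez@chromium.org>
+
+        CSP doesn't turn off eval, etc. in Web Workers
+        https://bugs.webkit.org/show_bug.cgi?id=93392
+
+        Reviewed by Adam Barth.
+
+        On the JSC side, the blocking of eval() in workers was handled correctly, so it is
+        a matter of adding calls check the policy for setTimeout and SetInterval. On the v8
+        side, it is a matter of handling the above, plus eval().
+
+        * http/tests/security/contentSecurityPolicy/resources/worker-eval.js: Added.
+        * http/tests/security/contentSecurityPolicy/resources/worker-function-function.js: Added.
+        (fn):
+        * http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js:
+        * http/tests/security/contentSecurityPolicy/worker-eval-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/worker-eval-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/worker-function-function-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt:
+
 2012-08-28 Aaron Colwell <acolwell@chromium.org>
 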
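--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js
@@ -1,6 +1,6 @@
 var id = 0;
 try {
-    id = 17; // Test not yet fully enabled. Simply pretend that a call to setTimeout() here worked.
+    id = setTimeout("postMessage('handler invoked')", 100);
 } catch(e) {
 }
-postMessage(id === 0 ? "setTimeout blocked" : "setTim out allowed");
+postMessage(id === 0 ? "setTimeout blocked" : "setTimeout allowed");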
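--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked-expected.txt
@@ -1,2 +1,4 @@
-ALERT: setTimout allowed
+CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
 
+ALERT: setTimeout blocked
+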
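--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,35 @@
+2012-08-28 Tom Sepez <tsepez@chromium.org>
+
+        CSP doesn't turn off eval, etc. in Web Workers
+        https://bugs.webkit.org/show_bug.cgi?id=93392
+
+        Reviewed by Adam Barth.
+
+        On the JSC side, the blocking of eval() in workers was handled correctly, so it is
+        a matter of adding calls check the policy for setTimeout and SetInterval. On the v8
+        side, it is a matter of handling the above, plus eval().
+
+        On the v8 side, the v8 context isn't available when the callers want to disable eval.
+        Rather than creating it earlier, which is problematic, remember the setting in the
+        WorkerContextExecutionProxy and apply before the next call to its evaluate() method.
+
+        Tests: http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
+               http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html
+
+        * bindings/js/JSWorkerContextCustom.cpp:
+        (WebCore::JSWorkerContext::setTimeout):
+        (WebCore::JSWorkerContext::setInterval):
+        * bindings/v8/WorkerContextExecutionProxy.cpp:
+        (WebCore::WorkerContextExecutionProxy::WorkerContextExecutionProxy):
+        (WebCore::WorkerContextExecutionProxy::evaluate):
+        (WebCore::WorkerContextExecutionProxy::setEvalAllowed):
+        (WebCore):
+        * bindings/v8/WorkerContextExecutionProxy.h:
+        (WorkerContextExecutionProxy):
+        * bindings/v8/WorkerScriptController.cpp:
+        (WebCore::WorkerScriptController::disableEval):
+        * bindings/v8/custom/V8WorkerContextCustom.cpp:
+        (WebCore::SetTimeoutOrInterval):
+
 2012-08-28 Aaron Colwell <acolwell@chromium.org>
 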
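--- a/trunk/Source/WebCore/bindings/js/JSWorkerContextCustom.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSWorkerContextCustom.cpp
@@ -123,8 +123,9 @@
 JSValue JSWorkerContext::setTimeout(ExecState* exec)
 {
-    // FIXME: Should we enforce a Content-Security-Policy on workers?
-    OwnPtr<ScheduledAction> action = ScheduledAction::create(exec, currentWorld(exec), 0);
+    OwnPtr<ScheduledAction> action = ScheduledAction::create(exec, currentWorld(exec), impl()->contentSecurityPolicy());
     if (exec->hadException())
         return jsUndefined();
+    if (!action)
+        return jsNumber(0);
     int delay = exec->argument(1).toInt32(exec);
     return jsNumber(impl()->setTimeout(action.release(), delay));
@@ -133,8 +134,9 @@
 JSValue JSWorkerContext::setInterval(ExecState* exec)
 {
-    // FIXME: Should we enforce a Content-Security-Policy on workers?
-    OwnPtr<ScheduledAction> action = ScheduledAction::create(exec, currentWorld(exec), 0);
+    OwnPtr<ScheduledAction> action = ScheduledAction::create(exec, currentWorld(exec), impl()->contentSecurityPolicy());
     if (exec->hadException())
         return jsUndefined();
+    if (!action)
+        return jsNumber(0);
     int delay = exec->argument(1).toInt32(exec);
     return jsNumber(impl()->setInterval(action.release(), delay));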
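Review bot: The new `if (!action) return jsNumber(0);` guards in setTimeout and setInterval encode a contract that the hunk never states: ScheduledAction::create is now expected to return null, presumably without raising a JS exception, when the policy passed as its third argument refuses a string argument. A one-line comment above each guard would stop the next reader from mistaking the null for an allocation failure, e.g. `// A null action means the ContentSecurityPolicy rejected a string handler; report timer id 0, as the V8 binding does, rather than throwing.` The two methods are now identical apart from the final setTimeout/setInterval call, so a small shared helper would keep the CSP handling in one place when it changes again. Both hadException checks stay ahead of the null check, so an exception raised during create still wins, which looks right.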
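--- a/trunk/Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp
+++ b/trunk/Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp
@@ -87,4 +87,5 @@
 WorkerContextExecutionProxy::WorkerContextExecutionProxy(WorkerContext* workerContext)
     : m_workerContext(workerContext)
+    , m_disableEvalPending(false)
 {
     initIsolate();
@@ -210,4 +211,10 @@
         return ScriptValue();
 
+    if (m_disableEvalPending) {
+        m_context->AllowCodeGenerationFromStrings(false);
+        m_disableEvalPending = false;
+    }
+
     v8::Context::Scope scope(m_context);
 
@@ -244,4 +250,9 @@
 }
 
+void WorkerContextExecutionProxy::setEvalAllowed(bool enable)
+{
+    m_disableEvalPending = !enable;
+}
+
 v8::Local<v8::Value> WorkerContextExecutionProxy::runScript(v8::Handle<v8::Script> script)
 {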
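Review bot: setEvalAllowed(bool enable) can only ever disable: `m_disableEvalPending = !enable;` means a call with `true` merely cancels a not-yet-applied disable, and nothing anywhere calls AllowCodeGenerationFromStrings(true), so once evaluate() has applied the flag the setting is permanent although the declaration in WorkerContextExecutionProxy.h describes it as allowing eval. Either make the one-way nature explicit (`void disableEval();` setting `m_disableEvalPending = true;`) or document that re-enabling is unsupported; the only caller in this changeset, WorkerScriptController::disableEval, passes false. The flag is also consumed only inside evaluate(), so if m_context can already exist and run script through another entry point (runScript, timer or message callbacks) between disableEval() and the next evaluate(), string-to-code generation stays allowed in that window; the ChangeLog accepts the deferral as a design choice, but a comment at the check should say so. The new block dereferences m_context right after the early `return ScriptValue();`, so it relies on that return having covered the no-context case; the lines establishing that are outside the hunk.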
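--- a/trunk/Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h
+++ b/trunk/Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h
@@ -69,4 +69,7 @@
     void trackEvent(Event*);
 
+    // Alow use of eval() and is equivalents in scripts.
+    void setEvalAllowed(bool enable);
+
     // Evaluate a script file in the current execution environment.
     ScriptValue evaluate(const String& script, const String& fileName, const TextPosition& scriptStartPosition, WorkerContextExecutionState*);
@@ -95,4 +98,6 @@
 
     OwnPtr<V8PerContextData> m_perContextData;
+
+    bool m_disableEvalPending;
 };
 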
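Review bot: The new comment on setEvalAllowed misspells two words (`Alow`, `is equivalents`) and, more importantly, does not say that the setting takes effect only later, so a caller may expect an immediate change to the running context. Suggest: `// Allow or forbid eval() and its equivalents (code generated from strings). The value is recorded here and applied to the V8 context on the next evaluate() call.` The member would benefit from the same note: `bool m_disableEvalPending; // set by setEvalAllowed(false), consumed by evaluate()`. The class body continues outside both hunks.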
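--- a/trunk/Source/WebCore/bindings/v8/WorkerScriptController.cpp
+++ b/trunk/Source/WebCore/bindings/v8/WorkerScriptController.cpp
@@ -135,4 +135,5 @@
 void WorkerScriptController::disableEval()
 {
+    m_proxy->setEvalAllowed(false);
 }
 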
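--- a/trunk/Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp
+++ b/trunk/Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp
@@ -34,7 +34,10 @@
 #include "V8WorkerContext.h"
 
+#include "ContentSecurityPolicy.h"
 #include "DOMTimer.h"
 #include "ExceptionCode.h"
 #include "ScheduledAction.h"
+#include "ScriptCallStack.h"
+#include "ScriptCallStackFactory.h"
 #include "V8Binding.h"
 #include "V8Utilities.h"
@@ -64,4 +67,9 @@
     v8::Handle<v8::Context> v8Context = proxy->context();
     if (function->IsString()) {
+        if (ContentSecurityPolicy* policy = workerContext->contentSecurityPolicy()) {
+            RefPtr<ScriptCallStack> callStack = createScriptCallStackForInspector();
+            if (!policy->allowEval(callStack.release()))
+                return v8Integer(0, args.GetIsolate());
+        }
         WTF::String stringFunction = toWebCoreString(function);
         timerId = DOMTimer::install(workerContext, adoptPtr(new ScheduledAction(v8Context, stringFunction, workerContext->url())), timeout, singleShot);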
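Review bot: The new check builds a ScriptCallStack with createScriptCallStackForInspector() on every string-argument setTimeout/setInterval call before allowEval has decided anything, so the common allowed path pays for a call stack that is presumably used only to report a violation; if the policy API can be asked first and given the stack only on refusal, that would be cheaper, otherwise a comment should say why the stack is captured eagerly. The silent `return v8Integer(0, args.GetIsolate());` mirrors the JSC binding in this changeset, and the reason belongs at the return, e.g. `// CSP refused string-to-code conversion; like JSWorkerContext::setTimeout, report timer id 0 instead of throwing.` Restricting the check to the IsString branch is correct, since a Function argument involves no code generation from a string. SetTimeoutOrInterval begins and ends outside the hunk.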