Changeset 181925 in webkit
- Timestamp: Mar 24, 2015 6:28:28 PM (9 years ago)
- Location: trunk
- Files: 5 edited
trunk/LayoutTests/ChangeLog
r181924 r181925 1 2015-03-24 Zhuo Li <zachli@apple.com> 2 3 Scripts running in isolated world should not subject to a page's CSP about 'eval'. 4 https://bugs.webkit.org/show_bug.cgi?id=141316. 5 6 Reviewed by Geoffrey Garen. 7 8 I added a new Content Security Policy directive, "script-src", so that we do not 9 allow 'unsafe-eval' in the main world. 10 11 Also I have to copy the whole function instead of using eval because 12 eval is subject to the main world Content Security Policy now. 13 14 * http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt: 15 * http/tests/security/isolatedWorld/bypass-main-world-csp.html: 16 1 17 2015-03-24 Joseph Pecoraro <pecoraro@apple.com> 2 18 -
trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt
r148076 r181925 3 3 ALERT: BLOCKED in main world 4 4 ALERT: LOADED in isolated world 5 CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 6 7 ALERT: BLOCKED eval() in main world 8 ALERT: Called eval() in isolated world 5 9 This test ensures that scripts run in isolated worlds aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like. 6 10 -
trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html
r148076 r181925 2 2 <html> 3 3 <head> 4 <meta http-equiv="Content-Security-Policy" content="img-src 'none' ">4 <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'"> 5 5 <script> 6 6 if (window.testRunner) { … … 9 9 } 10 10 11 tests = 2;11 tests = 4; 12 12 window.addEventListener("message", function(message) { 13 13 tests -= 1; … … 30 30 } 31 31 32 function callEval(isolated) { 33 try { 34 eval("true"); 35 alert('Called eval() in ' + (isolated ? "isolated world" : "main world")); 36 window.postMessage("next", "*"); 37 } catch (error) { 38 console.log(error); 39 alert('BLOCKED eval() in ' + (isolated ? "isolated world" : "main world")); 40 window.postMessage("next", "*"); 41 } 42 } 43 32 44 switch (tests) { 33 case 2:45 case 4: 34 46 setImgSrc(false); 35 47 break; 48 case 3: 49 testRunner.evaluateScriptInIsolatedWorld(1, String(setImgSrc) + "\nsetImgSrc(true);"); 50 break; 51 case 2: 52 callEval(false); 53 break; 36 54 case 1: 37 testRunner.evaluateScriptInIsolatedWorld(1, String( eval("setImgSrc")) + "\nsetImgSrc(true);");55 testRunner.evaluateScriptInIsolatedWorld(1, String(callEval) + "\ncallEval(true);"); 38 56 break; 39 57 case 0: -
trunk/Source/WebCore/ChangeLog
r181923 r181925 1 2015-03-24 Zhuo Li <zachli@apple.com> 2 3 Scripts running in isolated world should not subject to a page's CSP about 'eval'. 4 https://bugs.webkit.org/show_bug.cgi?id=141316. 5 6 Reviewed by Geoffrey Garen. 7 8 * bindings/js/ScriptController.cpp: 9 (WebCore::ScriptController::initScript): 10 We should not impose the main world Content Security Policy onto the isolated world. 11 1 12 2015-03-24 Chris Dumez <cdumez@apple.com> 2 13 -
trunk/Source/WebCore/bindings/js/ScriptController.cpp
r180225 r181925 254 254 windowShell->window()->updateDocument(); 255 255 256 if (m_frame.document()) 257 windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage()); 256 if (m_frame.document()) { 257 bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal(); 258 if (shouldBypassMainWorldContentSecurityPolicy) 259 windowShell->window()->setEvalEnabled(true); 260 else 261 windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage()); 262 } 258 263 259 264 if (Page* page = m_frame.page()) {
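Review bot: In trunk/Source/WebCore/bindings/js/ScriptController.cpp, the new branch in initScript calls setEvalEnabled(true) for every world where world.isNormal() is false, and nothing in the code says why that is safe. The reasoning exists only in the ChangeLog entry ("We should not impose the main world Content Security Policy onto the isolated world"). A short comment above `bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();` should record that the bypass is deliberate and that any code able to run in a non-normal world is trusted to call eval regardless of the page's script-src. The local is read only once, so `if (!world.isNormal())` with that comment would also do, unless the name is being kept as documentation.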
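Review bot: In callEval() in trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html, the try and the catch paths both end with the same `window.postMessage("next", "*");` call, and the success alert sits inside the try, so an exception raised by anything after `eval("true");` would be reported as "BLOCKED eval()". Consider keeping only the eval call inside the try, choosing the alert text from its outcome, and posting "next" once after the try/catch so the test sequence advances from a single place.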
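Review bot: The CONSOLE MESSAGE line added to trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt pins a source position ("line 38") and the full EvalError text, so any edit that shifts lines in bypass-main-world-csp.html or rewords the engine's message will fail this test for reasons unrelated to isolated-world behaviour. The two new ALERT lines already distinguish the main-world and isolated-world outcomes. Dropping the `console.log(error);` call in callEval() would remove that dependency without losing coverage.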