Changeset 181925 in webkit


Timestamp:
Mar 24, 2015 6:28:28 PM
Author:
commit-queue@webkit.org
Message:

Scripts running in isolated world should not be subject to a page's CSP about 'eval'.
https://bugs.webkit.org/show_bug.cgi?id=141316.

Patch by Zhuo Li <zachli@apple.com> on 2015-03-24
Reviewed by Geoffrey Garen.

Source/WebCore:

  • bindings/js/ScriptController.cpp:

(WebCore::ScriptController::initScript):
We should not impose the main world Content Security Policy onto the isolated world.

LayoutTests:

I added a new Content Security Policy directive, "script-src", so that we do not
allow 'unsafe-eval' in the main world.

Also I have to copy the whole function instead of using eval because
eval is subject to the main world Content Security Policy now.

  • http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
  • http/tests/security/isolatedWorld/bypass-main-world-csp.html:
Location:
trunk
Files:
5 edited

  • trunk/LayoutTests/ChangeLog

    r181924 r181925  
     12015-03-24  Zhuo Li  <zachli@apple.com>
     2
     3        Scripts running in isolated world should not subject to a page's CSP about 'eval'.
     4        https://bugs.webkit.org/show_bug.cgi?id=141316.
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        I added a new Content Security Policy directive, "script-src", so that we do not
     9        allow 'unsafe-eval' in the main world.
     10
     11        Also I have to copy the whole function instead of using eval because
     12        eval is subject to the main world Content Security Policy now.
     13
     14        * http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
     15        * http/tests/security/isolatedWorld/bypass-main-world-csp.html:
     16
    1172015-03-24  Joseph Pecoraro  <pecoraro@apple.com>
    218
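Review bot: The entry describes "script-src" as a new Content Security Policy directive, but script-src is a standard CSP directive; what this change adds is that directive to the test page's policy, without 'unsafe-eval', so that eval() is refused in the main world. Suggest rewording along the lines of "Added a script-src directive without 'unsafe-eval' to the test's Content Security Policy". The title line would also read better as "should not be subject to".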
  • trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt

    r148076 r181925  
    33ALERT: BLOCKED in main world
    44ALERT: LOADED in isolated world
     5CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
     6
     7ALERT: BLOCKED eval() in main world
     8ALERT: Called eval() in isolated world
    59This test ensures that scripts run in isolated worlds aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like.
    610
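Review bot: The new expectation on line 5 bakes in the console message's source line ("line 38") and the full policy string, so any edit that shifts lines in bypass-main-world-csp.html, or any change to the meta policy, forces this file to be regenerated. If the console.log in callEval is kept, logging only error.name would keep the expectation stable. The ordering (BLOCKED eval() in main world, then Called eval() in isolated world) matches the countdown order of the new switch cases in the test.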
  • trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html

    r148076 r181925  
    22<html>
    33<head>
    4 <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
     4<meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'">
    55<script>
    66    if (window.testRunner) {
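Review bot: The updated meta policy on line 4 is now the load-bearing part of the test: eval() is refused in the main world only because 'unsafe-eval' is absent from script-src, while 'unsafe-inline' has to remain so the inline script block still runs. A one-line comment in the test saying that 'unsafe-eval' is intentionally omitted would make that dependency explicit for whoever next edits the policy.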
     
    99    }
    1010
    11     tests = 2;
     11    tests = 4;
    1212    window.addEventListener("message", function(message) {
    1313        tests -= 1;
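Review bot: tests = 4 on line 11 is a magic count that must track the number of cases in the switch further down; a comment naming the four steps (img-src in main and isolated world, eval in main and isolated world) would make the coupling visible.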
     
    3030        }
    3131
     32        function callEval(isolated) {
     33            try {
     34                eval("true");
     35                alert('Called eval() in ' + (isolated ? "isolated world" : "main world"));
     36                window.postMessage("next", "*");
     37            } catch (error) {
     38                console.log(error);
     39                alert('BLOCKED eval() in ' + (isolated ? "isolated world" : "main world"));
     40                window.postMessage("next", "*");
     41            }
     42        }
     43
    3244        switch (tests) {
    33             case 2:
     45            case 4:
    3446                setImgSrc(false);
    3547                break;
     48            case 3:
     49                testRunner.evaluateScriptInIsolatedWorld(1, String(setImgSrc) + "\nsetImgSrc(true);");
     50                break;
     51            case 2:
     52                callEval(false);
     53                break;
    3654            case 1:
    37                 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
     55                testRunner.evaluateScriptInIsolatedWorld(1, String(callEval) + "\ncallEval(true);");
    3856                break;
    3957            case 0:
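Review bot: In callEval (lines 32-42) the result of eval("true") is discarded, so the success path only proves that eval did not throw; asserting on the returned value, e.g. `if (eval("true") !== true) throw new Error("eval returned wrong value");`, would confirm the isolated-world eval actually executed. The console.log(error) on line 38 is also what produces the line-numbered message in the expected file; logging error.name would keep the expectation independent of the file's line layout. Replacing String(eval("setImgSrc")) with String(setImgSrc) in case 3 is required now that eval is blocked in the main world, as the ChangeLog says.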
  • trunk/Source/WebCore/ChangeLog

    r181923 r181925  
     12015-03-24  Zhuo Li  <zachli@apple.com>
     2
     3        Scripts running in isolated world should not subject to a page's CSP about 'eval'.
     4        https://bugs.webkit.org/show_bug.cgi?id=141316.
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        * bindings/js/ScriptController.cpp:
     9        (WebCore::ScriptController::initScript):
     10        We should not impose the main world Content Security Policy onto the isolated world.
     11
    1122015-03-24  Chris Dumez  <cdumez@apple.com>
    213
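Review bot: The rationale is thin: the entry states the policy decision but not why it is safe. Since the code keys on !world.isNormal(), every non-normal world, not only extension worlds, gains eval regardless of the page's policy; noting that isolated worlds already bypass the page's other CSP restrictions (the existing test's img-src case) and that the assumption is that such worlds run only trusted, non-page script would document the threat-model reasoning for future readers.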
  • trunk/Source/WebCore/bindings/js/ScriptController.cpp

    r180225 r181925  
    254254    windowShell->window()->updateDocument();
    255255
    256     if (m_frame.document())
    257         windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
     256    if (m_frame.document()) {
     257        bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
     258        if (shouldBypassMainWorldContentSecurityPolicy)
     259            windowShell->window()->setEvalEnabled(true);
     260        else
     261            windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
     262    }
    258263
    259264    if (Page* page = m_frame.page()) {
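Review bot: The bypass branch on lines 257-259 is keyed on !world.isNormal(), so eval is unconditionally enabled for every non-normal world; that matches the isolated-world behaviour the test describes, but it is worth confirming no caller creates a non-normal world for page-controlled script. Style: the retained allowEval(0, ContentSecurityPolicy::SuppressReport) call on line 261 passes 0 for a pointer argument; nullptr would be clearer. The shouldBypassMainWorldContentSecurityPolicy local is used once, but its name documents intent and reads well as is.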