Changeset 193939 in webkit
- Timestamp: Dec 10, 2015 6:08:31 PM (8 years ago)
- Location: trunk
- Files: 4 added, 6 edited, 1 copied
trunk/LayoutTests/ChangeLog
r193936 r193939 1 2015-12-10 Daniel Bates <dabates@apple.com> 2 3 [CSP] eval() is not blocked for stringified literals 4 https://bugs.webkit.org/show_bug.cgi?id=152158 5 <rdar://problem/15775625> 6 7 Reviewed by Saam Barati. 8 9 Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be 10 more comprehensive. 11 12 Add tests to ensure that we block eval() from within an external JavaScript script when the 13 policy of the page disallows eval() and that we block eval() inside a subframe that disallows 14 eval() when the page in the main frame allows eval(). 15 16 * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt: 17 * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added. 18 * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added. 19 * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. 20 * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added. 21 * http/tests/security/contentSecurityPolicy/eval-blocked.html: 22 * http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added. 23 1 24 2015-12-10 Brady Eidson <beidson@apple.com> 2 25 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt
r128670 r193939 1 CONSOLE MESSAGE: line 1 2: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".1 CONSOLE MESSAGE: line 14: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 2 2 3 3 CONSOLE MESSAGE: line 15: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 4 4 5 CONSOLE MESSAGE: line 32: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 5 6 7 CONSOLE MESSAGE: line 33: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 8 9 CONSOLE MESSAGE: line 34: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 10 11 CONSOLE MESSAGE: line 35: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 12 13 CONSOLE MESSAGE: line 36: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 
14 15 CONSOLE MESSAGE: line 37: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 16 17 CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 18 19 CONSOLE MESSAGE: line 39: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 20 21 CONSOLE MESSAGE: line 40: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 22 23 CONSOLE MESSAGE: line 41: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 24 25 CONSOLE MESSAGE: line 42: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 26 27 CONSOLE MESSAGE: line 43: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 28 29 CONSOLE MESSAGE: line 44: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 
30 31 CONSOLE MESSAGE: line 45: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 32 33 CONSOLE MESSAGE: line 46: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 34 35 CONSOLE MESSAGE: line 47: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'". 36 37 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html
r193938 r193939 2 2 <html> 3 3 <head> 4 <meta http-equiv="Content-Security-Policy" content="script-src ' unsafe-inline'">4 <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"> 5 5 <script> 6 6 if (window.testRunner) 7 7 testRunner.dumpAsText(); 8 8 </script> 9 <script src="resources/eval-blocked-in-external-script.js"></script> 9 10 </head> 10 <body>11 <script>12 eval("alert('FAIL (1 of 2)')");13 </script>14 <script>15 window.eval("alert('FAIL (2 of 2)')");16 </script>17 </body>18 11 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html
r133095 r193939 6 6 if (window.testRunner) 7 7 testRunner.dumpAsText(); 8 9 var dummy = 79; 8 10 </script> 9 11 </head> 10 12 <body> 11 <script> 12 eval("alert('FAIL (1 of 2)')"); 13 </script> 14 <script> 15 window.eval("alert('FAIL (2 of 2)')"); 16 </script> 13 <!-- eval() string literal "alert()" --> 14 <script>eval("alert('FAIL')")</script> 15 <script>window.eval("alert('FAIL')")</script> 16 <!-- eval() non-string literal (should be allowed) --> 17 <script>eval(0)</script> 18 <script>window.eval(0)</script> 19 <script>eval(1)</script> 20 <script>window.eval(1)</script> 21 <script>eval(7)</script> 22 <script>window.eval(7)</script> 23 <script>eval(3.14)</script> 24 <script>window.eval(3.14)</script> 25 <script>eval(true)</script> 26 <script>window.eval(true)</script> 27 <script>eval(false)</script> 28 <script>window.eval(false)</script> 29 <script>eval(Function)</script> 30 <script>window.eval(Function)</script> 31 <!-- eval() string literal --> 32 <script>eval("")</script> 33 <script>window.eval("")</script> 34 <script>eval("0")</script> 35 <script>window.eval("0")</script> 36 <script>eval("1")</script> 37 <script>window.eval("1")</script> 38 <script>eval("2.73")</script> 39 <script>window.eval("2.73")</script> 40 <script>eval("true")</script> 41 <script>window.eval("true")</script> 42 <script>eval("false")</script> 43 <script>window.eval("false")</script> 44 <script>eval("Object")</script> 45 <script>window.eval("Object")</script> 46 <script>eval("dummy")</script> 47 <script>window.eval("dummy")</script> 17 48 </body> 18 49 </html> -
trunk/Source/JavaScriptCore/ChangeLog
r193938 r193939 1 2015-12-10 Daniel Bates <dabates@apple.com> 2 3 [CSP] eval() is not blocked for stringified literals 4 https://bugs.webkit.org/show_bug.cgi?id=152158 5 <rdar://problem/15775625> 6 7 Reviewed by Saam Barati. 8 9 Fixes an issue where stringified literals can be eval()ed despite being disallowed by 10 Content Security Policy of the page. 11 12 * interpreter/Interpreter.cpp: 13 (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page 14 and return undefined. 15 * runtime/JSGlobalObjectFunctions.cpp: 16 (JSC::globalFuncEval): Ditto. 17 1 18 2015-12-10 Joseph Pecoraro <pecoraro@apple.com> 2 19 -
trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp
r193766 r193939 145 145 if (!program.isString()) 146 146 return program; 147 147 148 148 TopCallFrameSetter topCallFrame(callFrame->vm(), callFrame); 149 JSGlobalObject* globalObject = callFrame->lexicalGlobalObject(); 150 if (!globalObject->evalEnabled()) { 151 callFrame->vm().throwException(callFrame, createEvalError(callFrame, globalObject->evalDisabledErrorMessage())); 152 return jsUndefined(); 153 } 149 154 String programSource = asString(program)->value(callFrame); 150 155 if (callFrame->hadException()) -
trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
r193766 r193939 568 568 return JSValue::encode(x); 569 569 570 JSGlobalObject* globalObject = exec->lexicalGlobalObject(); 571 if (!globalObject->evalEnabled()) { 572 exec->vm().throwException(exec, createEvalError(exec, globalObject->evalDisabledErrorMessage())); 573 return JSValue::encode(jsUndefined()); 574 } 575 570 576 String s = x.toString(exec)->value(exec); 571 577
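Review bot: in trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html, the cases under the comment "eval() non-string literal (should be allowed)" (new lines 17-30) discard the return value, so the test shows only that no EvalError is logged for them, not that eval(0), eval(true) or eval(Function) hand back their argument. Logging a PASS/FAIL line per case, for example comparing the result of eval(3.14) against 3.14, would make the allowed path an explicit expectation in eval-blocked-expected.txt instead of an absence of output.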
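Review bot: in trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp, the evalEnabled() check added at new lines 149-153 carries no comment saying why it sits directly after the isString() early return and before programSource is read. Going by the ChangeLog entry, stringified literals were being evaluated despite the page's policy, so the position of this check is the fix itself; a one-line comment stating that the check must run before anything is done with the source string would keep a later refactor from moving it back down.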
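Review bot: in trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp, the block added at new lines 570-574 repeats the check-and-throw sequence added to JSC::eval in Interpreter.cpp, differing only in the frame variable name (exec vs. callFrame) and the JSValue::encode() around jsUndefined(). Consider a shared helper that takes the call frame, throws the EvalError built from evalDisabledErrorMessage() when evalEnabled() is false, and reports whether it threw, so the two entry points cannot drift apart if the check or its message changes.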