Changeset 224290 in webkit


Timestamp:
Nov 1, 2017 1:38:58 PM (6 years ago)
Author:
rniwa@webkit.org
Message:

Assert that NoEventDispatchAssertion is not in the stack when executing a script
https://bugs.webkit.org/show_bug.cgi?id=179107

Reviewed by Simon Fraser.

Assert that NoEventDispatchAssertion::isEventAllowedInMainThread() is true when we're about to execute a script
by adding the assertion in ScriptController::canExecuteScripts which gets called with AboutToExecuteScript
whenever we're about to run scripts in event handlers, etc...

We don't assert the construction of event handlers in JSLazyEventListener since this happens while copying
the DOM tree inside an SVG use element and creating an event handler's JS function won't execute arbitrary scripts.

No new tests since there should be no behavioral change other

  • bindings/js/JSLazyEventListener.cpp:
    (WebCore::JSLazyEventListener::initializeJSFunction const): Use newly added AboutToCreateEventListener.
    (WebCore::JSLazyEventListener::create): Ditto.
  • bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::canExecuteScripts): Added the assertion.
  • bindings/js/ScriptController.h:

Location:
trunk/Source/WebCore
Files:
4 edited

  • trunk/Source/WebCore/ChangeLog

    r224287 r224290  
     12017-11-01  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Assert that NoEventDispatchAssertion is not in the stack when executing a script
     4        https://bugs.webkit.org/show_bug.cgi?id=179107
     5
     6        Reviewed by Simon Fraser.
     7
     8        Assert that NoEventDispatchAssertion::isEventAllowedInMainThread() is true when we're about to execute a script
     9        by adding the assertion in ScriptController::canExecuteScripts which gets called with AboutToExecuteScript
     10        whenever we're about to run scripts in event handlers, etc...
     11
     12        We don't assert the construction of event handlers in JSLazyEventListener since this happens while copying
     13        the DOM tree inside a SVG use element and creating a event handler's JS function won't execute arbitrary scripts.
     14
     15        No new tests since there should be no behavioral change other
     16
     17        * bindings/js/JSLazyEventListener.cpp:
     18        (WebCore::JSLazyEventListener::initializeJSFunction const): Use newly added AboutToCreateEventListener.
     19        (WebCore::JSLazyEventListener::create): Ditto.
     20        * bindings/js/ScriptController.cpp:
     21        (WebCore::ScriptController::canExecuteScripts): Added the assertion.
     22        * bindings/js/ScriptController.h:
     23
    1242017-11-01  Chris Dumez  <cdumez@apple.com>
    225
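Review bot: ChangeLog line 15, "No new tests since there should be no behavioral change other", is cut off mid-sentence; finish it (for example "other than the new assertion") before landing. On line 13, "a SVG use element" and "a event handler's" should read "an SVG use element" and "an event handler's".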
  • trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

    r223476 r224290  
    9898
    9999    ScriptController& script = document.frame()->script();
    100     if (!script.canExecuteScripts(AboutToExecuteScript) || script.isPaused())
     100    if (!script.canExecuteScripts(AboutToCreateEventListener) || script.isPaused())
    101101        return nullptr;
    102102
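Review bot: Switching this call to AboutToCreateEventListener is what keeps the new NoEventDispatchAssertion check from firing during lazy listener creation, but nothing at the call site says so. A one-line comment above line 100 (that initializeJSFunction can run while the DOM tree is being copied for an SVG use element under NoEventDispatchAssertion, and that compiling the handler function does not execute it) would spare the next reader a trip to the ChangeLog.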
     
    169169    String sourceURL;
    170170    if (Frame* frame = arguments.document.frame()) {
    171         if (!frame->script().canExecuteScripts(AboutToExecuteScript))
     171        if (!frame->script().canExecuteScripts(AboutToCreateEventListener))
    172172            return nullptr;
    173173        position = frame->script().eventHandlerPosition();
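Review bot: Same reason change as in initializeJSFunction, so canExecuteScripts is now reached from here with a reason that no longer matches AboutToExecuteScript. Every branch inside canExecuteScripts that tests `reason == AboutToExecuteScript` on its own must be audited for this new value; the sandbox branch visible in this changeset was updated, but any other such branch would silently lose its console message for lazy listeners while still returning false.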
  • trunk/Source/WebCore/bindings/js/ScriptController.cpp

    r223777 r224290  
    4444#include "ModuleFetchParameters.h"
    4545#include "NP_jsobject.h"
     46#include "NoEventDispatchAssertion.h"
    4647#include "Page.h"
    4748#include "PageConsoleClient.h"
     
    677678bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
    678679{
     680    if (reason == AboutToExecuteScript)
     681        ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread());
     682
    679683    if (m_frame.document() && m_frame.document()->isSandboxed(SandboxScripts)) {
    680684        // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
    681         if (reason == AboutToExecuteScript)
     685        if (reason == AboutToExecuteScript || reason == AboutToCreateEventListener)
    682686            m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked script execution in '" + m_frame.document()->url().stringCenterEllipsizedToLength() + "' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.");
    683687        return false;
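Review bot: ASSERT_WITH_SECURITY_IMPLICATION compiles out in release builds, so the new check at lines 680-681 only catches violations in debug and assertion-enabled builds; that is appropriate for an invariant check, but the change should not be read as adding a release-time guard. Its placement before the sandbox test means it also fires for a sandboxed document where execution would be refused anyway, which is the stricter choice and seems right since the caller is already on a script-execution path. A short comment stating the invariant (script must not run while a NoEventDispatchAssertion is on the stack) would help, and the widened condition at line 685 is required to keep the sandbox console message for JSLazyEventListener, which now passes AboutToCreateEventListener.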
  • trunk/Source/WebCore/bindings/js/ScriptController.h

    r223777 r224290  
    6565
    6666enum ReasonForCallingCanExecuteScripts {
     67    AboutToCreateEventListener,
    6768    AboutToExecuteScript,
    6869    NotAboutToExecuteScript
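Review bot: Inserting AboutToCreateEventListener ahead of AboutToExecuteScript renumbers the existing enumerators of this unscoped enum; harmless as long as nothing stores or compares them numerically (the call sites in this changeset compare symbolically), but appending it at the end would avoid the question entirely. The enumerators also deserve a comment: the distinction between AboutToCreateEventListener (compiling a lazy handler, permitted under NoEventDispatchAssertion) and AboutToExecuteScript (actually running script, now asserted against it) is exactly what this change relies on, and at present it is documented only in the ChangeLog.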