Diff
Modified: trunk/Source/WebCore/ChangeLog (96666 => 96667)
--- trunk/Source/WebCore/ChangeLog 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/ChangeLog 2011-10-05 00:52:50 UTC (rev 96667)
@@ -1,3 +1,30 @@
+2011-10-04 Sam Weinig <[email protected]>
+
+ Wean ContentSecurityPolicy from the Document
+ https://bugs.webkit.org/show_bug.cgi?id=69387
+
+ Reviewed by Adam Barth.
+
+ * bindings/js/WorkerScriptController.cpp:
+ (WebCore::WorkerScriptController::disableEval):
+ * bindings/js/WorkerScriptController.h:
+ * dom/Document.cpp:
+ (WebCore::Document::disableEval):
+ * dom/Document.h:
+ * workers/WorkerContext.cpp:
+ (WebCore::WorkerContext::disableEval):
+ * workers/WorkerContext.h:
+ * dom/ScriptExecutionContext.h:
+ Add pure virtual disableEval to ScriptExecutionContext, so that ContentSecurityPolicy
+ can call it for both Documents and WorkerContexts.
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+ Call the new ScriptExecutionContext::disableEval() function.
+
+ (WebCore::ContentSecurityPolicy::reportViolation):
+ Use ScriptExecutionContext::addMessage() instead of going directly to the DOMWindow.
+
2011-10-04 Anders Carlsson <[email protected]>
Move code into ScrollElasticityController::beginScrollGesture()
Modified: trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp (96666 => 96667)
--- trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp 2011-10-05 00:52:50 UTC (rev 96667)
@@ -181,6 +181,14 @@
return m_executionForbidden;
}
+void WorkerScriptController::disableEval()
+{
+ initScriptIfNeeded();
+ JSLock lock(SilenceAssertionsOnly);
+
+ m_workerContextWrapper->setEvalEnabled(false);
+}
+
} // namespace WebCore
#endif // ENABLE(WORKERS)
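Review bot: `WorkerScriptController::disableEval()` does not say why it calls `initScriptIfNeeded()` before touching the wrapper, and the reason matters for policy enforcement: the flag is stored on `m_workerContextWrapper`, so that object has to exist before the restriction can be recorded. I would add a comment above the call, e.g. `// The CSP header can be processed before any worker script has run; make sure the global object exists so the eval restriction is in place before the first evaluation.` This assumes initScriptIfNeeded() is what creates the wrapper, which is not visible in this hunk, so confirm before committing the wording.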
Modified: trunk/Source/WebCore/bindings/js/WorkerScriptController.h (96666 => 96667)
--- trunk/Source/WebCore/bindings/js/WorkerScriptController.h 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/bindings/js/WorkerScriptController.h 2011-10-05 00:52:50 UTC (rev 96667)
@@ -73,6 +73,8 @@
void forbidExecution();
bool isExecutionForbidden() const;
+ void disableEval();
+
JSC::JSGlobalData* globalData() { return m_globalData.get(); }
private:
Modified: trunk/Source/WebCore/dom/Document.cpp (96666 => 96667)
--- trunk/Source/WebCore/dom/Document.cpp 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/dom/Document.cpp 2011-10-05 00:52:50 UTC (rev 96667)
@@ -2438,6 +2438,14 @@
return frame() ? frame()->loader()->userAgent(url) : String();
}
+void Document::disableEval()
+{
+ if (!frame())
+ return;
+
+ frame()->script()->disableEval();
+}
+
CSSStyleSheet* Document::pageUserSheet()
{
if (m_pageUserSheet)
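Review bot: `Document::disableEval()` returns silently when `frame()` is null, so a policy that forbids eval is dropped without any trace for a frameless document. That matches what the removed code in ContentSecurityPolicy::didReceiveHeader did, but now that this is a ScriptExecutionContext override the reason the early return is safe should be written down, e.g. `// No frame means no ScriptController, so no script can run and there is nothing to restrict.` If a document can gain a frame after the header has been processed (not determinable from this hunk), the restriction would need to be re-applied at that point.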
Modified: trunk/Source/WebCore/dom/Document.h (96666 => 96667)
--- trunk/Source/WebCore/dom/Document.h 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/dom/Document.h 2011-10-05 00:52:50 UTC (rev 96667)
@@ -612,6 +612,8 @@
virtual String userAgent(const KURL&) const;
+ virtual void disableEval() OVERRIDE;
+
CSSStyleSheet* pageUserSheet();
void clearPageUserSheet();
void updatePageUserSheet();
Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.h (96666 => 96667)
--- trunk/Source/WebCore/dom/ScriptExecutionContext.h 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.h 2011-10-05 00:52:50 UTC (rev 96667)
@@ -96,6 +96,8 @@
virtual String userAgent(const KURL&) const = 0;
+ virtual void disableEval() = 0;
+
SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
ContentSecurityPolicy* contentSecurityPolicy() { return m_contentSecurityPolicy.get(); }
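Review bot: The new pure virtual `disableEval()` is declared without a comment stating its contract, although it is the hook ContentSecurityPolicy now relies on to enforce the policy in every kind of context. A one-line comment such as `// Called by ContentSecurityPolicy when the policy forbids eval(); implementations must prevent eval in this context from then on.` would tell authors of future subclasses that an empty or partial override weakens enforcement.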
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (96666 => 96667)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-05 00:52:50 UTC (rev 96667)
@@ -27,12 +27,12 @@
#include "ContentSecurityPolicy.h"
#include "Console.h"
-#include "DOMWindow.h"
#include "Document.h"
#include "FormData.h"
#include "FormDataList.h"
#include "Frame.h"
#include "PingLoader.h"
+#include "ScriptCallStack.h"
#include "SecurityOrigin.h"
#include "TextEncoding.h"
#include <wtf/text/WTFString.h>
@@ -491,18 +491,19 @@
break;
}
- if (!checkEval(operativeDirective(m_scriptSrc.get()))) {
- // FIXME: Support disabling eval for Workers.
- if (m_scriptExecutionContext->isDocument()) {
- if (Frame* frame = static_cast<Document*>(m_scriptExecutionContext)->frame())
- frame->script()->disableEval();
- }
- }
+ if (!checkEval(operativeDirective(m_scriptSrc.get())))
+ m_scriptExecutionContext->disableEval();
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage) const
{
- // FIXME: Support reporting violations for Workers.
+ String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
+ m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0);
+
+ if (m_reportURLs.isEmpty())
+ return;
+
+ // FIXME: Support sending reports from worker.
if (!m_scriptExecutionContext->isDocument())
return;
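Review bot: In `reportViolation`, a worker context now gets the console message but still returns before any report is sent, so a policy with a report-uri produces no reports for violations that occur in a worker. The FIXME should state that consequence, e.g. `// FIXME: Support sending reports from workers. Until then, worker violations are only logged to the console and never reach the report-uri.` The `addMessage` call also passes a hard-coded line number `1`, an empty source URL and `0` as the last argument (presumably the call stack, given the new ScriptCallStack.h include), so the console entry does not point at the violating code. A short comment saying location information is unavailable here would make that intent clear. reportViolation continues past the end of this hunk.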
@@ -511,12 +512,6 @@
if (!frame)
return;
- String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
- frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String());
-
- if (m_reportURLs.isEmpty())
- return;
-
// We need to be careful here when deciding what information to send to the
// report-uri. Currently, we send only the current document's URL and the
// directive that was violated. The document's URL is safe to send because
Modified: trunk/Source/WebCore/workers/WorkerContext.cpp (96666 => 96667)
--- trunk/Source/WebCore/workers/WorkerContext.cpp 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/workers/WorkerContext.cpp 2011-10-05 00:52:50 UTC (rev 96667)
@@ -165,6 +165,11 @@
return m_userAgent;
}
+void WorkerContext::disableEval()
+{
+ m_script->disableEval();
+}
+
WorkerLocation* WorkerContext::location() const
{
if (!m_location)
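Review bot: `WorkerContext::disableEval()` dereferences `m_script` unconditionally, while WorkerContext.h in this same change shows `clearScript()` resetting it with `m_script.clear()`, so a call arriving after clearScript() would dereference null. Document::disableEval() guards the equivalent case with `if (!frame()) return;`, so for consistency either add `if (!m_script) return;` or, if a late call is a programming error, `ASSERT(m_script);` at the top. Whether a CSP header can actually be processed after clearScript() is not visible in this diff.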
Modified: trunk/Source/WebCore/workers/WorkerContext.h (96666 => 96667)
--- trunk/Source/WebCore/workers/WorkerContext.h 2011-10-05 00:52:18 UTC (rev 96666)
+++ trunk/Source/WebCore/workers/WorkerContext.h 2011-10-05 00:52:50 UTC (rev 96667)
@@ -77,6 +77,8 @@
virtual String userAgent(const KURL&) const;
+ virtual void disableEval() OVERRIDE;
+
WorkerScriptController* script() { return m_script.get(); }
void clearScript() { m_script.clear(); }
#if ENABLE(INSPECTOR)