Modified: trunk/Source/WebCore/ChangeLog (231442 => 231443)
--- trunk/Source/WebCore/ChangeLog 2018-05-07 17:38:25 UTC (rev 231442)
+++ trunk/Source/WebCore/ChangeLog 2018-05-07 17:41:50 UTC (rev 231443)
@@ -1,5 +1,29 @@
2018-05-07 Daniel Bates <[email protected]>
+ CSP should only notify Inspector to pause the debugger on the first policy to violate a directive
+ https://bugs.webkit.org/show_bug.cgi?id=185364
+
+ Reviewed by Brent Fulgham.
+
+ Notify Web Inspector that a script was blocked on the first enforced CSP policy that it
+ violates.
+
+ A page can have more than one enforced Content Security Policy. Currently for inline
+ scripts, inline event handlers, _javascript_ URLs, and eval() that are blocked by CSP
+ we notify Web Inspector that it was blocked for each CSP policy that blocked it. When
+ Web Inspector is notified it pauses script execution. It does not seem very meaningful
+ to pause script execution on the same script for each CSP policy that blocked it.
+ Therefore, only tell Web Inspector that a script was blocked for the first enforced CSP
+ policy that blocked it.
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+ (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+ (WebCore::ContentSecurityPolicy::allowInlineScript const):
+ (WebCore::ContentSecurityPolicy::allowEval const):
+
+2018-05-07 Daniel Bates <[email protected]>
+
Substitute CrossOriginPreflightResultCache::clear() for CrossOriginPreflightResultCache::empty()
https://bugs.webkit.org/show_bug.cgi?id=185170
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (231442 => 231443)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2018-05-07 17:38:25 UTC (rev 231442)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2018-05-07 17:41:50 UTC (rev 231443)
@@ -351,11 +351,14 @@
{
if (overrideContentSecurityPolicy)
return true;
+ bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
- if (!violatedDirective.directiveList().isReportOnly())
+ if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
+ didNotifyInspector = true;
+ }
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
}
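Review bot: The rewritten condition in this hunk is `if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {`, which drops the `!` that the removed line had in front of `violatedDirective.directiveList().isReportOnly()`. As written, this path notifies Web Inspector only for a report-only policy and never for an enforced one, the opposite of what the ChangeLog describes and of the other three lambdas in this commit, which keep the negation. It should read `if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {`. The return value still comes from `allPoliciesAllow`, so blocking itself looks unaffected; what is lost is the debugger pause a developer relies on to locate the blocked script. The function's signature is outside the hunk (presumably `allowJavaScriptURLs`, going by the ChangeLog order).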
@@ -364,11 +367,14 @@
{
if (overrideContentSecurityPolicy)
return true;
+ bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
- if (!violatedDirective.directiveList().isReportOnly())
+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
+ didNotifyInspector = true;
+ }
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
}
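Review bot: `didNotifyInspector` is declared without a comment, and the lambda captures it by reference with `[&]` before being passed to `allPoliciesAllow` via `WTFMove`, so the once-only behaviour depends on the callback running while this frame is still live. A one-line comment at the declaration would record both facts, e.g. `// Set once Web Inspector has been told about the first enforced policy that blocked this script; the lambda below runs synchronously.` The synchronous part is inferred from the hunk and should be confirmed against `allPoliciesAllow`. The same flag-and-guard lines are repeated in the other three functions this commit touches, so the comment (or a small shared helper) would apply there as well. The function's signature is outside the hunk.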
@@ -399,6 +405,7 @@
{
if (overrideContentSecurityPolicy)
return true;
+ bool didNotifyInspector = false;
bool foundHashInEnforcedPolicies;
bool foundHashInReportOnlyPolicies;
std::tie(foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies) = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
@@ -407,8 +414,10 @@
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
- if (!violatedDirective.directiveList().isReportOnly())
+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
+ didNotifyInspector = true;
+ }
};
// FIXME: We should not report that the inline script violated a policy when its hash matched a source
// _expression_ in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
@@ -443,11 +452,14 @@
{
if (overrideContentSecurityPolicy)
return true;
+ bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'");
reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, state);
- if (!violatedDirective.directiveList().isReportOnly())
+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
+ didNotifyInspector = true;
+ }
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval);
}