Diff
Modified: trunk/LayoutTests/TestExpectations (283565 => 283566)
--- trunk/LayoutTests/TestExpectations 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/TestExpectations 2021-10-05 19:12:27 UTC (rev 283566)
@@ -959,8 +959,6 @@
imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement
# Skip some Content Security Policy script-dynamic tests as we do not fully support the feature
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function.html [ Skip ]
imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html [ Skip ]
# Skip Content Security Policy shared workers tests as we do not support shared workers
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,31 @@
+2021-10-05 Kate Cheney <[email protected]>
+
+ CSP: unsafe-eval tests timing out or failing
+ https://bugs.webkit.org/show_bug.cgi?id=231113
+ <rdar://problem/83425041>
+
+ Reviewed by Brent Fulgham.
+
+ * web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt:
+ * web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt:
+ * web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt:
+ * web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval-expected.txt: Added.
+ * web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function-expected.txt: Added.
+ * web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt:
+ This test gets the report but gets an incorrect column number. The bug
+ seems tangential to this patch and we should fix it in a followup.
+
+ * web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt:
+ * web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt:
+ This test gets the report but reveals a bug where we don't allow
+ inline script to execute after calling eval() when unsafe-inline is
+ specified but not unsafe-eval. Tracking in rdar://83846298.
+
+ * web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt:
+ * web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt:
+ * web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt:
+ * web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt:
+
2021-10-05 Martin Robinson <[email protected]>
[css-position-sticky] scrollIntoView should not take into account sticky positioning offsets
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,9 +1,7 @@
eval() should not run without 'unsafe-eval' script-src directive.
-Harness Error (TIMEOUT), message = null
-
-NOTRUN Test that securitypolicyviolation event is fired
+PASS Test that securitypolicyviolation event is fired
PASS eval() should throw without 'unsafe-eval' keyword source in script-src directive.
PASS eval() should not run without 'unsafe-eval' script-src directive.
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_1-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -3,5 +3,5 @@
PASS window.setTimeout()
PASS window.setInterval()
-FAIL Test that securitypolicyviolation event is fired assert_equals: expected "script-src" but got "script-src 'self' 'unsafe-inline'"
+PASS Test that securitypolicyviolation event is fired
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_4_2-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,8 +1,6 @@
Function() called as a constructor should throw without 'unsafe-eval' script-src directive.
-Harness Error (TIMEOUT), message = null
-
-NOTRUN Test that securitypolicyviolation event is fired
+PASS Test that securitypolicyviolation event is fired
PASS Unsafe eval ran in Function() constructor.
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval-expected.txt (0 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_eval-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -0,0 +1,5 @@
+Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.
+
+
+PASS Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.
+
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function-expected.txt (0 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_new_function-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -0,0 +1,5 @@
+Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.
+
+
+PASS Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.
+
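Review bot: the PASS line recorded in this file reads `Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.` although the file's own title is about `new Function()`. The expectation file records whatever subtest name the test declares, so this reflects the upstream test's naming and is correct as recorded; a one-line remark in the ChangeLog entry for this file would stop the next importer from reading it as a copy-paste error.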
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-eval-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,5 +1,3 @@
-Harness Error (TIMEOUT), message = null
+FAIL Eval violations have a blockedURI of 'eval' assert_equals: expected 12 but got 17
-TIMEOUT Eval violations have a blockedURI of 'eval' Test timed out
-
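Review bot: this expectation now bakes in a FAIL (`expected 12 but got 17`, the column number reported for the eval violation), and the LayoutTests ChangeLog only says the column bug "should be fixed in a followup" without naming one. Please file the bug and cite it in the ChangeLog entry for this file, so the FAIL line has an owner and does not quietly become permanent; a comment in TestExpectations pointing at that bug would help too.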
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,3 @@
-FAIL Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code
+PASS Expecting logs: ["PASS: eval() blocked.","violated-directive=script-src"]
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -2,5 +2,5 @@
-FAIL Expecting logs: ["violated-directive=script-src","PASS"] assert_unreached: Logging timeout, expected logs violated-directive=script-src,PASS not sent. Reached unreachable code
+FAIL Expecting logs: ["violated-directive=script-src","PASS"] assert_unreached: Logging timeout, expected logs PASS not sent. Reached unreachable code
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-blocked.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,3 @@
-FAIL Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code
+PASS Expecting logs: ["PASS EvalError","PASS EvalError", "violated-directive=script-src"]
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,3 @@
-FAIL Expecting logs: ["PASS","violated-directive=script-src"] assert_unreached: unexpected log: violated-directive=script-src 'self' 'unsafe-inline' Reached unreachable code
+PASS Expecting logs: ["PASS","violated-directive=script-src"]
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,3 @@
-FAIL Expecting logs: ["PASS","violated-directive=script-src"] assert_unreached: unexpected log: violated-directive=script-src 'self' 'unsafe-inline' Reached unreachable code
+PASS Expecting logs: ["PASS","violated-directive=script-src"]
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt (283565 => 283566)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub-expected.txt 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,3 @@
-FAIL Expecting logs: ["PASS EvalError","violated-directive=script-src"] assert_unreached: Logging timeout, expected logs violated-directive=script-src not sent. Reached unreachable code
+PASS Expecting logs: ["PASS EvalError","violated-directive=script-src"]
Modified: trunk/Source/_javascript_Core/API/JSAPIGlobalObject.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/API/JSAPIGlobalObject.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/API/JSAPIGlobalObject.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -47,6 +47,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
nullptr, // defaultLanguage
nullptr, // compileStreaming
nullptr, // instantiateStreaming
Modified: trunk/Source/_javascript_Core/API/JSAPIGlobalObject.mm (283565 => 283566)
--- trunk/Source/_javascript_Core/API/JSAPIGlobalObject.mm 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/API/JSAPIGlobalObject.mm 2021-10-05 19:12:27 UTC (rev 283566)
@@ -67,6 +67,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
nullptr, // defaultLanguage
nullptr, // compileStreaming
nullptr, // instantiateStreaming
Modified: trunk/Source/_javascript_Core/ChangeLog (283565 => 283566)
--- trunk/Source/_javascript_Core/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,39 @@
+2021-10-05 Kate Cheney <[email protected]>
+
+ CSP: unsafe-eval tests timing out or failing
+ https://bugs.webkit.org/show_bug.cgi?id=231113
+ <rdar://problem/83425041>
+
+ Reviewed by Brent Fulgham.
+
+ Many imported unsafe-eval tests are failing because we don't report
+ violations to the DOM or report URI when an eval is blocked. This
+ patch adds support for that by calling
+ ContentSecurityPolicy::allowEval() when eval is disabled.
+
+ Eventually I think we can remove the evalEnabled() code and check the
+ CSP policy instead, but I will save that for another patch.
+
+ * API/JSAPIGlobalObject.cpp:
+ * API/JSAPIGlobalObject.mm:
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ * jsc.cpp:
+ * runtime/DirectEvalExecutable.cpp:
+ (JSC::DirectEvalExecutable::create):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunction):
+ * runtime/IndirectEvalExecutable.cpp:
+ (JSC::IndirectEvalExecutable::create):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::reportViolationForUnsafeEval):
+ Per the spec we should send the report to the element's document and
+ bubble it up to the window.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+
2021-10-05 Xan López <[email protected]>
[JSC][32bit] Fix bugs after unlinked baseline jit
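Review bot: the entry `* runtime/JSGlobalObjectFunctions.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION):` names the macro rather than the function; prepare-ChangeLog produces that for host functions, but naming the global `eval` host function the hunk actually modifies is clearer for anyone reading the log later.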
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -98,6 +98,7 @@
TopCallFrameSetter topCallFrame(vm, callFrame);
if (!globalObject->evalEnabled()) {
+ globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return jsUndefined();
}
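Review bot: `reportViolationForUnsafeEval` is called through the method table without a null check, unlike the optional entries such as `defaultLanguage` and `compileStreaming` that several tables in this patch initialize with `nullptr`. Every in-tree table is updated here, but an out-of-tree embedder whose aggregate initializer does not name the new slot may end up with a null pointer and crash on the first blocked eval. Either guard the call, e.g. `if (auto* report = globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval) report(globalObject);`, or document the entry as mandatory next to its typedef in JSGlobalObject.h. The same applies to the identical calls added in DirectEvalExecutable.cpp, IndirectEvalExecutable.cpp, FunctionConstructor.cpp and JSGlobalObjectFunctions.cpp.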
Modified: trunk/Source/_javascript_Core/jsc.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/jsc.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/jsc.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -751,6 +751,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
nullptr, // defaultLanguage
nullptr, // compileStreaming
nullptr, // instantinateStreaming
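Review bot: pre-existing typo in the context line `nullptr, // instantinateStreaming`; the other method tables touched by this patch spell it `instantiateStreaming`. Fine as a drive-by fix or as a separate cleanup, but it is adjacent to the new entry so this is a cheap moment to correct it.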
Modified: trunk/Source/_javascript_Core/runtime/DirectEvalExecutable.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/DirectEvalExecutable.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/DirectEvalExecutable.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -40,6 +40,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
if (!globalObject->evalEnabled()) {
+ globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return nullptr;
}
Modified: trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -71,6 +71,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
if (UNLIKELY(!globalObject->evalEnabled())) {
+ globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return nullptr;
}
Modified: trunk/Source/_javascript_Core/runtime/IndirectEvalExecutable.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/IndirectEvalExecutable.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/IndirectEvalExecutable.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -40,6 +40,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
if (!globalObject->evalEnabled()) {
+ globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return nullptr;
}
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -522,6 +522,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
nullptr, // defaultLanguage
nullptr, // compileStreaming
nullptr, // instantiateStreaming
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2021-10-05 19:12:27 UTC (rev 283566)
@@ -248,6 +248,9 @@
typedef ScriptExecutionStatus (*ScriptExecutionStatusPtr)(JSGlobalObject*, JSObject* scriptExecutionOwner);
ScriptExecutionStatusPtr scriptExecutionStatus;
+
+ typedef void (*ReportViolationForUnsafeEvalPtr)(JSGlobalObject*);
+ ReportViolationForUnsafeEvalPtr reportViolationForUnsafeEval;
typedef String (*DefaultLanguageFunctionPtr)();
DefaultLanguageFunctionPtr defaultLanguage;
@@ -914,6 +917,7 @@
static void reportUncaughtExceptionAtEventLoop(JSGlobalObject*, Exception*);
static JSObject* currentScriptExecutionOwner(JSGlobalObject* global) { return global; }
static ScriptExecutionStatus scriptExecutionStatus(JSGlobalObject*, JSObject*) { return ScriptExecutionStatus::Running; }
+ static void reportViolationForUnsafeEval(JSGlobalObject*) { }
JSObject* arrayBufferPrototype(ArrayBufferSharingMode sharingMode) const
{
@@ -1054,6 +1058,8 @@
JS_EXPORT_PRIVATE void queueMicrotask(Ref<Microtask>&&);
+ static void reportViolationForUnsafeEval(const JSGlobalObject*) { }
+
bool evalEnabled() const { return m_evalEnabled; }
bool webAssemblyEnabled() const { return m_webAssemblyEnabled; }
const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
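Review bot: this hunk adds a second `static void reportViolationForUnsafeEval(const JSGlobalObject*) { }` in the public section, while the previous hunk in this file already added `static void reportViolationForUnsafeEval(JSGlobalObject*) { }` next to the other default method-table implementations. The method-table typedef is `void (*)(JSGlobalObject*)`, and every use in this patch (the `&reportViolationForUnsafeEval` table entries and the `JSGlobalObject::reportViolationForUnsafeEval(globalObject)` forwarders in the worker and worklet bases) passes a non-const `JSGlobalObject*`, so the `const` overload is never selected. Drop one of the two; keeping only the non-const one alongside the other defaults avoids an overload set that exists for no caller.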
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (283565 => 283566)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -471,6 +471,7 @@
return JSValue::encode(x);
if (!globalObject->evalEnabled()) {
+ globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return JSValue::encode(jsUndefined());
}
Modified: trunk/Source/WebCore/ChangeLog (283565 => 283566)
--- trunk/Source/WebCore/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/ChangeLog 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1,3 +1,53 @@
+2021-10-05 Kate Cheney <[email protected]>
+
+ CSP: unsafe-eval tests timing out or failing
+ https://bugs.webkit.org/show_bug.cgi?id=231113
+ <rdar://problem/83425041>
+
+ Reviewed by Brent Fulgham.
+
+ No new tests. This will cause existing tests to pass.
+
+ * bindings/js/JSDOMWindowBase.cpp:
+ (WebCore::JSDOMWindowBase::reportViolationForUnsafeEval):
+ Add new parameter LogToConsole to ContentSecurityPolicy::allowEval()
+ because in many cases we already log to console for eval violations
+ when we throw an error.
+
+ * bindings/js/JSDOMWindowBase.h:
+ * bindings/js/JSRemoteDOMWindowBase.cpp:
+ Per the spec, we should set the DOM target to be the element's
+ document. If the element is null, we set it to the window's document.
+
+ * bindings/js/JSWorkerGlobalScopeBase.cpp:
+ (WebCore::JSWorkerGlobalScopeBase::reportViolationForUnsafeEval):
+ * bindings/js/JSWorkerGlobalScopeBase.h:
+ * bindings/js/JSWorkletGlobalScopeBase.cpp:
+ (WebCore::JSWorkletGlobalScopeBase::reportViolationForUnsafeEval):
+ * bindings/js/JSWorkletGlobalScopeBase.h:
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::setTimeout):
+ (WebCore::DOMWindow::setInterval):
+ Cases where we do not log to console already, so we should do it when
+ we check for a violation.
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowEval const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ Per the spec, the blockedURI for eval violations should be "eval".
+ This patch updates the blockedURI to be a string when passed to
+ reportViolation to allow this to happen.
+
+ (WebCore::ContentSecurityPolicy::logToConsole const):
+ Don't log an empty string to console. This allows us to pass an empty
+ string when shouldLogToConsole == LogToConsole::No so we don't need to
+ add an extra boolean to a lot of places to know whether to log.
+
+ * page/csp/ContentSecurityPolicy.h:
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::setTimeout):
+ (WebCore::WorkerGlobalScope::setInterval):
+
2021-10-05 Chris Dumez <[email protected]>
Authorization header lost on 30x redirects
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -26,8 +26,10 @@
#include "Chrome.h"
#include "CommonVM.h"
+#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Document.h"
+#include "Element.h"
#include "EventLoop.h"
#include "FetchResponse.h"
#include "Frame.h"
@@ -83,6 +85,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
[] { return defaultLanguage(); },
#if ENABLE(WEBASSEMBLY)
&compileStreaming,
@@ -249,6 +252,24 @@
return jsCast<JSDocument*>(owner)->wrapped().jscScriptExecutionStatus();
}
+void JSDOMWindowBase::reportViolationForUnsafeEval(JSGlobalObject* object)
+{
+ const JSDOMWindowBase* thisObject = static_cast<const JSDOMWindowBase*>(object);
+ ContentSecurityPolicy* contentSecurityPolicy = nullptr;
+ if (auto* element = thisObject->wrapped().frameElement())
+ contentSecurityPolicy = element->document().contentSecurityPolicy();
+
+ if (!contentSecurityPolicy) {
+ if (auto *document = thisObject->wrapped().document())
+ contentSecurityPolicy = document->contentSecurityPolicy();
+ }
+
+ if (!contentSecurityPolicy)
+ return;
+
+ contentSecurityPolicy->allowEval(object, LogToConsole::No, false);
+}
+
void JSDOMWindowBase::willRemoveFromWindowProxy()
{
setCurrentEvent(0);
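Review bot: the policy lookup prefers the frame element's document (`thisObject->wrapped().frameElement()`) over the window's own document, so for a nested frame a blocked eval is checked against, and reported through, the parent document's policy rather than the frame's own. That gives the right result for the about:blank iframe case this patch targets, where the frame's policy comes from the parent, but for a child frame that carries its own `Content-Security-Policy` the parent's report-uri and violation listeners would receive the event and the child's would not. Please confirm this is what the spec text cited in the ChangeLog requires, or restrict the frame-element path to the inherited-policy case, and add a test with a child frame that has a policy of its own. Two style nits in the same hunk: `static_cast<const JSDOMWindowBase*>(object)` should use `jsCast<>` as the surrounding code does (see the `jsCast<JSDocument*>(owner)` context line above), and `auto *document` should be `auto* document` to match `auto* element` a few lines earlier.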
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h 2021-10-05 19:12:27 UTC (rev 283566)
@@ -80,7 +80,8 @@
static void queueMicrotaskToEventLoop(JSC::JSGlobalObject&, Ref<JSC::Microtask>&&);
static JSC::JSObject* currentScriptExecutionOwner(JSC::JSGlobalObject*);
static JSC::ScriptExecutionStatus scriptExecutionStatus(JSC::JSGlobalObject*, JSC::JSObject*);
-
+ static void reportViolationForUnsafeEval(JSC::JSGlobalObject*);
+
void printErrorMessage(const String&) const;
JSWindowProxy& proxy() const;
Modified: trunk/Source/WebCore/bindings/js/JSRemoteDOMWindowBase.cpp (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSRemoteDOMWindowBase.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSRemoteDOMWindowBase.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -49,6 +49,7 @@
nullptr, // reportUncaughtExceptionAtEventLoop
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
nullptr, // defaultLanguage
nullptr, // compileStreaming
nullptr, // instantiateStreaming
Modified: trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -61,6 +61,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
[] { return defaultLanguage(); },
#if ENABLE(WEBASSEMBLY)
&compileStreaming,
@@ -133,6 +134,11 @@
return jsCast<JSWorkerGlobalScopeBase*>(globalObject)->scriptExecutionContext()->jscScriptExecutionStatus();
}
+void JSWorkerGlobalScopeBase::reportViolationForUnsafeEval(JSC::JSGlobalObject* globalObject)
+{
+ return JSGlobalObject::reportViolationForUnsafeEval(globalObject);
+}
+
void JSWorkerGlobalScopeBase::queueMicrotaskToEventLoop(JSGlobalObject& object, Ref<JSC::Microtask>&& task)
{
JSWorkerGlobalScopeBase& thisObject = static_cast<JSWorkerGlobalScopeBase&>(object);
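Review bot: `JSWorkerGlobalScopeBase::reportViolationForUnsafeEval` forwards to the no-op `JSGlobalObject::reportViolationForUnsafeEval`, so a blocked eval inside a worker still produces no violation event or report, even though the WebCore ChangeLog lists `WorkerGlobalScope::setTimeout`/`setInterval` among the `allowEval` callers updated by this same patch. If leaving workers out is deliberate scope, please add a FIXME here naming the follow-up; otherwise consult the worker scope's policy the way `JSDOMWindowBase::reportViolationForUnsafeEval` does for the window. Style nit: `return` on a call to a `void` function is unnecessary; just call it.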
Modified: trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h 2021-10-05 19:12:27 UTC (rev 283566)
@@ -64,6 +64,7 @@
static JSC::RuntimeFlags _javascript_RuntimeFlags(const JSC::JSGlobalObject*);
static JSC::ScriptExecutionStatus scriptExecutionStatus(JSC::JSGlobalObject*, JSC::JSObject*);
static void queueMicrotaskToEventLoop(JSC::JSGlobalObject&, Ref<JSC::Microtask>&&);
+ static void reportViolationForUnsafeEval(JSC::JSGlobalObject*);
protected:
JSWorkerGlobalScopeBase(JSC::VM&, JSC::Structure*, RefPtr<WorkerGlobalScope>&&);
Modified: trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.cpp (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -57,6 +57,7 @@
&reportUncaughtExceptionAtEventLoop,
¤tScriptExecutionOwner,
&scriptExecutionStatus,
+ &reportViolationForUnsafeEval,
[] { return defaultLanguage(); },
#if ENABLE(WEBASSEMBLY)
&compileStreaming,
@@ -108,6 +109,11 @@
return jsCast<JSWorkletGlobalScopeBase*>(globalObject)->scriptExecutionContext()->jscScriptExecutionStatus();
}
+void JSWorkletGlobalScopeBase::reportViolationForUnsafeEval(JSC::JSGlobalObject* globalObject)
+{
+ return JSGlobalObject::reportViolationForUnsafeEval(globalObject);
+}
+
bool JSWorkletGlobalScopeBase::supportsRichSourceInfo(const JSGlobalObject* object)
{
return JSGlobalObject::supportsRichSourceInfo(object);
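Review bot: same remark as for the worker base: this forwards to the no-op default, so eval blocked in a worklet is never reported; a FIXME naming the follow-up would make the gap explicit. The `return` on the `void` call is unnecessary here as well.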
Modified: trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.h (283565 => 283566)
--- trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.h 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.h 2021-10-05 19:12:27 UTC (rev 283566)
@@ -61,6 +61,7 @@
static JSC::RuntimeFlags _javascript_RuntimeFlags(const JSC::JSGlobalObject*);
static JSC::ScriptExecutionStatus scriptExecutionStatus(JSC::JSGlobalObject*, JSC::JSObject*);
static void queueMicrotaskToEventLoop(JSC::JSGlobalObject&, Ref<JSC::Microtask>&&);
+ static void reportViolationForUnsafeEval(JSC::JSGlobalObject*);
protected:
JSWorkletGlobalScopeBase(JSC::VM&, JSC::Structure*, RefPtr<WorkletGlobalScope>&&);
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (283565 => 283566)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -1799,7 +1799,7 @@
// FIXME: Should this check really happen here? Or should it happen when code is about to eval?
if (action->type() == ScheduledAction::Type::Code) {
- if (!context->contentSecurityPolicy()->allowEval(&state))
+ if (!context->contentSecurityPolicy()->allowEval(&state, LogToConsole::Yes))
return 0;
}
@@ -1824,7 +1824,7 @@
// FIXME: Should this check really happen here? Or should it happen when code is about to eval?
if (action->type() == ScheduledAction::Type::Code) {
- if (!context->contentSecurityPolicy()->allowEval(&state))
+ if (!context->contentSecurityPolicy()->allowEval(&state, LogToConsole::Yes))
return 0;
}
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (283565 => 283566)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -507,14 +507,14 @@
return foundHashInEnforcedPolicies || allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, handleViolatedDirective, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle);
}
-bool ContentSecurityPolicy::allowEval(JSC::JSGlobalObject* state, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowEval(JSC::JSGlobalObject* state, LogToConsole shouldLogToConsole, bool overrideContentSecurityPolicy) const
{
if (overrideContentSecurityPolicy)
return true;
bool didNotifyInspector = false;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'");
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, state);
+ String consoleMessage = shouldLogToConsole == LogToConsole::Yes ?consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
+ reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "eval", consoleMessage, state);
if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
reportBlockedScriptExecutionToInspector(violatedDirective.text());
didNotifyInspector = true;
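Review bot: formatting in the new `consoleMessage` line: `LogToConsole::Yes ?consoleMessageForViolation(` is missing the space after `?`, and the line is long enough that putting the ternary's two branches on separate lines would read better. On the logic: with `LogToConsole::No` an empty `consoleMessage` reaches `reportViolation`, and per the ChangeLog `logToConsole` now drops empty strings, while the report, the `securitypolicyviolation` event and the inspector notification still fire; that is the intent, but a short comment at the call site saying the empty string means "do not log" would save the next reader a trip to `logToConsole`. Minor: `"eval"` is now passed where a `const String&` is expected, building a `String` on every violation; `"eval"_s` is the cheaper spelling.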
@@ -710,24 +710,24 @@
return static_cast<SecurityOriginData>(*m_selfSource).securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
}
-void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
{
// FIXME: Extract source file and source position from JSC::ExecState.
- return reportViolation(violatedDirective, effectiveViolatedDirective.text(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+ return reportViolation(violatedDirective, effectiveViolatedDirective.name().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
}
void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
{
// FIXME: Extract source file and source position from JSC::ExecState.
- return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+ return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL.string(), consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
}
void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
{
- return reportViolation(effectiveViolatedDirective, violatedDirective.name().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
+ return reportViolation(effectiveViolatedDirective, violatedDirective.name().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL.string(), consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
{
logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
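Review bot: the first `reportViolation` overload changes the violated-directive value from `effectiveViolatedDirective.text()` to `effectiveViolatedDirective.name().convertToASCIILowercase()`, which alters the `violated-directive` field of reports for every caller of this overload, not only the eval path. It does bring this overload in line with the `violatedDirective.name().convertToASCIILowercase()` already used by the overload below it, but it is a behaviour change that should be called out explicitly so the affected expectation updates can be checked against it.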
@@ -737,6 +737,7 @@
// FIXME: Support sending reports from worker.
CSPInfo info;
+ auto blockedURL = URL(URL(), blockedURLString);
info.documentURI = m_documentURL ? m_documentURL.value().strippedForUseAsReferrer() : deprecatedURLForReporting(blockedURL);
if (m_client)
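Review bot: `auto blockedURL = URL(URL(), blockedURLString);` reparses a string that the callers built with `blockedURL.string()` a moment earlier, and when the string is the `"eval"` sentinel the result is a relative, invalid URL that is then passed to `deprecatedURLForReporting(blockedURL)` on the next line whenever `m_documentURL` is empty. Consider carrying the `URL` and the sentinel separately (for example an `std::optional<URL>` plus a flag) so the sentinel never reaches `document-uri`, or at least guard that fallback on `blockedURL.isValid()`.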
@@ -763,7 +764,9 @@
ASSERT(m_client || is<Document>(m_scriptExecutionContext));
String blockedURI;
- if (preRedirectURL.isNull())
+ if (blockedURLString == "eval")
+ blockedURI = blockedURLString;
+ else if (preRedirectURL.isNull())
blockedURI = deprecatedURLForReporting(blockedURL);
else
blockedURI = deprecatedURLForReporting(preRedirectURL);
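Review bot: `if (blockedURLString == "eval")` compares against a bare literal that must stay in sync with the `"eval"` string passed in from `allowEval`; a shared named constant, or an enum covering the non-URL `blocked-uri` values the CSP spec defines (`inline`, `eval`), would keep the two from drifting. The comparison is safe today because real blocked URLs arrive here serialized from a `URL` and so are absolute, but that invariant is worth stating in a comment next to the check.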
@@ -914,6 +917,9 @@
void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, const WTF::OrdinalNumber& contextColumn, JSC::JSGlobalObject* state) const
{
+ if (message.isEmpty())
+ return;
+
if (!m_isReportingEnabled)
return;
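Review bot: the new `if (message.isEmpty()) return;` makes an empty message mean "log nothing", which is the mechanism `allowEval` relies on for `LogToConsole::No`, but nothing in this function says so. Add a comment stating that callers deliberately pass an empty message to suppress console output, or pass the `LogToConsole` flag through explicitly, so a future caller that accidentally builds an empty message does not silently lose its diagnostic.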
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (283565 => 283566)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-05 19:12:27 UTC (rev 283566)
@@ -60,6 +60,7 @@
struct ContentSecurityPolicyClient;
enum class ParserInserted : bool { No, Yes };
+enum class LogToConsole : bool { No, Yes };
typedef Vector<std::unique_ptr<ContentSecurityPolicyDirectiveList>> CSPDirectiveListVector;
@@ -98,7 +99,7 @@
bool allowNonParserInsertedScripts(const URL&, const String&, const StringView&, ParserInserted) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView styleContent, bool overrideContentSecurityPolicy = false) const;
- bool allowEval(JSC::JSGlobalObject*, bool overrideContentSecurityPolicy = false) const;
+ bool allowEval(JSC::JSGlobalObject*, LogToConsole, bool overrideContentSecurityPolicy = false) const;
bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false) const;
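Review bot: `allowEval` gains a required `LogToConsole` parameter ahead of the defaulted `overrideContentSecurityPolicy`, so every existing caller has to be updated, and no caller in this diff passes `LogToConsole::No`. A short comment on the declaration saying when suppressing the console message is appropriate (the violation report is still sent either way) would help future call sites choose correctly.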
@@ -216,10 +217,10 @@
using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(Predicate&&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
+ void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
+ void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
// We can never have both a script execution context and a ContentSecurityPolicyClient.
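Review bot: the last overload's parameter is named `blockedURL` here (`const String& blockedURL`) but `blockedURLString` in the definition; align the two. With the four overloads now mixing `const String&` and `const URL&` for the same conceptual argument, a brief comment on which overloads accept the non-URL `"eval"` sentinel and which require a real URL would make the API easier to use correctly.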
Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (283565 => 283566)
--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2021-10-05 18:48:10 UTC (rev 283565)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2021-10-05 19:12:27 UTC (rev 283566)
@@ -289,7 +289,7 @@
{
// FIXME: Should this check really happen here? Or should it happen when code is about to eval?
if (action->type() == ScheduledAction::Type::Code) {
- if (!contentSecurityPolicy()->allowEval(&state))
+ if (!contentSecurityPolicy()->allowEval(&state, LogToConsole::Yes))
return 0;
}
@@ -307,7 +307,7 @@
{
// FIXME: Should this check really happen here? Or should it happen when code is about to eval?
if (action->type() == ScheduledAction::Type::Code) {
- if (!contentSecurityPolicy()->allowEval(&state))
+ if (!contentSecurityPolicy()->allowEval(&state, LogToConsole::Yes))
return 0;
}
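Review bot: both call sites now pass `LogToConsole::Yes`, and the two blocks are identical down to the shared FIXME about where the check should live; factoring the `ScheduledAction::Type::Code` check and the `allowEval` call into one helper would keep the flag and the check location from diverging when the FIXME is eventually addressed.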