Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 152e920a5ac26047b9103bd750367343205e7752
      
https://github.com/WebKit/WebKit/commit/152e920a5ac26047b9103bd750367343205e7752
  Author: Luke Warlow <[email protected]>
  Date:   2024-12-16 (Mon, 16 Dec 2024)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-csp-tt-default-policy-mutate-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-csp-tt-no-default-policy-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-function-constructor-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-function-constructor.html
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-with-permissive-csp-expected.txt
    M Source/JavaScriptCore/API/JSAPIGlobalObject.cpp
    M Source/JavaScriptCore/API/JSAPIGlobalObject.mm
    M Source/JavaScriptCore/debugger/DebuggerEvalEnabler.h
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/jsc.cpp
    M Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp
    M Source/JavaScriptCore/runtime/FunctionConstructor.cpp
    M Source/JavaScriptCore/runtime/GlobalObjectMethodTable.h
    M Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
    M Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
    M Source/WebCore/bindings/js/JSDOMGlobalObject.cpp
    M Source/WebCore/bindings/js/JSDOMGlobalObject.h
    M Source/WebCore/bindings/js/JSDOMWindowBase.cpp
    M Source/WebCore/bindings/js/JSDOMWindowBase.h
    M Source/WebCore/bindings/js/JSShadowRealmGlobalScopeBase.cpp
    M Source/WebCore/bindings/js/JSShadowRealmGlobalScopeBase.h
    M Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp
    M Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h
    M Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.cpp
    M Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.h
    M Source/WebCore/dom/TrustedType.cpp
    M Source/WebCore/dom/TrustedType.h

  Log Message:
  -----------
  Implement trusted types enforcement on Function constructor
https://bugs.webkit.org/show_bug.cgi?id=273187

Reviewed by Yusuke Suzuki.

This patch adds trusted types enforcement to the Function constructor as well as updating the eval implementation.

The canCompileStrings global method table function no longer takes a JSValue argument, this is because it is now only called for untrusted input from eval.

The implementation of TT enforcement for both direct and indirect eval is updated to do more work in JSC. The structure of the TrustedScript type is used by JSC to determine if an object should be evaluated, rather than always calling codeForEval. Only if the structures don't match is codeForEval called, this can happen if someone changes the instance properties such as for polyfills.

The canCompileStrings call is now only done if the input is known to be untrusted (raw string rather than TrustedScript argument).

The Function constructor is now also updated such that when TT enforcement is enabled through CSP, similar logic comparing the arguments to the TrustedScript structure is used. If not all of the arguments match the structure then they're not trusted so we fallback to calling canCompileStrings, with a new ArgList argument.

The ArgList is used to check if the arguments are modified trusted script objects, which are accepted providing the stringifier isn't modified.

DebuggerEvalEnabler is also updated to disable trusted types and re-enable it, so that web inspector can continue working on sites with TT enforced.

* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-clips-sample.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-csp-tt-default-policy-mutate-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-csp-tt-no-default-policy-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-function-constructor-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-function-constructor.html:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/eval-with-permissive-csp-expected.txt:
* Source/JavaScriptCore/API/JSAPIGlobalObject.cpp:
(JSC::JSAPIGlobalObject::globalObjectMethodTable):
* Source/JavaScriptCore/API/JSAPIGlobalObject.mm:
(JSC::JSAPIGlobalObject::globalObjectMethodTable):
* Source/JavaScriptCore/debugger/DebuggerEvalEnabler.h:
(JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
(JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
* Source/JavaScriptCore/jsc.cpp:
* Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
* Source/JavaScriptCore/runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
* Source/JavaScriptCore/runtime/GlobalObjectMethodTable.h:
* Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::createImpl):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::baseGlobalObjectMethodTable):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayIteratorStructure const):
(JSC::JSGlobalObject::trustedScriptStructure):
(JSC::JSGlobalObject::reportViolationForUnsafeEval):
(JSC::JSGlobalObject::canCompileStrings):
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:
(WebCore::JSDOMGlobalObject::codeForEval):
(WebCore::JSDOMGlobalObject::canCompileStrings):
(WebCore::JSDOMGlobalObject::trustedScriptStructure):
* Source/WebCore/bindings/js/JSDOMGlobalObject.h:
* Source/WebCore/bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::globalObjectMethodTable):
(WebCore::JSDOMWindowBase::reportViolationForUnsafeEval):
(WebCore::JSDOMWindowBase::codeForEval): Deleted.
(WebCore::JSDOMWindowBase::canCompileStrings): Deleted.
* Source/WebCore/bindings/js/JSDOMWindowBase.h:
* Source/WebCore/bindings/js/JSShadowRealmGlobalScopeBase.cpp:
(WebCore::JSShadowRealmGlobalScopeBase::globalObjectMethodTable):
(WebCore::JSShadowRealmGlobalScopeBase::reportViolationForUnsafeEval):
(WebCore::JSShadowRealmGlobalScopeBase::codeForEval): Deleted.
(WebCore::JSShadowRealmGlobalScopeBase::canCompileStrings): Deleted.
* Source/WebCore/bindings/js/JSShadowRealmGlobalScopeBase.h:
* Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp:
(WebCore::JSWorkerGlobalScopeBase::globalObjectMethodTable):
(WebCore::JSWorkerGlobalScopeBase::reportViolationForUnsafeEval):
(WebCore::JSWorkerGlobalScopeBase::codeForEval): Deleted.
(WebCore::JSWorkerGlobalScopeBase::canCompileStrings): Deleted.
* Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h:
* Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.cpp:
(WebCore::JSWorkletGlobalScopeBase::globalObjectMethodTable):
(WebCore::JSWorkletGlobalScopeBase::reportViolationForUnsafeEval):
(WebCore::JSWorkletGlobalScopeBase::codeForEval): Deleted.
(WebCore::JSWorkletGlobalScopeBase::canCompileStrings): Deleted.
* Source/WebCore/bindings/js/JSWorkletGlobalScopeBase.h:
* Source/WebCore/dom/TrustedType.cpp:
(WebCore::canCompile):
* Source/WebCore/dom/TrustedType.h:
* Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations: Remove TrustedType.cpp because the file has been fixed.

Canonical link: https://commits.webkit.org/287909@main
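A JavaScript model of the compile gate the commit message describes, added here as an example and not WebKit's own code: a pristine TrustedScript (structure matches) passes without any policy call, a modified TrustedScript whose stringifier is intact is still accepted on the fallback path, and anything else is handed to the default policy or rejected. The TrustedScript class, the `defaultPolicy` object and the function names are this example's own assumptions.

```javascript
// Hypothetical stand-in for the platform TrustedScript type (not WebCore's).
class TrustedScript {
  #code;
  constructor(code) { this.#code = String(code); }
  toString() { return this.#code; }
}
const pristineToString = TrustedScript.prototype.toString;

// "Structure matches": an unmodified instance, i.e. the original prototype and
// no added own properties (private fields do not show up in ownKeys).
function matchesTrustedScriptStructure(v) {
  return v instanceof TrustedScript
    && Object.getPrototypeOf(v) === TrustedScript.prototype
    && Reflect.ownKeys(v).length === 0;
}

// Fallback (models canCompileStrings with its ArgList): reached only when some
// argument is not a pristine TrustedScript. A modified TrustedScript is accepted
// as long as its stringifier is the original; everything else goes through the
// default policy's createScript, and is rejected when no policy exists.
function canCompileStrings(args, defaultPolicy) {
  return args.map((arg) => {
    if (arg instanceof TrustedScript && arg.toString === pristineToString)
      return String(arg);
    if (!defaultPolicy)
      throw new EvalError("Trusted Types: string compilation blocked by CSP");
    const out = defaultPolicy.createScript(String(arg));
    if (!(out instanceof TrustedScript))
      throw new EvalError("Trusted Types: default policy rejected the script");
    return String(out);
  });
}

// Gate shared by eval(x) (args = [x]) and new Function(p1, ..., body).
// Returns the source strings to compile, or throws when compilation is blocked.
function ensureCompilable(args, { enforce, defaultPolicy = null }) {
  if (!enforce) return args.map(String);            // no CSP enforcement
  if (args.every(matchesTrustedScriptStructure))      // all trusted: no policy call
    return args.map(String);
  return canCompileStrings(args, defaultPolicy);      // untrusted input present
}
```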

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes