Title: [119913] trunk
Revision: 119913
Author: [email protected]
Date: 2012-06-09 12:35:02 -0700 (Sat, 09 Jun 2012)

Log Message

Can't use eval in iframes sandboxed via CSP header
https://bugs.webkit.org/show_bug.cgi?id=88450

Reviewed by Mihai Parparita.

Source/WebCore:

The initial empty document in a frame inherits the security context of
its parent (including the CSP policy).  When we load the real document,
in some cases we'll do a "secure transition" to the new document.  That
means that we leave the global object in place in case the parent
document has created any properties that it expects will be visible to
the new document.

If the parent document has a CSP policy that blocks eval, the "no eval"
bit will be set on the global object of the initial document.  When we
perform a "secure transition" to the new document, we'll keep the bit,
which is wrong.  In this patch, we reset the bit by always enabling
eval when clearing the context, regardless of whether we're performing
a "secure transition".

Test: http/tests/security/contentSecurityPolicy/iframe-inside-csp.html

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::enableEval):
(WebCore):
* bindings/js/ScriptController.h:
(ScriptController):
* bindings/v8/ScriptController.cpp:
(WebCore::ScriptController::enableEval):
(WebCore):
(WebCore::ScriptController::disableEval):
* bindings/v8/ScriptController.h:
(ScriptController):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::clear):

LayoutTests:

* http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-inside-csp.html: Added.
* http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (119912 => 119913)


--- trunk/LayoutTests/ChangeLog	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/LayoutTests/ChangeLog	2012-06-09 19:35:02 UTC (rev 119913)
@@ -1,3 +1,14 @@
+2012-06-09  Adam Barth  <[email protected]>
+
+        Can't use eval in iframes sanbdoxed via CSP header
+        https://bugs.webkit.org/show_bug.cgi?id=88450
+
+        Reviewed by Mihai Parparita.
+
+        * http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-inside-csp.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: Added.
+
 2012-06-09  Christophe Dumez  <[email protected]>
 
         [EFL] skip new tests added in r119883
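Review bot: the entry line "Can't use eval in iframes sanbdoxed via CSP header" carries a typo ("sanbdoxed" for "sandboxed") copied from the bug title; fix it in this ChangeLog entry and in the matching Source/WebCore/ChangeLog entry before landing.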

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt (0 => 119913)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt	2012-06-09 19:35:02 UTC (rev 119913)
@@ -0,0 +1,3 @@
+ALERT: PASS (1/2): Script can execute
+ALERT: PASS (2/2): Eval works
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html (0 => 119913)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html	2012-06-09 19:35:02 UTC (rev 119913)
@@ -0,0 +1,3 @@
+<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<script src=""
+<iframe src=""
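Review bot: as rendered here the src attributes of both the <script> and the <iframe> element are empty, so the page as shown loads no harness and no child document and could never produce the two ALERT lines in iframe-inside-csp-expected.txt; confirm that the iframe references resources/sandboxed-eval.php (added in this commit) and that the script sets up the text dump the expected file relies on. Note also that the only parent policy exercised is script-src 'self' without 'unsafe-eval', which is the one that sets the "no eval" bit on the initial document.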

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php (0 => 119913)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php	2012-06-09 19:35:02 UTC (rev 119913)
@@ -0,0 +1,10 @@
+<?php
+header("X-WebKit-CSP: sandbox allow-scripts");
+?>
+<script>
+alert('PASS (1/2): Script can execute');
+</script>
+<script>
+eval("alert('PASS (2/2): Eval works')");
+</script>
+Done.
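Review bot: this resource only checks the positive direction, that a child served with its own policy (sandbox allow-scripts, which carries no script-src directive and so does not restrict eval) regains eval after the parent's script-src 'self' policy blocked it on the initial empty document. There is no companion case asserting that a child whose own X-WebKit-CSP header omits 'unsafe-eval' still has eval disabled once FrameLoader::clear() unconditionally re-enables it; add that negative test so the fix cannot regress into leaking eval to a frame whose own policy forbids it. The trailing "Done." text does not appear in the expected output, which is consistent only if the parent frame alone is dumped as text; worth confirming against the harness the test loads.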

Modified: trunk/Source/WebCore/ChangeLog (119912 => 119913)


--- trunk/Source/WebCore/ChangeLog	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/ChangeLog	2012-06-09 19:35:02 UTC (rev 119913)
@@ -1,3 +1,40 @@
+2012-06-09  Adam Barth  <[email protected]>
+
+        Can't use eval in iframes sanbdoxed via CSP header
+        https://bugs.webkit.org/show_bug.cgi?id=88450
+
+        Reviewed by Mihai Parparita.
+
+        The initial empty document in a frame inherits the security context of
+        its parent (including the CSP policy).  When we load the real document,
+        in some cases we'll do a "secure transition" to the new document.  That
+        means that we leave the global object in place in case the parent
+        document has created any properties that it expects will be visible to
+        the new document.
+
+        If the parent document has a CSP policy that blocks eval, the "no eval"
+        bit will be set on the global object of the initial document.  When we
+        perform a "secure transition" to the new document, we'll keep the bit,
+        which is wrong.  In this patch, we reset the bit by always enabling
+        eval when clearing the context, regardless of whether we're performing
+        a "secure transition".
+
+        Test: http/tests/security/contentSecurityPolicy/iframe-inside-csp.html
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::enableEval):
+        (WebCore):
+        * bindings/js/ScriptController.h:
+        (ScriptController):
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::enableEval):
+        (WebCore):
+        (WebCore::ScriptController::disableEval):
+        * bindings/v8/ScriptController.h:
+        (ScriptController):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::clear):
+
 2012-06-09  Pablo Flouret  <[email protected]>
 
         The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
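Review bot: the same "sanbdoxed" typo as in the LayoutTests ChangeLog appears in this entry's title line; correct it here too. The entry lists (WebCore::ScriptController::disableEval) under bindings/v8 but the description never says what changed in disableEval(), so the V8 context-lookup refactor in that function is undocumented; add a sentence explaining it.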

Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (119912 => 119913)


--- trunk/Source/WebCore/bindings/js/ScriptController.cpp	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp	2012-06-09 19:35:02 UTC (rev 119913)
@@ -233,6 +233,14 @@
     return TextPosition::minimumPosition();
 }
 
+void ScriptController::enableEval()
+{
+    JSDOMWindowShell* windowShell = existingWindowShell(mainThreadNormalWorld());
+    if (!windowShell)
+        return; // Eval is enabled by default.
+    windowShell->window()->setEvalEnabled(true);
+}
+
 void ScriptController::disableEval()
 {
     windowShell(mainThreadNormalWorld())->window()->setEvalEnabled(false);
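Review bot: enableEval() returns early when no window shell exists on the strength of the comment "Eval is enabled by default", while disableEval() forces shell creation through windowShell(); nothing enforces that invariant. If a later change creates windows with eval disabled, enableEval() silently becomes a no-op and the bug this patch fixes returns. Consider an ASSERT on the new window's eval state where the shell is created, and cite bug 88450 in the comment so the asymmetry between the two functions is understood.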

Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (119912 => 119913)


--- trunk/Source/WebCore/bindings/js/ScriptController.h	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h	2012-06-09 19:35:02 UTC (rev 119913)
@@ -104,6 +104,7 @@
 
     WTF::TextPosition eventHandlerPosition() const;
 
+    void enableEval();
     void disableEval();
 
     static bool processingUserGesture();

Modified: trunk/Source/WebCore/bindings/v8/ScriptController.cpp (119912 => 119913)


--- trunk/Source/WebCore/bindings/v8/ScriptController.cpp	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/bindings/v8/ScriptController.cpp	2012-06-09 19:35:02 UTC (rev 119913)
@@ -279,13 +279,25 @@
     return m_proxy->windowShell()->isContextInitialized();
 }
 
+void ScriptController::enableEval()
+{
+    // We don't call initContextIfNeeded because contexts have eval enabled by default.
+
+    v8::HandleScope handleScope;
+    v8::Handle<v8::Context> v8Context = proxy()->windowShell()->context();
+    if (v8Context.IsEmpty())
+        return;
+
+    v8Context->AllowCodeGenerationFromStrings(true);
+}
+
 void ScriptController::disableEval()
 {
-    if (!m_proxy->windowShell()->initContextIfNeeded())
+    if (!proxy()->windowShell()->initContextIfNeeded())
         return;
 
     v8::HandleScope handleScope;
-    v8::Handle<v8::Context> v8Context = V8Proxy::mainWorldContext(m_frame);
+    v8::Handle<v8::Context> v8Context = proxy()->windowShell()->context();
     if (v8Context.IsEmpty())
         return;
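Review bot: the switch in disableEval() from V8Proxy::mainWorldContext(m_frame) to proxy()->windowShell()->context() is a behaviour-affecting refactor bundled into a bug fix and not explained in the ChangeLog; either state that the two calls yield the same main-world context or split it into its own change so it can be reviewed on its own. In enableEval(), skipping initContextIfNeeded rests on the same unenforced "eval enabled by default" assumption as the JSC side, and AllowCodeGenerationFromStrings(true) is applied only to the main-world context, matching disableEval(); both points belong in the comment.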
 

Modified: trunk/Source/WebCore/bindings/v8/ScriptController.h (119912 => 119913)


--- trunk/Source/WebCore/bindings/v8/ScriptController.h	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/bindings/v8/ScriptController.h	2012-06-09 19:35:02 UTC (rev 119913)
@@ -126,6 +126,7 @@
     // Check if the _javascript_ engine has been initialized.
     bool haveInterpreter() const;
 
+    void enableEval();
     void disableEval();
 
     static bool canAccessFromCurrentOrigin(Frame*);

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (119912 => 119913)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2012-06-09 19:14:27 UTC (rev 119912)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2012-06-09 19:35:02 UTC (rev 119913)
@@ -540,6 +540,8 @@
     if (clearScriptObjects)
         m_frame->script()->clearScriptObjects();
 
+    m_frame->script()->enableEval();
+
     m_frame->navigationScheduler()->clear();
 
     m_checkTimer.stop();
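Review bot: the new m_frame->script()->enableEval() call is unconditional and uncommented, so a reader of clear() cannot tell that it is undoing the "no eval" bit the initial empty document inherited from the parent's CSP, before the new document's own policy is applied; that reasoning lives only in the ChangeLog. Add a short comment citing bug 88450, and note that correctness now depends on the new document's policy calling disableEval() after clear() has run; a test that a child with its own eval-blocking policy stays blocked would pin that ordering.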
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
