Title: [181925] trunk
Revision
181925
Author
[email protected]
Date
2015-03-24 18:28:28 -0700 (Tue, 24 Mar 2015)

Log Message

Scripts running in an isolated world should not be subject to a page's CSP about 'eval'.
https://bugs.webkit.org/show_bug.cgi?id=141316.

Patch by Zhuo Li <[email protected]> on 2015-03-24
Reviewed by Geoffrey Garen.

Source/WebCore:

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::initScript):
We should not impose the main world Content Security Policy onto the isolated world.

LayoutTests:

I added a new Content Security Policy directive, "script-src", so that we do not
allow 'unsafe-eval' in the main world.

Also I have to copy the whole function instead of using eval because
eval is subject to the main world Content Security Policy now.

* http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
* http/tests/security/isolatedWorld/bypass-main-world-csp.html:
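The log message relies on two facts about CSP that the diff shows only by their effect: the test's original policy, `img-src 'none'`, says nothing about eval, so eval was allowed in the main world, and adding `script-src 'unsafe-inline'` (with no `'unsafe-eval'`) is what makes the main world refuse it. As an added example, not part of this commit and not WebKit's code, the JavaScript below models that decision the way WebCore's `allowEval()` makes it (script-src governs; otherwise default-src; otherwise eval is allowed), rebuilds the EvalError text seen in the expected-output diff, and adds the per-world switch this patch introduces. The function names, the `{ isNormal }` world object and the sample policies are assumptions made for the example.

```javascript
// Added example (not this commit's code and not WebKit's): a small model of the
// CSP decision behind ContentSecurityPolicy::allowEval() for the main world,
// plus the per-world switch this patch introduces. Function names, the world
// object shape ({ isNormal }) and the sample policies are assumptions made for
// the example; the error message text mirrors the console line in the
// expected-output diff.

// Parse a serialized policy (CSP header value or <meta http-equiv> content)
// into Map<directiveName, sourceTokens>. Names are case-insensitive and the
// first occurrence of a directive wins; duplicates are ignored per the spec.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Keyword sources such as 'unsafe-eval' match case-insensitively, quotes included.
function hasKeyword(sourceList, keyword) {
  return sourceList.some((token) => token.toLowerCase() === keyword);
}

// Decide whether eval()/Function() is allowed by the policy. The fallback
// chain is what made the test page's original policy permissive:
//   script-src present  -> it governs eval;
//   only default-src    -> default-src governs;
//   neither             -> eval is allowed (img-src 'none' says nothing about it).
function allowEval(serialized) {
  const directives = parsePolicy(serialized);
  let governing = null;
  if (directives.has('script-src')) governing = 'script-src';
  else if (directives.has('default-src')) governing = 'default-src';
  if (governing === null) return { allowed: true, governingDirective: null };
  return {
    allowed: hasKeyword(directives.get(governing), "'unsafe-eval'"),
    governingDirective: governing,
  };
}

// The message WebKit reports as an EvalError when eval is refused, rebuilt
// from the governing directive's own text; null when eval is allowed.
function evalDisabledErrorMessage(serialized) {
  const { allowed, governingDirective } = allowEval(serialized);
  if (allowed) return null;
  const directiveText = [governingDirective, ...parsePolicy(serialized).get(governingDirective)].join(' ');
  return "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " +
    'not an allowed source of script in the following Content Security Policy ' +
    `directive: "${directiveText}".`;
}

// The per-world decision from the patched ScriptController::initScript():
// a non-normal (isolated) world gets eval regardless of the page's policy,
// the normal (main) world gets whatever the policy says.
function evalEnabledForWorld(world, serialized) {
  if (!world.isNormal) return true;
  return allowEval(serialized).allowed;
}

// Walk the policies that matter for the test page (constructed samples).
function demonstrate() {
  const policies = [
    "img-src 'none'",                                      // test's policy before this change
    "img-src 'none'; script-src 'unsafe-inline'",          // test's policy after this change
    "default-src 'self'",                                  // default-src fallback
    "default-src 'self'; script-src 'self' 'unsafe-eval'", // script-src wins over default-src
  ];
  return policies.map((policy) => ({
    policy,
    mainWorld: evalEnabledForWorld({ isNormal: true }, policy),
    isolatedWorld: evalEnabledForWorld({ isNormal: false }, policy),
    message: evalDisabledErrorMessage(policy),
  }));
}

for (const row of demonstrate()) console.log(row);
```

Run it with `node`; the second row is the test page's new policy, where the main world's `eval("true")` is refused with exactly the message in the expected output while the isolated world is unaffected. The model treats a duplicated directive name as the spec does (first occurrence wins), which is a detail worth remembering when reading a page's effective policy off a header.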

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (181924 => 181925)


--- trunk/LayoutTests/ChangeLog	2015-03-25 01:18:18 UTC (rev 181924)
+++ trunk/LayoutTests/ChangeLog	2015-03-25 01:28:28 UTC (rev 181925)
@@ -1,3 +1,19 @@
+2015-03-24  Zhuo Li  <[email protected]>
+
+        Scripts running in isolated world should not subject to a page's CSP about 'eval'.
+        https://bugs.webkit.org/show_bug.cgi?id=141316.
+
+        Reviewed by Geoffrey Garen.
+
+        I added a new Content Security Policy directive, "script-src", so that we do not
+        allow 'unsafe-eval' in the main world.
+
+        Also I have to copy the whole function instead of using eval because
+        eval is subject to the main world Content Security Policy now.
+
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
+        * http/tests/security/isolatedWorld/bypass-main-world-csp.html:
+
 2015-03-24  Joseph Pecoraro  <[email protected]>
 
         ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance

Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt (181924 => 181925)


--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt	2015-03-25 01:18:18 UTC (rev 181924)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt	2015-03-25 01:28:28 UTC (rev 181925)
@@ -2,6 +2,10 @@
 
 ALERT: BLOCKED in main world
 ALERT: LOADED in isolated world
+CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+ALERT: BLOCKED eval() in main world
+ALERT: Called eval() in isolated world
 This test ensures that scripts run in isolated worlds aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like.
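Review bot: the new CONSOLE MESSAGE line pins the EvalError to "line 38" of bypass-main-world-csp.html, so any later edit that moves the eval("true") call inside callEval() by a single line fails this test for reasons unrelated to CSP; that is the cost of logging the whole error object with console.log(error), and is acceptable, but either the ChangeLog should say so or the test could alert error.name only and keep the line number out of the expectation. The message text itself is the right thing to assert on: naming "script-src 'unsafe-inline'" as the directive shows the refusal comes from the clause added to the meta policy and not from img-src 'none'.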
 
 

Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html (181924 => 181925)


--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html	2015-03-25 01:18:18 UTC (rev 181924)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html	2015-03-25 01:28:28 UTC (rev 181925)
@@ -1,14 +1,14 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'">
 <script>
     if (window.testRunner) {
         testRunner.dumpAsText();
         testRunner.waitUntilDone();
     }
 
-    tests = 2;
+    tests = 4;
     window.addEventListener("message", function(message) {
         tests -= 1;
         test();
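Review bot: the policy change on the <meta> line is the load-bearing part of this test and deserves a comment in the file: eval() is refused in the main world only because script-src is now present without 'unsafe-eval', and 'unsafe-inline' is there solely so the page's own inline <script> keeps running; a reader skimming `content="img-src 'none'; script-src 'unsafe-inline'"` can easily take 'unsafe-inline' for the thing under test. Also, `tests = 4` is still an implicit global (no var), which was already true of `tests = 2`, so it is not introduced here, but the line is being touched anyway.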
@@ -29,12 +29,30 @@
             img.src = ""
         }
 
+        function callEval(isolated) {
+            try { 
+                eval("true");
+                alert('Called eval() in ' + (isolated ? "isolated world" : "main world"));
+                window.postMessage("next", "*");
+            } catch (error) {
+                console.log(error);
+                alert('BLOCKED eval() in ' + (isolated ? "isolated world" : "main world"));
+                window.postMessage("next", "*");
+            }
+        }
+
         switch (tests) {
-            case 2:
+            case 4:
                 setImgSrc(false);
                 break;
+            case 3:
+                testRunner.evaluateScriptInIsolatedWorld(1, String(setImgSrc) + "\nsetImgSrc(true);");
+                break;
+            case 2:
+                callEval(false);
+                break;
             case 1:
-                testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
+                testRunner.evaluateScriptInIsolatedWorld(1, String(callEval) + "\ncallEval(true);");
                 break;
             case 0:
                 testRunner.notifyDone();
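Review bot: callEval() only exercises direct eval("true"); the Function constructor and string arguments to setTimeout are governed by the same 'unsafe-eval' keyword, and a `new Function("return true")()` probe in the same try block would show whether the isolated-world bypass covers them as well. Two smaller points: `case 3` now copies setImgSrc with String(setImgSrc) instead of the old String(eval("setImgSrc")), which is required because under the new policy that eval would throw before the isolated-world case is reached, and that reason belongs in a one-line comment next to the case; and the `try { ` line at the top of callEval carries trailing whitespace.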

Modified: trunk/Source/WebCore/ChangeLog (181924 => 181925)


--- trunk/Source/WebCore/ChangeLog	2015-03-25 01:18:18 UTC (rev 181924)
+++ trunk/Source/WebCore/ChangeLog	2015-03-25 01:28:28 UTC (rev 181925)
@@ -1,3 +1,14 @@
+2015-03-24  Zhuo Li  <[email protected]>
+
+        Scripts running in isolated world should not subject to a page's CSP about 'eval'.
+        https://bugs.webkit.org/show_bug.cgi?id=141316.
+
+        Reviewed by Geoffrey Garen.
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::initScript):
+        We should not impose the main world Content Security Policy onto the isolated world.
+
 2015-03-24  Chris Dumez  <[email protected]>
 
         [Mac] Use .cpp file extension instead of .mm for SharedTimerCF and PowerObserverMac

Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (181924 => 181925)


--- trunk/Source/WebCore/bindings/js/ScriptController.cpp	2015-03-25 01:18:18 UTC (rev 181924)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp	2015-03-25 01:28:28 UTC (rev 181925)
@@ -253,8 +253,13 @@
 
     windowShell->window()->updateDocument();
 
-    if (m_frame.document())
-        windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
+    if (m_frame.document()) {
+        bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
+        if (shouldBypassMainWorldContentSecurityPolicy)
+            windowShell->window()->setEvalEnabled(true);
+        else
+            windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
+    }
 
     if (Page* page = m_frame.page()) {
         attachDebugger(windowShell, page->debugger());
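Review bot: `!world.isNormal()` turns eval on unconditionally for every non-normal DOMWrapperWorld, not only for the extension worlds the test description mentions, so a page's CSP no longer has any say over eval in any isolated world; that matches the ChangeLog's intent, but the bypass site should carry a comment saying so, because a reader of initScript() alone cannot tell that isolated worlds already bypass the rest of the page's CSP (the existing resource-load case in bypass-main-world-csp.html) and that this merely brings eval into line with that. Structurally, the `if (m_frame.document())` guard is needed only for the CSP lookup in the else branch, and the two setEvalEnabled() calls could collapse into one by computing `bool evalEnabled = !world.isNormal() || csp->allowEval(0, ContentSecurityPolicy::SuppressReport)` with a local `csp`, passing `csp->evalDisabledErrorMessage()` in both cases since it is only consulted when eval is disabled.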
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
