<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[185638] trunk/Source/WebInspectorUI</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/185638">185638</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2015-06-16 22:11:49 -0700 (Tue, 16 Jun 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Web Inspector: Inspector Scripts evaluated in the page should not be searchable
https://bugs.webkit.org/show_bug.cgi?id=146040

Patch by Joseph Pecoraro &lt;pecoraro@apple.com&gt; on 2015-06-16
Reviewed by Darin Adler.

Any script with a __WebInspector source URL will be hidden by the tools.
There were a number of ways the inspector could evaluate script on the page
without getting the sourceURL and therefore not getting hidden. Audit
all cases of Runtime.evaluate, Runtime.callFunctionOn, and
Debugger.evaluateOnCallFrame, to ensure we have an appropriate source URL.

* UserInterface/Base/Utilities.js:
(appendWebInspectorSourceURL):
Helper to append a __WebInspectorInternal__ sourceURL to a string that may
be evaluated directly on the inspected context.

* UserInterface/Controllers/DOMTreeManager.js:
(WebInspector.DOMTreeManager.domNodeResolved):
* UserInterface/Controllers/JavaScriptLogViewController.js:
(WebInspector.JavaScriptLogViewController.prototype.consolePromptTextCommitted): Deleted.
* UserInterface/Controllers/RuntimeManager.js:
* UserInterface/Models/DOMTree.js:
(WebInspector.DOMTree.prototype._requestRootDOMNode):
* UserInterface/Protocol/RemoteObject.js:
(WebInspector.RemoteObject.):
* UserInterface/Views/SourceCodeTextEditor.js:
(WebInspector.SourceCodeTextEditor.prototype._tokenTrackingControllerHighlightedJavaScriptExpression):
Ensure all cases that evaluate directly on the inspected page / context
have the internal source URL.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebInspectorUIChangeLog">trunk/Source/WebInspectorUI/ChangeLog</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceBaseUtilitiesjs">trunk/Source/WebInspectorUI/UserInterface/Base/Utilities.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceControllersDOMTreeManagerjs">trunk/Source/WebInspectorUI/UserInterface/Controllers/DOMTreeManager.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceControllersJavaScriptLogViewControllerjs">trunk/Source/WebInspectorUI/UserInterface/Controllers/JavaScriptLogViewController.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceControllersRuntimeManagerjs">trunk/Source/WebInspectorUI/UserInterface/Controllers/RuntimeManager.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceModelsDOMTreejs">trunk/Source/WebInspectorUI/UserInterface/Models/DOMTree.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceProtocolRemoteObjectjs">trunk/Source/WebInspectorUI/UserInterface/Protocol/RemoteObject.js</a></li>
<li><a href="#trunkSourceWebInspectorUIUserInterfaceViewsSourceCodeTextEditorjs">trunk/Source/WebInspectorUI/UserInterface/Views/SourceCodeTextEditor.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebInspectorUIChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/ChangeLog (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/ChangeLog        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/ChangeLog        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2015-06-16  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
+
+        Web Inspector: Inspector Scripts evaluated in the page should not be searchable
+        https://bugs.webkit.org/show_bug.cgi?id=146040
+
+        Reviewed by Darin Adler.
+
+        Any script with a __WebInspector source URL will be hidden by the tools.
+        There were a number of ways the inspector could evaluate script on the page
+        without getting the sourceURL and therefore not getting hidden. Audit
+        all cases of Runtime.evaluate, Runtime.callFunctionOn, and
+        Debugger.evaluateOnCallFrame, to ensure we have an appropriate source URL.
+
+        * UserInterface/Base/Utilities.js:
+        (appendWebInspectorSourceURL):
+        Helper to append a __WebInspectorInternal__ sourceURL to a string that may
+        be evaluated directly on the inspected context.
+
+        * UserInterface/Controllers/DOMTreeManager.js:
+        (WebInspector.DOMTreeManager.domNodeResolved):
+        * UserInterface/Controllers/JavaScriptLogViewController.js:
+        (WebInspector.JavaScriptLogViewController.prototype.consolePromptTextCommitted): Deleted.
+        * UserInterface/Controllers/RuntimeManager.js:
+        * UserInterface/Models/DOMTree.js:
+        (WebInspector.DOMTree.prototype._requestRootDOMNode):
+        * UserInterface/Protocol/RemoteObject.js:
+        (WebInspector.RemoteObject.):
+        * UserInterface/Views/SourceCodeTextEditor.js:
+        (WebInspector.SourceCodeTextEditor.prototype._tokenTrackingControllerHighlightedJavaScriptExpression):
+        Ensure all cases that evaluate directly on the inspected page / context
+        have the intenral source URL.
+
</ins><span class="cx"> 2015-06-16  Matt Baker  &lt;mattbaker@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Web Inspector: REGRESSION (r171645): up/down key navigation of timeline sidebar tree elements is broken when scope bar filters are applied
</span></span></pre></div>
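Review bot: the last line of the new ChangeLog entry misspells "internal" as "intenral". In the same entry, the RuntimeManager.js line names no function, the RemoteObject.js line has an empty function name "(WebInspector.RemoteObject.)", and consolePromptTextCommitted is marked Deleted although the JavaScriptLogViewController.js change only removes two lines and keeps the evaluateInInspectedWindow call. Listing the touched functions accurately makes the audit of evaluate sites easier to check against the diff.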
<a id="trunkSourceWebInspectorUIUserInterfaceBaseUtilitiesjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Base/Utilities.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Base/Utilities.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Base/Utilities.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -1007,6 +1007,11 @@
</span><span class="cx">     }
</span><span class="cx"> });
</span><span class="cx"> 
</span><ins>+function appendWebInspectorSourceURL(string)
+{
+    return string + &quot;\n//# sourceURL=__WebInspectorInternal__\n&quot;;
+}
+
</ins><span class="cx"> function isFunctionStringNativeCode(str)
</span><span class="cx"> {
</span><span class="cx">     return str.endsWith(&quot;{\n    [native code]\n}&quot;);
</span></span></pre></div>
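Review bot: appendWebInspectorSourceURL has no comment explaining why the name matters, and the string "__WebInspectorInternal__" is hardcoded in its return statement. Per the log message, the tools hide any script with a __WebInspector source URL, so a short comment stating that contract (or a shared constant used by both this helper and the hiding check) would keep the two from drifting apart. The helper also concatenates whatever it is given, so a non-string argument such as undefined becomes the text "undefined" followed by the directive; an assert on the argument type would surface a bad call site early.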
<a id="trunkSourceWebInspectorUIUserInterfaceControllersDOMTreeManagerjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Controllers/DOMTreeManager.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Controllers/DOMTreeManager.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Controllers/DOMTreeManager.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -597,7 +597,7 @@
</span><span class="cx">             // passing the DOMNode as the &quot;this&quot; reference.
</span><span class="cx">             var evalParameters = {
</span><span class="cx">                 objectId: remoteObject.objectId,
</span><del>-                functionDeclaration: backendFunction.toString(),
</del><ins>+                functionDeclaration: appendWebInspectorSourceURL(backendFunction.toString()),
</ins><span class="cx">                 doNotPauseOnExceptionsAndMuteConsole: true,
</span><span class="cx">                 returnByValue: false,
</span><span class="cx">                 generatePreview: false
</span></span></pre></div>
<a id="trunkSourceWebInspectorUIUserInterfaceControllersJavaScriptLogViewControllerjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Controllers/JavaScriptLogViewController.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Controllers/JavaScriptLogViewController.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Controllers/JavaScriptLogViewController.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -232,8 +232,6 @@
</span><span class="cx">             this._appendConsoleMessageView(commandResultMessageView, true);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        text += &quot;\n//# sourceURL=__WebInspectorConsole__\n&quot;;
-
</del><span class="cx">         WebInspector.runtimeManager.evaluateInInspectedWindow(text, &quot;console&quot;, true, false, false, true, true, printResult.bind(this));
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
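Review bot: removing the "__WebInspectorConsole__" line means console input no longer carries a console-specific source URL; it presumably picks up "__WebInspectorInternal__" from the line added in RuntimeManager.js, like every other inspector evaluation. If anything else matches on the exact name __WebInspectorConsole__, for example to tell user-typed console code apart from inspector-internal helpers, it will stop matching. Please confirm no such consumer remains, and mention the rename in the ChangeLog.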
<a id="trunkSourceWebInspectorUIUserInterfaceControllersRuntimeManagerjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Controllers/RuntimeManager.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Controllers/RuntimeManager.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Controllers/RuntimeManager.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -43,6 +43,8 @@
</span><span class="cx">             expression = &quot;this&quot;;
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        expression = appendWebInspectorSourceURL(expression);
+
</ins><span class="cx">         function evalCallback(error, result, wasThrown, savedResultIndex)
</span><span class="cx">         {
</span><span class="cx">             this.dispatchEventToListeners(WebInspector.RuntimeManager.Event.DidEvaluate);
</span></span></pre></div>
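Review bot: the added line overwrites the expression parameter, so any later use of expression in this function (for example when reporting what was evaluated) would see the text with the directive appended. The visible context does not show such a use, but SourceCodeTextEditor.js in this same patch keeps candidate.expression intact and puts the suffixed text in a separate local; doing the same here would rule the problem out.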
<a id="trunkSourceWebInspectorUIUserInterfaceModelsDOMTreejs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Models/DOMTree.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Models/DOMTree.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Models/DOMTree.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -210,7 +210,7 @@
</span><span class="cx">             // COMPATIBILITY (iOS 6): Execution context identifiers (contextId) did not exist
</span><span class="cx">             // in iOS 6. Fallback to including the frame identifier (frameId).
</span><span class="cx">             var contextId = this._frame.pageExecutionContext ? this._frame.pageExecutionContext.id : undefined;
</span><del>-            RuntimeAgent.evaluate.invoke({expression: &quot;document&quot;, objectGroup: &quot;&quot;, includeCommandLineAPI: false, doNotPauseOnExceptionsAndMuteConsole: true, contextId, frameId: this._frame.id, returnByValue: false, generatePreview: false}, rootObjectAvailable.bind(this));
</del><ins>+            RuntimeAgent.evaluate.invoke({expression: appendWebInspectorSourceURL(&quot;document&quot;), objectGroup: &quot;&quot;, includeCommandLineAPI: false, doNotPauseOnExceptionsAndMuteConsole: true, contextId, frameId: this._frame.id, returnByValue: false, generatePreview: false}, rootObjectAvailable.bind(this));
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebInspectorUIUserInterfaceProtocolRemoteObjectjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Protocol/RemoteObject.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Protocol/RemoteObject.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Protocol/RemoteObject.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -306,7 +306,8 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        RuntimeAgent.evaluate.invoke({expression:value, doNotPauseOnExceptionsAndMuteConsole:true}, evaluatedCallback.bind(this));
</del><ins>+        // FIXME: It doesn't look like setPropertyValue is used yet. This will need to be tested when it is again (editable ObjectTrees).
+        RuntimeAgent.evaluate.invoke({expression:appendWebInspectorSourceURL(value), doNotPauseOnExceptionsAndMuteConsole:true}, evaluatedCallback.bind(this));
</ins><span class="cx"> 
</span><span class="cx">         function evaluatedCallback(error, result, wasThrown)
</span><span class="cx">         {
</span><span class="lines">@@ -322,7 +323,7 @@
</span><span class="cx"> 
</span><span class="cx">             delete result.description; // Optimize on traffic.
</span><span class="cx"> 
</span><del>-            RuntimeAgent.callFunctionOn(this._objectId, setPropertyValue.toString(), [{value:name}, result], true, undefined, propertySetCallback.bind(this));
</del><ins>+            RuntimeAgent.callFunctionOn(this._objectId, appendWebInspectorSourceURL(setPropertyValue.toString()), [{value:name}, result], true, undefined, propertySetCallback.bind(this));
</ins><span class="cx"> 
</span><span class="cx">             if (result._objectId)
</span><span class="cx">                 RuntimeAgent.releaseObject(result._objectId);
</span><span class="lines">@@ -406,7 +407,7 @@
</span><span class="cx">         if (args)
</span><span class="cx">             args = args.map(WebInspector.RemoteObject.createCallArgument);
</span><span class="cx"> 
</span><del>-        RuntimeAgent.callFunctionOn(this._objectId, functionDeclaration.toString(), args, true, undefined, generatePreview, mycallback);
</del><ins>+        RuntimeAgent.callFunctionOn(this._objectId, appendWebInspectorSourceURL(functionDeclaration.toString()), args, true, undefined, generatePreview, mycallback);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     callFunctionJSON(functionDeclaration, args, callback)
</span><span class="lines">@@ -416,7 +417,7 @@
</span><span class="cx">             callback((error || wasThrown) ? null : result.value);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        RuntimeAgent.callFunctionOn(this._objectId, functionDeclaration.toString(), args, true, true, mycallback);
</del><ins>+        RuntimeAgent.callFunctionOn(this._objectId, appendWebInspectorSourceURL(functionDeclaration.toString()), args, true, true, mycallback);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     invokeGetter(getterRemoteObject, callback)
</span></span></pre></div>
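Review bot: the callFunctionOn call in callFunctionJSON repeats the appendWebInspectorSourceURL(functionDeclaration.toString()) wrapping that the previous hunk adds a few lines above, and the same pattern appears at the other call sites in this file. Because each site has to remember the wrapper, a future RuntimeAgent.callFunctionOn or RuntimeAgent.evaluate call can reintroduce an unlabelled script. Consider routing these through one helper that applies the source URL, so the guarantee lives in one place. Separately, the FIXME in the first hunk says the setPropertyValue path is untested; a bug link there would keep it from being forgotten.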
<a id="trunkSourceWebInspectorUIUserInterfaceViewsSourceCodeTextEditorjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebInspectorUI/UserInterface/Views/SourceCodeTextEditor.js (185637 => 185638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebInspectorUI/UserInterface/Views/SourceCodeTextEditor.js        2015-06-17 03:33:26 UTC (rev 185637)
+++ trunk/Source/WebInspectorUI/UserInterface/Views/SourceCodeTextEditor.js        2015-06-17 05:11:49 UTC (rev 185638)
</span><span class="lines">@@ -1384,13 +1384,15 @@
</span><span class="cx">             }
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        var expression = appendWebInspectorSourceURL(candidate.expression);
+
</ins><span class="cx">         if (WebInspector.debuggerManager.activeCallFrame) {
</span><del>-            DebuggerAgent.evaluateOnCallFrame.invoke({callFrameId: WebInspector.debuggerManager.activeCallFrame.id, expression: candidate.expression, objectGroup: &quot;popover&quot;, doNotPauseOnExceptionsAndMuteConsole: true}, populate.bind(this));
</del><ins>+            DebuggerAgent.evaluateOnCallFrame.invoke({callFrameId: WebInspector.debuggerManager.activeCallFrame.id, expression, objectGroup: &quot;popover&quot;, doNotPauseOnExceptionsAndMuteConsole: true}, populate.bind(this));
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // No call frame available. Use the main page's context.
</span><del>-        RuntimeAgent.evaluate.invoke({expression: candidate.expression, objectGroup: &quot;popover&quot;, doNotPauseOnExceptionsAndMuteConsole: true}, populate.bind(this));
</del><ins>+        RuntimeAgent.evaluate.invoke({expression, objectGroup: &quot;popover&quot;, doNotPauseOnExceptionsAndMuteConsole: true}, populate.bind(this));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     _tokenTrackingControllerHighlightedJavaScriptTypeInformation(candidate)
</span></span></pre>
</div>
</div>

</body>
</html>