<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[193939] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/193939">193939</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2015-12-10 18:08:31 -0800 (Thu, 10 Dec 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>[CSP] eval() is not blocked for stringified literals
https://bugs.webkit.org/show_bug.cgi?id=152158
&lt;rdar://problem/15775625&gt;

Reviewed by Saam Barati.

Source/JavaScriptCore:

Fixes an issue where stringified literals can be eval()ed despite being disallowed by
Content Security Policy of the page.

* interpreter/Interpreter.cpp:
(JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
and return undefined.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval): Ditto.

LayoutTests:

Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be
more comprehensive.

Add tests to ensure that we block eval() from within an external JavaScript script when the
policy of the page disallows eval() and that we block eval() inside a subframe that disallows
eval() when the page in the main frame allows eval().

* http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked.html:
* http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinexternalscriptexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinexternalscripthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinsubframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinsubframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesevalblockedinexternalscriptjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/LayoutTests/ChangeLog        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2015-12-10  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        [CSP] eval() is not blocked for stringified literals
+        https://bugs.webkit.org/show_bug.cgi?id=152158
+        &lt;rdar://problem/15775625&gt;
+
+        Reviewed by Saam Barati.
+
+        Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be
+        more comprehensive.
+
+        Add tests to ensure that we block eval() from within an external JavaScript script when the
+        policy of the page disallows eval() and that we block eval() inside a subframe that disallows
+        eval() when the page in the main frame allows eval().
+
+        * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added.
+
</ins><span class="cx"> 2015-12-10  Brady Eidson  &lt;beidson@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Modern IDB: storage/indexeddb/delete-in-upgradeneeded-close-in-versionchange.html fails
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -1,5 +1,37 @@
</span><del>-CONSOLE MESSAGE: line 12: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</del><ins>+CONSOLE MESSAGE: line 14: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> CONSOLE MESSAGE: line 15: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</span><span class="cx"> 
</span><ins>+CONSOLE MESSAGE: line 32: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</ins><span class="cx"> 
</span><ins>+CONSOLE MESSAGE: line 33: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 34: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 35: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 36: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 37: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 39: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 40: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 41: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 42: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 43: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 44: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 45: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 46: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 47: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinexternalscriptexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt (0 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: line 1: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinexternalscripthtmlfromrev193938trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html (from rev 193938, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html) (0 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' 'unsafe-inline'&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;script src=&quot;resources/eval-blocked-in-external-script.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinsubframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt (0 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -0,0 +1,44 @@
</span><ins>+CONSOLE MESSAGE: line 14: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 15: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 32: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 33: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 34: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 35: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 36: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 37: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 39: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 40: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 41: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 42: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 43: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 44: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 45: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 46: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+CONSOLE MESSAGE: line 47: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
+
+Tests that eval() is blocked in a subframe that disallows eval() when the parent frame allows eval().
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedinsubframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html (0 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that eval() is blocked in a subframe that disallows eval() when the parent frame allows eval().&lt;/p&gt;
+&lt;iframe src=&quot;eval-blocked.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
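<p>Review bot: the description in the body says the parent frame allows eval(), but the parent document never calls eval() itself, so that premise is not tested and the test would still pass if eval() were refused everywhere. Add a script in the parent that evaluates a string and prints the result, so the expected output records the parent succeeding alongside the subframe being refused.</p>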
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyevalblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -5,14 +5,45 @@
</span><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner)
</span><span class="cx">     testRunner.dumpAsText();
</span><ins>+
+var dummy = 79;
</ins><span class="cx"> &lt;/script&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><del>-&lt;script&gt;
-eval(&quot;alert('FAIL (1 of 2)')&quot;);
-&lt;/script&gt;
-&lt;script&gt;
-window.eval(&quot;alert('FAIL (2 of 2)')&quot;);
-&lt;/script&gt;
</del><ins>+&lt;!-- eval() string literal &quot;alert()&quot; --&gt;
+&lt;script&gt;eval(&quot;alert('FAIL')&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;alert('FAIL')&quot;)&lt;/script&gt;
+&lt;!-- eval() non-string literal (should be allowed) --&gt;
+&lt;script&gt;eval(0)&lt;/script&gt;
+&lt;script&gt;window.eval(0)&lt;/script&gt;
+&lt;script&gt;eval(1)&lt;/script&gt;
+&lt;script&gt;window.eval(1)&lt;/script&gt;
+&lt;script&gt;eval(7)&lt;/script&gt;
+&lt;script&gt;window.eval(7)&lt;/script&gt;
+&lt;script&gt;eval(3.14)&lt;/script&gt;
+&lt;script&gt;window.eval(3.14)&lt;/script&gt;
+&lt;script&gt;eval(true)&lt;/script&gt;
+&lt;script&gt;window.eval(true)&lt;/script&gt;
+&lt;script&gt;eval(false)&lt;/script&gt;
+&lt;script&gt;window.eval(false)&lt;/script&gt;
+&lt;script&gt;eval(Function)&lt;/script&gt;
+&lt;script&gt;window.eval(Function)&lt;/script&gt;
+&lt;!-- eval() string literal --&gt;
+&lt;script&gt;eval(&quot;&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;0&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;0&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;1&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;1&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;2.73&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;2.73&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;true&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;true&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;false&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;false&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;Object&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;Object&quot;)&lt;/script&gt;
+&lt;script&gt;eval(&quot;dummy&quot;)&lt;/script&gt;
+&lt;script&gt;window.eval(&quot;dummy&quot;)&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
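<p>Review bot: the cases under the comment "eval() non-string literal (should be allowed)" assert nothing; they pass only by producing no console message, which is also what the output would look like if those script elements never ran. Have each allowed case print its result (for example, log that eval(0) returned 0) so the expected file records a positive outcome. The two alert('FAIL') cases also lost their "(1 of 2)" and "(2 of 2)" labels, so a regression would no longer say which of the two calls got through.</p>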
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesevalblockedinexternalscriptjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js (0 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+eval(&quot;'FAIL'&quot;);
</ins></span></pre></div>
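<p>Review bot: eval("'FAIL'") on the single added line evaluates to a string that is then discarded, so if the policy check regressed this test would print nothing instead of FAIL and the only signal would be a missing console message. Use eval("alert('FAIL')") as eval-blocked.html does, so that a leak shows up in the dumped output.</p>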
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2015-12-10  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        [CSP] eval() is not blocked for stringified literals
+        https://bugs.webkit.org/show_bug.cgi?id=152158
+        &lt;rdar://problem/15775625&gt;
+
+        Reviewed by Saam Barati.
+
+        Fixes an issue where stringified literals can be eval()ed despite being disallowed by
+        Content Security Policy of the page.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
+        and return undefined.
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncEval): Ditto.
+
</ins><span class="cx"> 2015-12-10  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Fix jsc symlink creation on iOS
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -144,8 +144,13 @@
</span><span class="cx">     JSValue program = callFrame-&gt;argument(0);
</span><span class="cx">     if (!program.isString())
</span><span class="cx">         return program;
</span><del>-    
</del><ins>+
</ins><span class="cx">     TopCallFrameSetter topCallFrame(callFrame-&gt;vm(), callFrame);
</span><ins>+    JSGlobalObject* globalObject = callFrame-&gt;lexicalGlobalObject();
+    if (!globalObject-&gt;evalEnabled()) {
+        callFrame-&gt;vm().throwException(callFrame, createEvalError(callFrame, globalObject-&gt;evalDisabledErrorMessage()));
+        return jsUndefined();
+    }
</ins><span class="cx">     String programSource = asString(program)-&gt;value(callFrame);
</span><span class="cx">     if (callFrame-&gt;hadException())
</span><span class="cx">         return JSValue();
</span></span></pre></div>
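<p>Review bot: the new early exit in JSC::eval returns jsUndefined() after throwing, while the existing exception path just below it (if (callFrame-&gt;hadException()) return JSValue();) returns an empty JSValue. Use the same return on both paths, or add a comment saying why the blocked case hands back undefined, so a later cleanup does not change one to match the other. The check also sits after the !program.isString() return, which is what keeps eval(0) and eval(Function) allowed; a one-line comment stating that this ordering is intentional would protect it.</p>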
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (193938 => 193939)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp        2015-12-11 02:06:59 UTC (rev 193938)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp        2015-12-11 02:08:31 UTC (rev 193939)
</span><span class="lines">@@ -567,6 +567,12 @@
</span><span class="cx">     if (!x.isString())
</span><span class="cx">         return JSValue::encode(x);
</span><span class="cx"> 
</span><ins>+    JSGlobalObject* globalObject = exec-&gt;lexicalGlobalObject();
+    if (!globalObject-&gt;evalEnabled()) {
+        exec-&gt;vm().throwException(exec, createEvalError(exec, globalObject-&gt;evalDisabledErrorMessage()));
+        return JSValue::encode(jsUndefined());
+    }
+
</ins><span class="cx">     String s = x.toString(exec)-&gt;value(exec);
</span><span class="cx"> 
</span><span class="cx">     if (s.is8Bit()) {
</span></span></pre>
</div>
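<p>Review bot: this block in globalFuncEval repeats the check added to JSC::eval in Interpreter.cpp (lexicalGlobalObject(), evalEnabled(), createEvalError() with evalDisabledErrorMessage()), so the two policy gates can drift apart when one is changed. Consider a small shared helper that takes the call frame, throws the EvalError and reports whether eval() is blocked, and call it from both places.</p>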
</div>

</body>
</html>