<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196242] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196242">196242</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-07 14:26:46 -0800 (Sun, 07 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=153622
<rdar://problem/24400023>
Source/WebCore:
Reviewed by Gavin Barraclough.
Fixes an issue where Web Workers initiated from an isolated world (say, a Safari Content Script Extension)
would be subject to the Content Security Policy of the page.
Currently code in an isolated world that does not execute in a Web Worker is exempt from the CSP of
the page. However, code that runs inside a Web Worker that was initiated from an isolated world is
subject to the CSP of the page. Instead, such Web Worker code should also be exempt from the CSP of
the page.
Tests: http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html
http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html
http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html
* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect): Modified to ask the script execution context whether to bypass the
main world Content Security Policy now that script execution context knows this information.
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy): Deleted; moved logic from here...
* bindings/js/ScriptController.h:
* dom/Document.cpp:
(WebCore::Document::shouldBypassMainWorldContentSecurityPolicy): ...to here.
* dom/Document.h:
* dom/ScriptExecutionContext.h:
(WebCore::ScriptExecutionContext::shouldBypassMainWorldContentSecurityPolicy): Added; defaults to false -
do not bypass the main world Content Security Policy.
* page/EventSource.cpp:
(WebCore::EventSource::create): Modified to ask the script execution context whether to bypass the
main world Content Security Policy now that script execution context knows this information.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy): Deleted.
* page/csp/ContentSecurityPolicy.h:
* workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::resolveURL): Bypass the main world Content Security Policy if applicable.
Added FIXME comment to enforce the child-src directive of the document's CSP (as opposed to the script-src
directive) on the worker's script URL. Also, scriptExecutionContext()->contentSecurityPolicy() should
always be non-null just as we expect scriptExecutionContext()->securityOrigin() to be non-null. Assert
this invariant to catch cases where a ScriptExecutionContext is not properly initialized.
* workers/DedicatedWorkerGlobalScope.cpp:
(WebCore::DedicatedWorkerGlobalScope::create): Modified to take boolean argument shouldBypassMainWorldContentSecurityPolicy
as to whether to bypass the main world Content Security Policy and only apply the Content Security
Policy headers when shouldBypassMainWorldContentSecurityPolicy is false.
(WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
as to whether to bypass the main world Content Security Policy.
* workers/DedicatedWorkerGlobalScope.h:
* workers/DedicatedWorkerThread.cpp:
(WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto.
(WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto.
* workers/DedicatedWorkerThread.h:
* workers/Worker.cpp:
(WebCore::Worker::create): Store whether we should bypass the main world Content Security Policy so
that we can pass it to WorkerMessagingProxy::startWorkerGlobalScope() in Worker::notifyFinished().
We need to store this decision here as opposed to determining it at any later time (say, in Worker::notifyFinished())
because it is dependent on the current JavaScript program stack at the time this function is invoked.
(WebCore::Worker::notifyFinished): Pass whether to bypass the main world Content Security Policy.
* workers/Worker.h:
* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::WorkerGlobalScope): Modified to take a boolean as to whether to bypass the
main world Content Security Policy and store it in a member field. Also, always instantiate a Content
Security Policy object as our current code assumes that one is always created.
* workers/WorkerGlobalScope.h:
* workers/WorkerGlobalScopeProxy.h:
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
as to whether to bypass the main world Content Security Policy.
* workers/WorkerMessagingProxy.h:
* workers/WorkerThread.cpp:
(WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Modified to take a boolean argument as to
whether to bypass the main world Content Security Policy and store it in a member field.
(WebCore::WorkerThread::WorkerThread): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
as to whether to bypass the main world Content Security Policy.
(WebCore::WorkerThread::workerThread): Ditto.
* workers/WorkerThread.h:
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open): Modified to ask the script execution context whether to bypass the
main world Content Security Policy now that script execution context knows this information.
LayoutTests:
Reviewed by Gavin Barraclough and Andy Estes.
Add tests to ensure that a Web Worker initiated from an isolated world can bypass the main world
Content Security Policy.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModuleswebsocketsWebSocketcpp">trunk/Source/WebCore/Modules/websockets/WebSocket.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsScriptControllercpp">trunk/Source/WebCore/bindings/js/ScriptController.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsScriptControllerh">trunk/Source/WebCore/bindings/js/ScriptController.h</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoredomDocumenth">trunk/Source/WebCore/dom/Document.h</a></li>
<li><a href="#trunkSourceWebCoredomScriptExecutionContexth">trunk/Source/WebCore/dom/ScriptExecutionContext.h</a></li>
<li><a href="#trunkSourceWebCorepageEventSourcecpp">trunk/Source/WebCore/page/EventSource.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersAbstractWorkercpp">trunk/Source/WebCore/workers/AbstractWorker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerGlobalScopecpp">trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerGlobalScopeh">trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerThreadcpp">trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerThreadh">trunk/Source/WebCore/workers/DedicatedWorkerThread.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkercpp">trunk/Source/WebCore/workers/Worker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerh">trunk/Source/WebCore/workers/Worker.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopecpp">trunk/Source/WebCore/workers/WorkerGlobalScope.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopeh">trunk/Source/WebCore/workers/WorkerGlobalScope.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopeProxyh">trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerMessagingProxycpp">trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerMessagingProxyh">trunk/Source/WebCore/workers/WorkerMessagingProxy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerThreadcpp">trunk/Source/WebCore/workers/WorkerThread.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerThreadh">trunk/Source/WebCore/workers/WorkerThread.h</a></li>
<li><a href="#trunkSourceWebCorexmlXMLHttpRequestcpp">trunk/Source/WebCore/xml/XMLHttpRequest.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobevalexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobevalhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobxhrexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobxhrhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/LayoutTests/ChangeLog 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2016-02-07 Daniel Bates <dabates@apple.com>
+
+ CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
+ https://bugs.webkit.org/show_bug.cgi?id=153622
+ <rdar://problem/24400023>
+
+ Reviewed by Gavin Barraclough and Andy Estes.
+
+ Add tests to ensure that a Web Worker initiated from an isolated world can bypass the main world
+ Content Security Policy.
+
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Added.
+
</ins><span class="cx"> 2016-02-07 Carlos Garcia Campos <cgarcia@igalia.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION(r195661): [GTK] Scrollbar tests crashing after overlay scrollbar groundwork
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobevalexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to call eval().
+
+PASS worker called eval().
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobevalhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to call <code>eval()</code>.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var script = [
+ 'try {',
+ ' eval("1 + 0");',
+ ' self.postMessage("PASS worker called eval().");',
+ '} catch (exception) {',
+ ' self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");',
+ '}',
+ ].join("\n");
+
+ var worker;
+ try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobxhrexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to make an XHR request.
+
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobxhrhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,55 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'none'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to make an XHR request.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var script = [
+ 'var exception;',
+ 'var xhr;',
+ 'try {',
+ ' var isAsynchronous = false;',
+ ' xhr = new XMLHttpRequest;',
+ ' xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", isAsynchronous);',
+ ' xhr.send();',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'if (exception)',
+ ' self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");',
+ 'else',
+ ' self.postMessage(xhr.response);',
+ ].join("\n");
+
+ var worker;
+ try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to be instantiated with a script URL not listed in the CSP of the page.
+
+PASS worker instantiated.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (0 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -0,0 +1,39 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Add child-src 'none' once we implement the child-src directive. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to be instantiated with a script URL not listed in the CSP of the page.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker.php?type=alert-pass");
+ window.postMessage("PASS worker instantiated.", "*");
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/ChangeLog 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -1,3 +1,86 @@
</span><ins>+2016-02-07 Daniel Bates <dabates@apple.com>
+
+ CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
+ https://bugs.webkit.org/show_bug.cgi?id=153622
+ <rdar://problem/24400023>
+
+ Reviewed by Gavin Barraclough.
+
+ Fixes an issue where Web Workers initiated from an isolated world (say, a Safari Content Script Extension)
+ would be subject to the Content Security Policy of the page.
+
+ Currently code in an isolated world that does not execute in a Web Worker is exempt from the CSP of
+ the page. However, code that runs inside a Web Worker that was initiated from an isolated world is
+ subject to the CSP of the page. Instead, such Web Worker code should also be exempt from the CSP of
+ the page.
+
+ Tests: http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html
+
+ * Modules/websockets/WebSocket.cpp:
+ (WebCore::WebSocket::connect): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy): Deleted; moved logic from here...
+ * bindings/js/ScriptController.h:
+ * dom/Document.cpp:
+ (WebCore::Document::shouldBypassMainWorldContentSecurityPolicy): ...to here.
+ * dom/Document.h:
+ * dom/ScriptExecutionContext.h:
+ (WebCore::ScriptExecutionContext::shouldBypassMainWorldContentSecurityPolicy): Added; defaults to false -
+ do not bypass the main world Content Security Policy.
+ * page/EventSource.cpp:
+ (WebCore::EventSource::create): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy): Deleted.
+ * page/csp/ContentSecurityPolicy.h:
+ * workers/AbstractWorker.cpp:
+ (WebCore::AbstractWorker::resolveURL): Bypass the main world Content Security Policy if applicable.
+ Added FIXME comment to enforce the child-src directive of the document's CSP (as opposed to the script-src
+ directive) on the worker's script URL. Also, scriptExecutionContext()->contentSecurityPolicy() should
+ always be non-null just as we expect scriptExecutionContext()->securityOrigin() to be non-null. Assert
+ this invariant to catch cases where a ScriptExecutionContext is not properly initialized.
+ * workers/DedicatedWorkerGlobalScope.cpp:
+ (WebCore::DedicatedWorkerGlobalScope::create): Modified to take boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy and only apply the Content Security
+ Policy headers when shouldBypassMainWorldContentSecurityPolicy is false.
+ (WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ * workers/DedicatedWorkerGlobalScope.h:
+ * workers/DedicatedWorkerThread.cpp:
+ (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto.
+ (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto.
+ * workers/DedicatedWorkerThread.h:
+ * workers/Worker.cpp:
+ (WebCore::Worker::create): Store whether we should bypass the main world Content Security Policy so
+ that we can pass it to WorkerMessagingProxy::startWorkerGlobalScope() in Worker::notifyFinished().
+ We need to store this decision here as opposed to determining it at any later time (say, in Worker::notifyFinished())
+ because it is dependent on the current JavaScript program stack at the time this function is invoked.
+ (WebCore::Worker::notifyFinished): Pass whether to bypass the main world Content Security Policy.
+ * workers/Worker.h:
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::WorkerGlobalScope): Modified to take a boolean as to whether to bypass the
+ main world Content Security Policy and store it in a member field. Also, always instantiate a Content
+ Security Policy object as our current code assumes that one is always created.
+ * workers/WorkerGlobalScope.h:
+ * workers/WorkerGlobalScopeProxy.h:
+ * workers/WorkerMessagingProxy.cpp:
+ (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ * workers/WorkerMessagingProxy.h:
+ * workers/WorkerThread.cpp:
+ (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Modified to take a boolean argument as to
+ whether to bypass the main world Content Security Policy and store it in a member field.
+ (WebCore::WorkerThread::WorkerThread): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ (WebCore::WorkerThread::workerThread): Ditto.
+ * workers/WorkerThread.h:
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::open): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+
</ins><span class="cx"> 2016-02-07 Dan Bernstein <mitz@apple.com>
</span><span class="cx">
</span><span class="cx"> [Cocoa] Replace __has_include guards around inclusion of Apple-internal-SDK headers with USE(APPLE_INTERNAL_SDK)
</span></span></pre></div>
<a id="trunkSourceWebCoreModuleswebsocketsWebSocketcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/websockets/WebSocket.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -238,8 +238,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
</span><del>- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, shouldBypassMainWorldContentSecurityPolicy)) {
</del><ins>+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
</ins><span class="cx"> m_state = CLOSED;
</span><span class="cx">
</span><span class="cx"> // FIXME: Should this be throwing an exception?
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsScriptControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -519,17 +519,6 @@
</span><span class="cx"> return evaluateInWorld(sourceCode, world);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool ScriptController::shouldBypassMainWorldContentSecurityPolicy()
-{
- CallFrame* callFrame = JSDOMWindow::commonVM().topCallFrame;
- if (callFrame == CallFrame::noCaller())
- return false;
- DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame);
- if (domWrapperWorld.isNormal())
- return false;
- return true;
-}
-
</del><span class="cx"> bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
</span><span class="cx"> {
</span><span class="cx"> if (m_frame.document() && m_frame.document()->isSandboxed(SandboxScripts)) {
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsScriptControllerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/ScriptController.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -166,8 +166,6 @@
</span><span class="cx"> WEBCORE_EXPORT NPObject* windowScriptNPObject();
</span><span class="cx"> #endif
</span><span class="cx">
</span><del>- bool shouldBypassMainWorldContentSecurityPolicy();
-
</del><span class="cx"> private:
</span><span class="cx"> WEBCORE_EXPORT JSDOMWindowShell* initScript(DOMWrapperWorld&);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -2431,6 +2431,17 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool Document::shouldBypassMainWorldContentSecurityPolicy() const
+{
+ JSC::CallFrame* callFrame = JSDOMWindow::commonVM().topCallFrame;
+ if (callFrame == JSC::CallFrame::noCaller())
+ return false;
+ DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame);
+ if (domWrapperWorld.isNormal())
+ return false;
+ return true;
+}
+
</ins><span class="cx"> void Document::platformSuspendOrStopActiveDOMObjects()
</span><span class="cx"> {
</span><span class="cx"> #if PLATFORM(IOS)
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/Document.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -603,6 +603,7 @@
</span><span class="cx"> void prepareForDestruction();
</span><span class="cx">
</span><span class="cx"> // Override ScriptExecutionContext methods to do additional work
</span><ins>+ bool shouldBypassMainWorldContentSecurityPolicy() const override final;
</ins><span class="cx"> virtual void suspendActiveDOMObjects(ActiveDOMObject::ReasonForSuspension) override final;
</span><span class="cx"> virtual void resumeActiveDOMObjects(ActiveDOMObject::ReasonForSuspension) override final;
</span><span class="cx"> virtual void stopActiveDOMObjects() override final;
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptExecutionContexth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptExecutionContext.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -82,6 +82,8 @@
</span><span class="cx">
</span><span class="cx"> virtual SecurityOrigin* topOrigin() const = 0;
</span><span class="cx">
</span><ins>+ virtual bool shouldBypassMainWorldContentSecurityPolicy() const { return false; }
+
</ins><span class="cx"> PublicURLManager& publicURLManager();
</span><span class="cx">
</span><span class="cx"> // Active objects are not garbage collected even if inaccessible, e.g. because their activity may result in callbacks being invoked.
</span></span></pre></div>
<a id="trunkSourceWebCorepageEventSourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/EventSource.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/EventSource.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/EventSource.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -85,8 +85,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
</span><del>- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(context);
- if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, shouldBypassMainWorldContentSecurityPolicy)) {
</del><ins>+ if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, context.shouldBypassMainWorldContentSecurityPolicy())) {
</ins><span class="cx"> // FIXME: Should this be throwing an exception?
</span><span class="cx"> ec = SECURITY_ERR;
</span><span class="cx"> return nullptr;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -1775,15 +1775,5 @@
</span><span class="cx"> return false;
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><del>-
-bool ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext& context)
-{
- if (is<Document>(context)) {
- auto& document = downcast<Document>(context);
- return document.frame() && document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
- }
</del><span class="cx">
</span><del>- return false;
</del><span class="cx"> }
</span><del>-
-}
</del></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -102,8 +102,6 @@
</span><span class="cx">
</span><span class="cx"> bool experimentalFeaturesEnabled() const;
</span><span class="cx">
</span><del>- static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
-
</del><span class="cx"> // The following functions are used by internal data structures to call back into this object when parsing, validating,
</span><span class="cx"> // and applying a Content Security Policy.
</span><span class="cx"> // FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersAbstractWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -62,7 +62,10 @@
</span><span class="cx"> return URL();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (scriptExecutionContext()->contentSecurityPolicy() && !scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL)) {
</del><ins>+ // FIXME: Enforce the child-src directive instead of script-src per <https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers> (29 August 2015).
+ // See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
+ ASSERT(scriptExecutionContext()->contentSecurityPolicy());
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
</ins><span class="cx"> ec = SECURITY_ERR;
</span><span class="cx"> return URL();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -40,15 +40,16 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
</del><ins>+Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
</ins><span class="cx"> {
</span><del>- Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, topOrigin));
- context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders);
</del><ins>+ Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, shouldBypassMainWorldContentSecurityPolicy, topOrigin));
+ if (!shouldBypassMainWorldContentSecurityPolicy)
+ context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders);
</ins><span class="cx"> return context;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, PassRefPtr<SecurityOrigin> topOrigin)
- : WorkerGlobalScope(url, userAgent, thread, topOrigin)
</del><ins>+DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
+ : WorkerGlobalScope(url, userAgent, thread, shouldBypassMainWorldContentSecurityPolicy, topOrigin)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerGlobalScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx"> class DedicatedWorkerGlobalScope : public WorkerGlobalScope {
</span><span class="cx"> public:
</span><span class="cx"> typedef WorkerGlobalScope Base;
</span><del>- static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin);
</del><ins>+ static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
</ins><span class="cx"> virtual ~DedicatedWorkerGlobalScope();
</span><span class="cx">
</span><span class="cx"> virtual bool isDedicatedWorkerGlobalScope() const override { return true; }
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx"> DedicatedWorkerThread& thread();
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- DedicatedWorkerGlobalScope(const URL&, const String& userAgent, DedicatedWorkerThread&, PassRefPtr<SecurityOrigin> topOrigin);
</del><ins>+ DedicatedWorkerGlobalScope(const URL&, const String& userAgent, DedicatedWorkerThread&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerThreadcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -38,8 +38,8 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
- : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, topOrigin)
</del><ins>+DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
+ : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin)
</ins><span class="cx"> , m_workerObjectProxy(workerObjectProxy)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -48,9 +48,9 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
</del><ins>+Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
</ins><span class="cx"> {
</span><del>- return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, topOrigin);
</del><ins>+ return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DedicatedWorkerThread::runEventLoop()
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerThreadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -48,11 +48,11 @@
</span><span class="cx"> WorkerObjectProxy& workerObjectProxy() const { return m_workerObjectProxy; }
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) override;
</del><ins>+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin) override;
</ins><span class="cx"> virtual void runEventLoop() override;
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</del><ins>+ DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> WorkerObjectProxy& m_workerObjectProxy;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/Worker.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -87,6 +87,8 @@
</span><span class="cx"> if (scriptURL.isEmpty())
</span><span class="cx"> return nullptr;
</span><span class="cx">
</span><ins>+ worker->m_shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
+
</ins><span class="cx"> // The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners.
</span><span class="cx"> worker->setPendingActivity(worker.ptr());
</span><span class="cx">
</span><span class="lines">@@ -166,7 +168,7 @@
</span><span class="cx"> dispatchEvent(Event::create(eventNames().errorEvent, false, true));
</span><span class="cx"> else {
</span><span class="cx"> const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders = m_contentSecurityPolicyResponseHeaders ? m_contentSecurityPolicyResponseHeaders.value() : scriptExecutionContext()->contentSecurityPolicy()->responseHeaders();
</span><del>- m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, DontPauseWorkerGlobalScopeOnStart);
</del><ins>+ m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, m_shouldBypassMainWorldContentSecurityPolicy, DontPauseWorkerGlobalScopeOnStart);
</ins><span class="cx"> InspectorInstrumentation::scriptImported(scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script());
</span><span class="cx"> }
</span><span class="cx"> m_scriptLoader = nullptr;
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/Worker.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -86,6 +86,7 @@
</span><span class="cx"> RefPtr<WorkerScriptLoader> m_scriptLoader;
</span><span class="cx"> WorkerGlobalScopeProxy* m_contextProxy; // The proxy outlives the worker to perform thread shutdown.
</span><span class="cx"> Optional<ContentSecurityPolicyResponseHeaders> m_contentSecurityPolicyResponseHeaders;
</span><ins>+ bool m_shouldBypassMainWorldContentSecurityPolicy { false };
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -62,12 +62,13 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-WorkerGlobalScope::WorkerGlobalScope(const URL& url, const String& userAgent, WorkerThread& thread, PassRefPtr<SecurityOrigin> topOrigin)
</del><ins>+WorkerGlobalScope::WorkerGlobalScope(const URL& url, const String& userAgent, WorkerThread& thread, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
</ins><span class="cx"> : m_url(url)
</span><span class="cx"> , m_userAgent(userAgent)
</span><span class="cx"> , m_script(std::make_unique<WorkerScriptController>(this))
</span><span class="cx"> , m_thread(thread)
</span><span class="cx"> , m_closing(false)
</span><ins>+ , m_shouldBypassMainWorldContentSecurityPolicy(shouldBypassMainWorldContentSecurityPolicy)
</ins><span class="cx"> , m_eventQueue(*this)
</span><span class="cx"> , m_topOrigin(topOrigin)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -67,6 +67,8 @@
</span><span class="cx">
</span><span class="cx"> virtual void disableEval(const String& errorMessage) override;
</span><span class="cx">
</span><ins>+ bool shouldBypassMainWorldContentSecurityPolicy() const override final { return m_shouldBypassMainWorldContentSecurityPolicy; }
+
</ins><span class="cx"> WorkerScriptController* script() { return m_script.get(); }
</span><span class="cx"> void clearScript() { m_script = nullptr; }
</span><span class="cx">
</span><span class="lines">@@ -130,7 +132,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, PassRefPtr<SecurityOrigin> topOrigin);
</del><ins>+ WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
</ins><span class="cx"> void applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders&);
</span><span class="cx">
</span><span class="cx"> virtual void logExceptionToConsole(const String& errorMessage, const String& sourceURL, int lineNumber, int columnNumber, RefPtr<Inspector::ScriptCallStack>&&) override;
</span><span class="lines">@@ -159,6 +161,7 @@
</span><span class="cx"> WorkerThread& m_thread;
</span><span class="cx">
</span><span class="cx"> bool m_closing;
</span><ins>+ bool m_shouldBypassMainWorldContentSecurityPolicy;
</ins><span class="cx">
</span><span class="cx"> HashSet<Observer*> m_workerObservers;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopeProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx">
</span><span class="cx"> virtual ~WorkerGlobalScopeProxy() { }
</span><span class="cx">
</span><del>- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) = 0;
</del><ins>+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode) = 0;
</ins><span class="cx">
</span><span class="cx"> virtual void terminateWorkerGlobalScope() = 0;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerMessagingProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -72,12 +72,12 @@
</span><span class="cx"> || (is<WorkerGlobalScope>(*m_scriptExecutionContext) && currentThread() == downcast<WorkerGlobalScope>(*m_scriptExecutionContext).thread().threadID()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, WorkerThreadStartMode startMode)
</del><ins>+void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode startMode)
</ins><span class="cx"> {
</span><span class="cx"> // FIXME: This need to be revisited when we support nested worker one day
</span><span class="cx"> ASSERT(m_scriptExecutionContext);
</span><span class="cx"> Document& document = downcast<Document>(*m_scriptExecutionContext);
</span><del>- RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, document.topOrigin());
</del><ins>+ RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, document.topOrigin());
</ins><span class="cx"> workerThreadCreated(thread);
</span><span class="cx"> thread->start();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerMessagingProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -52,7 +52,7 @@
</span><span class="cx">
</span><span class="cx"> // Implementations of WorkerGlobalScopeProxy.
</span><span class="cx"> // (Only use these methods in the worker object thread.)
</span><del>- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) override;
</del><ins>+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode) override;
</ins><span class="cx"> virtual void terminateWorkerGlobalScope() override;
</span><span class="cx"> virtual void postMessageToWorkerGlobalScope(PassRefPtr<SerializedScriptValue>, std::unique_ptr<MessagePortChannelArray>) override;
</span><span class="cx"> virtual bool hasPendingActivity() const override;
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerThreadcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerThread.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -70,31 +70,33 @@
</span><span class="cx"> struct WorkerThreadStartupData {
</span><span class="cx"> WTF_MAKE_NONCOPYABLE(WorkerThreadStartupData); WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>- WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</del><ins>+ WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> URL m_scriptURL;
</span><span class="cx"> String m_userAgent;
</span><span class="cx"> String m_sourceCode;
</span><span class="cx"> WorkerThreadStartMode m_startMode;
</span><span class="cx"> ContentSecurityPolicyResponseHeaders m_contentSecurityPolicyResponseHeaders;
</span><ins>+ bool m_shouldBypassMainWorldContentSecurityPolicy;
</ins><span class="cx"> RefPtr<SecurityOrigin> m_topOrigin;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
</del><ins>+WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
</ins><span class="cx"> : m_scriptURL(scriptURL.isolatedCopy())
</span><span class="cx"> , m_userAgent(userAgent.isolatedCopy())
</span><span class="cx"> , m_sourceCode(sourceCode.isolatedCopy())
</span><span class="cx"> , m_startMode(startMode)
</span><span class="cx"> , m_contentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders.isolatedCopy())
</span><ins>+ , m_shouldBypassMainWorldContentSecurityPolicy(shouldBypassMainWorldContentSecurityPolicy)
</ins><span class="cx"> , m_topOrigin(topOrigin ? &topOrigin->isolatedCopy().get() : nullptr)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
</del><ins>+WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
</ins><span class="cx"> : m_threadID(0)
</span><span class="cx"> , m_workerLoaderProxy(workerLoaderProxy)
</span><span class="cx"> , m_workerReportingProxy(workerReportingProxy)
</span><del>- , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, topOrigin))
</del><ins>+ , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin))
</ins><span class="cx"> #if ENABLE(NOTIFICATIONS) || ENABLE(LEGACY_NOTIFICATIONS)
</span><span class="cx"> , m_notificationClient(0)
</span><span class="cx"> #endif
</span><span class="lines">@@ -144,7 +146,7 @@
</span><span class="cx">
</span><span class="cx"> {
</span><span class="cx"> LockHolder lock(m_threadCreationMutex);
</span><del>- m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_topOrigin.release());
</del><ins>+ m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_shouldBypassMainWorldContentSecurityPolicy, m_startupData->m_topOrigin.release());
</ins><span class="cx">
</span><span class="cx"> if (m_runLoop.terminated()) {
</span><span class="cx"> // The worker was terminated before the thread had a chance to run. Since the context didn't exist yet,
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerThreadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerThread.h (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerThread.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerThread.h 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -68,10 +68,10 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</del><ins>+ WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> // Factory method for creating a new worker context for the thread.
</span><del>- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) = 0;
</del><ins>+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin) = 0;
</ins><span class="cx">
</span><span class="cx"> // Executes the event loop for the worker thread. Derived classes can override to perform actions before/after entering the event loop.
</span><span class="cx"> virtual void runEventLoop();
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXMLHttpRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (196241 => 196242)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-07 22:26:46 UTC (rev 196242)
</span><span class="lines">@@ -498,8 +498,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
</span><del>- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, shouldBypassMainWorldContentSecurityPolicy)) {
</del><ins>+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
</ins><span class="cx"> // FIXME: Should this be throwing an exception?
</span><span class="cx"> ec = SECURITY_ERR;
</span><span class="cx"> return;
</span></span></pre>
</div>
</div>
</body>
</html>