[webkit-reviews] review granted: [Bug 57278] CSP script-src should block string arguments to setTimeout and setInterval : [Attachment 87220] Patch
bugzilla-daemon at webkit.org
Mon Mar 28 16:06:31 PDT 2011
Darin Adler <darin at apple.com> has granted Adam Barth <abarth at webkit.org>'s
request for review:
Bug 57278: CSP script-src should block string arguments to setTimeout and
setInterval
https://bugs.webkit.org/show_bug.cgi?id=57278
Attachment 87220: Patch
https://bugs.webkit.org/attachment.cgi?id=87220&action=review
------- Additional Comments from Darin Adler <darin at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=87220&action=review
> Source/WebCore/ChangeLog:10
> + The changes to V8 and JSC aren't as symmetrical as I would like
because
> + this code path is factored differently in the two bindings. I've
added
> + a FIXME to synchronize the implementations.
The DOMWindow functions should be usable by the V8 version.
> Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:736
> + if (exec->hadException() || !action)
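Review bot: the `!action` half of the condition at JSDOMWindowCustom.cpp:736 is folded into the exception check, so a null action leaves through the same branch as a pending exception and nothing at this site says which cases produce null. Add a one-line comment stating that a null action is an expected outcome (for example, when the policy check in ScheduledAction.cpp returns 0), or split the two conditions so each early exit is explained on its own line.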
So the design here is to silently do nothing if there is a violation?
> Source/WebCore/bindings/js/ScheduledAction.cpp:57
> + if (activeContext->isDocument() &&
!static_cast<Document*>(activeContext)->contentSecurityPolicy()->allowScriptFro
mString())
> + return 0;
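Review bot: in the check at ScheduledAction.cpp:57, `contentSecurityPolicy()` is dereferenced with no null check, and the whole test is guarded by `activeContext->isDocument()`, so any context that is not a Document skips `allowScriptFromString()` entirely. Assert or comment that `contentSecurityPolicy()` is never null for a Document, add a FIXME recording that non-document contexts are not covered by this check, and put a short comment on `return 0` saying that null here means the string was blocked by policy so callers know they must handle it.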
Do we want to have a contentSecurityPolicy for workers too, longer term?