[webkit-reviews] review denied: [Bug 97398] Script run from an isolated world should bypass a page's CSP. : [Attachment 169401] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Oct 24 23:15:28 PDT 2012
Adam Barth <abarth at webkit.org> has denied Mike West <mkwst at chromium.org>'s
request for review:
Bug 97398: Script run from an isolated world should bypass a page's CSP.
https://bugs.webkit.org/show_bug.cgi?id=97398
Attachment 169401: Patch
https://bugs.webkit.org/attachment.cgi?id=169401&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=169401&action=review
This looks great. I'd keep the API as a String, but I would use a bool in
WebCore to represent this state. We can always elaborate the WebCore state
if/when we want to support a full CSP policy.
Sorry for the delay in reviewing this patch. For some reason I was hesitating
to review it, but now I see that my hesitation was misplaced.
> Source/WebCore/bindings/v8/DOMWrapperWorld.cpp:152
> +typedef HashMap<int, String> IsolatedWorldContentSecurityPolicyMap;
> +static IsolatedWorldContentSecurityPolicyMap&
isolatedWorldContentSecurityPolicies()
> +{
> + ASSERT(isMainThread());
> + DEFINE_STATIC_LOCAL(IsolatedWorldContentSecurityPolicyMap, map, ());
> + return map;
> +}
I really dislike these maps keyed on the world ID. I know you're just
following the pattern here, but this should really just be a bool on
DOMWrapperWord.
> Source/WebCore/bindings/v8/ScriptController.h:113
> + // Returns true if the current world is isolated, and has its own
Content
> + // Security Policy. In this case, the policy of the main world should be
> + // ignored when evaluating resources injected into the DOM.
> + bool shouldBypassMainWorldContentSecurityPolicy();
This API should take a DOMWrapperWorld* argument and the caller should call it
with currentWorld(). You can look at how the other functions that take
DOMWrapperWorld* arguments work in JSC. We'd like to switch over to using an
approach more like JSC, but for now we do things a bit differently. Given that
ScriptController is a shared interface with JSC, we should do things the JSC
way.
> Source/WebCore/loader/cache/CachedResourceLoader.cpp:307
> + bool shouldBypassMainWorldContentSecurityPolicy = (document()->frame()
&&
document()->frame()->script()->shouldBypassMainWorldContentSecurityPolicy());
There's already a frame() accessor that you can use on CachedResourceLoader
More information about the webkit-reviews
mailing list