[webkit-reviews] review denied: [Bug 112681] CSP 1.1: Stub out SecurityPolicyViolationEvent interface. : [Attachment 193819] Patch
bugzilla-daemon at webkit.org
Tue Mar 19 09:57:12 PDT 2013
Adam Barth <abarth at webkit.org> has denied Mike West <mkwst at chromium.org>'s
request for review:
Bug 112681: CSP 1.1: Stub out SecurityPolicyViolationEvent interface.
https://bugs.webkit.org/show_bug.cgi?id=112681
Attachment 193819: Patch
https://bugs.webkit.org/attachment.cgi?id=193819&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=193819&action=review
This looks fine, but I'd like to look at it one more time to make sure the
web-visible changes are properly hidden when CSP.next is disabled at runtime.
> Source/WebCore/dom/Document.idl:344
> + [NotEnumerable, Conditional=CSP_NEXT] attribute EventListener
onsecuritypolicyviolation;
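Review bot: at Document.idl:344 the only guard on onsecuritypolicyviolation is Conditional=CSP_NEXT, and nothing on the line ties the attribute to a runtime setting. NotEnumerable keeps it out of property enumeration but does not hide it from a direct lookup on document, so whatever runtime gating is added should come with a test asserting that the attribute is absent when the feature is off.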
This attribute needs to be enabled at runtime or else it will be visible to the
web.
> Source/WebCore/dom/SecurityPolicyViolationEvent.h:36
> + };
No need for a ; here.
> Source/WebCore/dom/SecurityPolicyViolationEvent.h:55
> + static PassRefPtr<SecurityPolicyViolationEvent> create(const String&
documentURI, const String& referrer, const String& blockedURI, const String&
violatedDirective, const String& effectiveDirective, const String&
originalPolicy, const String& sourceURL, int lineNumber)
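Review bot: create() at SecurityPolicyViolationEvent.h:55 takes seven consecutive const String& parameters (documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceURL), so a call site that transposes any two still compiles and the event would carry a value in the wrong field, for example blockedURI in place of documentURI. Passing the fields as named members of one init structure removes that risk; if the positional overload stays, it needs a test that gives each argument a distinct value and checks every attribute.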
I'd skip this one too. Even C++ code is better off using
SecurityPolicyViolationEventInit.
> Source/WebCore/dom/SecurityPolicyViolationEvent.h:65
> + void initSecurityPolicyViolationEvent(const AtomicString& eventType,
bool canBubble, bool cancelable, const String& documentURI, const String&
referrer, const String& blockedURI, const String& violatedDirective, const
String& effectiveDirective, const String& originalPolicy, const String&
sourceURL, int lineNumber)
We should skip this function. We only implement these sorts of functions for
legacy events.
> Source/WebCore/dom/SecurityPolicyViolationEvent.idl:29
> + void initSecurityPolicyViolationEvent(in [Optional=DefaultIsUndefined]
DOMString type,
We should remove this function from the API. We're implementing new events in
the DOM4 Events style.
> Source/WebCore/page/DOMWindow.idl:573
> + [Conditional=CSP_NEXT] attribute SecurityPolicyViolationEventConstructor
SecurityPolicyViolationEvent;
This attribute should also be enabled at runtime.