[Webkit-unassigned] [Bug 60800] New: InjectedScriptSource.js - "Don't be eval()."
bugzilla-daemon at webkit.org
Fri May 13 13:51:11 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=60800
Summary: InjectedScriptSource.js - "Don't be eval()."
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Web Inspector
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: tsepez at chromium.org
CC: abarth at webkit.org
There are a number of calls to the JavaScript eval() function inside InjectedScriptSource.js. This has recently become problematic with the introduction of Content-Security-Policy (CSP), which limits the contexts in which code generated from strings can execute. When firing up the inspector against a page with CSP enabled, I am seeing an error (Chromium example):
ASSERTION FAILED: !hadException
third_party/WebKit/Source/WebCore/inspector/InjectedScript.cpp(110) : WebCore::Node* WebCore::InjectedScript::nodeForObjectId(const WTF::String&)
[1873:1873:3971452761588:ERROR:CONSOLE(119)] "Uncaught Error: Code generation from strings disallowed for this context"
Tracking this down, I see that this operates by cobbling up a string of the form '{"injectedScriptId":1,"id":1}' and passing this into the JS engine as a string via ScriptFunctionCall::call() to the JS function named "nodeToObjectId".
This is found in WebCore/Inspector/InjectedScriptSource.js, which tries to parse the string by the function _parseObjectId(objectId), in the same file:
_parseObjectId: function(objectId)
{
return eval("(" + objectId + ")");
},
I was able to circumvent this particular issue by changing the eval to a JSON.parse(objectId). For the cases where this will work, this is a cleaner approach than the wide-open eval() calls, even though the contents of the string may be completely controlled by the inspector itself.
A layout test running the inspector against CSP-enabled pages would be required here.
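As an added illustration (not WebKit's code, and not part of the report above), here is the object-id parser rewritten around JSON.parse, next to the eval-based form it replaces, with a helper that shows which inputs each one accepts. The id format '{"injectedScriptId":1,"id":1}' is the one from the report; the function names and the sample strings are assumed for this example.

```javascript
// Before: the parser as described in the report. Under a CSP that does not
// allow 'unsafe-eval' this throws "Code generation from strings disallowed".
function parseObjectIdWithEval(objectId) {
  return eval("(" + objectId + ")");
}

// After: JSON.parse is a data-only parser. It never compiles code, so CSP
// does not affect it, and it rejects anything that is not a JSON literal.
function parseObjectId(objectId) {
  if (typeof objectId !== "string") {
    throw new TypeError("objectId must be a string");
  }
  const parsed = JSON.parse(objectId); // SyntaxError on non-JSON input
  // JSON.parse accepts any JSON value (number, array, null, ...); insist on
  // the exact shape the inspector expects before handing it on.
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("objectId must be a JSON object");
  }
  const { injectedScriptId, id } = parsed;
  if (!Number.isInteger(injectedScriptId) || !Number.isInteger(id)) {
    throw new TypeError("injectedScriptId and id must be integers");
  }
  return { injectedScriptId, id };
}

// Reports which parser accepts a given string, to make the difference visible.
function acceptedBy(objectId) {
  const ok = (fn) => { try { fn(objectId); return true; } catch (e) { return false; } };
  return { eval: ok(parseObjectIdWithEval), json: ok(parseObjectId) };
}

// Constructed inputs: the id format from the report, then two strings that
// are valid JavaScript but not JSON, which only the eval-based parser accepts.
const SAMPLE_IDS = [
  '{"injectedScriptId":1,"id":1}',       // both accept
  "{injectedScriptId:1,id:1}",           // unquoted keys: eval only
  '{"injectedScriptId":1,"id":1+1}',     // expression in a value: eval only
];

for (const s of SAMPLE_IDS) {
  console.log(s, acceptedBy(s));
}
```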