[Webkit-unassigned] [Bug 60800] InjectedScriptSource.js - "Don't be eval()."

bugzilla-daemon at webkit.org
Mon May 16 02:29:03 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=60800


Yury Semikhatsky <yurys at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1




--- Comment #8 from Yury Semikhatsky <yurys at chromium.org>  2011-05-16 02:29:03 PST ---
(In reply to comment #5)
> > 2) window.eval for console expression evaluation. I am not quite sure what you are suggesting to do with this one.
> 
> I've lost track of how this all fits together, but can we add a binding to InjectedScriptHost to call ScriptController::evaluate ?  It's just the JavaScript eval function/operator that's blocked by CSP.

Providing a binding to InjectedScriptHost to call ScriptController::evaluate wouldn't help here if ScriptController::disableEval has already been called for the context. We need a way to enable evaluations only for expressions provided by the inspector.

One possible approach would be for the native part of the inspector to temporarily allow 'eval' using, e.g., a callback set with V8::SetAllowCodeGenerationFromStringsCallback that allows overriding eval permissions. It would work for synchronous evals but not for things like 'setTimeout("eval('var x = 10;')",0)'.

Another way of dealing with CSP-enabled pages would be to ask the user whether he would like to disable CSP when he tries to evaluate something in the console or performs other inspector actions that require JS evaluation.
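
The synchronous-versus-deferred limitation raised in comment #8, as an added example that is not part of the original thread and is not WebKit or V8 code. It is a toy model: `RestrictedPage`, `inspectorEvaluate` and the sample strings are hypothetical and constructed for illustration, with a boolean standing in for whatever the permission callback would return.

```javascript
// Toy model (constructed for illustration; not WebKit or V8 code).
class RestrictedPage {
  constructor() {
    this.evalAllowed = false; // CSP has turned string evaluation off
    this.timers = [];         // pending string timers, as in setTimeout("...", 0)
  }

  // Stand-in for the page's eval(): the permission is checked at call time.
  evalString(source) {
    if (!this.evalAllowed) {
      throw new EvalError('string evaluation blocked by CSP');
    }
    return (0, eval)(source); // indirect eval of the constructed sample string
  }

  // Stand-in for setTimeout(string, 0): only queues; evaluation happens later.
  setTimeoutString(source) {
    this.timers.push(source);
    return this.timers.length; // timer id
  }

  // Run queued timers the way the event loop would, after the caller returned.
  runTimers() {
    const pending = this.timers.splice(0);
    return pending.map((source) => {
      try {
        return { source, ok: true, value: this.evalString(source) };
      } catch (err) {
        return { source, ok: false, error: err.name };
      }
    });
  }
}

// Hypothetical inspector entry point: opens the permission only for the
// duration of one synchronous console evaluation, then closes it again.
function inspectorEvaluate(page, consoleExpression) {
  page.evalAllowed = true;
  try {
    return consoleExpression(page);
  } finally {
    page.evalAllowed = false;
  }
}

function demo() {
  const page = new RestrictedPage();
  const sync = inspectorEvaluate(page, (p) => p.evalString('6 * 7'));
  inspectorEvaluate(page, (p) => p.setTimeoutString('var x = 10; x'));
  const deferred = page.runTimers(); // the permission window is already closed
  return { sync, deferred };
}
```

The synchronous evaluation succeeds inside the window, while the string timer queued from the same console expression is evaluated after the window has closed and is refused.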
