[Webkit-unassigned] [Bug 88450] New: Can't use eval in iframes sanbdoxed via CSP header

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 6 13:32:39 PDT 2012


           Summary: Can't use eval in iframes sanbdoxed via CSP header
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://persistent.info/webkit/test-cases/csp/parent-no
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mihaip at chromium.org
                CC: eric at webkit.org, abarth at webkit.org

Test case: http://persistent.info/webkit/test-cases/csp/parent-no-eval.php (should see PASS in both frames, but only the second one has it).

The parent is served with the CSP header "script-src 'unsafe-inline'". It includes an iframe that is served with the CSP header "sandbox allow-scripts".

The iframe tries to make an eval() call, and fails with "EvalError: Eval is disabled" (with JSC) and/or "Code generation from strings disallowed for this context " (with V8).

If I include the same iframe with the equivalent "sandbox" attribute, then eval() works.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list