[Webkit-unassigned] [Bug 138492] New: CSP is enforced for eval in report-only mode on first page load

bugzilla-daemon at webkit.org
Thu Nov 6 20:47:41 PST 2014


            Bug ID: 138492
           Summary: CSP is enforced for eval in report-only mode on first
                    page load
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ap at webkit.org
                CC: sam at webkit.org

If a page that disallows eval() in report-only mode is the first page to be loaded in a window, then the policy will actually be enforced.

There are two code paths for applying the eval policy. If we have a JS context already, then we apply it right away, checking for whether it is report only. But if we didn't have a JS context when parsing the policy yet, then this is delayed until after the context is created. And in this code path, we don't check for report only mode.


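A simplified C++ model of the two code paths described in the report, added here as an illustration; it is not WebKit code, and `Window`, `Policy`, `didReceivePolicy`, `createContext` and the `fixedDeferredPath` switch are hypothetical names. It shows the delayed path disabling eval under a report-only policy, next to the same path with the report-only check added.

```cpp
#include <cstdio>

// Simplified model of the two code paths; every name here is hypothetical.
struct Policy { bool allowsEval; bool reportOnly; };

class Window {
public:
    explicit Window(bool fixedDeferredPath) : m_fixed(fixedDeferredPath) {}
    // The CSP header has been parsed.
    void didReceivePolicy(const Policy& p) {
        if (m_hasContext) {
            // Immediate path: report-only is checked before disabling eval.
            if (!p.allowsEval && !p.reportOnly)
                m_evalEnabled = false;
            return;
        }
        m_pending = p;          // no JS context yet: apply after creation
        m_hasPending = true;
    }

    // The JS context is created; any delayed policy is applied now.
    void createContext() {
        m_hasContext = true;
        if (!m_hasPending) return;
        bool enforce = !m_pending.allowsEval;
        if (m_fixed)            // the check the report says is missing
            enforce = enforce && !m_pending.reportOnly;
        if (enforce) m_evalEnabled = false;
        m_hasPending = false;
    }
    bool evalEnabled() const { return m_hasContext && m_evalEnabled; }
private:
    bool m_fixed;
    bool m_hasContext = false, m_hasPending = false, m_evalEnabled = true;
    Policy m_pending{};
};

// Does eval still work when the page sends a report-only policy without eval?
bool evalWorksUnderReportOnly(bool contextExistsFirst, bool fixedDeferredPath) {
    Window w(fixedDeferredPath);
    if (contextExistsFirst) w.createContext();
    w.didReceivePolicy(Policy{false, true});
    if (!contextExistsFirst) w.createContext();
    return w.evalEnabled();
}

int main() {
    std::printf("first load: unfixed=%d fixed=%d\n", evalWorksUnderReportOnly(false, false), evalWorksUnderReportOnly(false, true));
}
```

A regression test for this class of bug has to cover both orderings, since only the case where the policy arrives before the context exists takes the delayed path.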