[Webkit-unassigned] [Bug 138492] New: CSP is enforced for eval in report-only mode on first page load
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Nov 6 20:47:41 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=138492
Bug ID: 138492
Summary: CSP is enforced for eval in report-only mode on first
page load
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ap at webkit.org
CC: sam at webkit.org
If a page that disallows eval() in report-only mode is the first page to be loaded in a window, then the policy will actually be enforced.
There are two code path for applying the eval policy. If we have a JS context already, then we apply it right away, checking for whether it report only. But if we didn't have a JS context when parsing the policy yet, then this is delayed until after the context is created. And in this code path, we don't check for report only mode.
rdar://problem/15782525
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141107/970a09ee/attachment-0002.html>
More information about the webkit-unassigned
mailing list