[Webkit-unassigned] [Bug 138492] New: CSP is enforced for eval in report-only mode on first page load

Thu Nov 6 20:47:41 PST 2014

https://bugs.webkit.org/show_bug.cgi?id=138492

            Bug ID: 138492
           Summary: CSP is enforced for eval in report-only mode on first
                    page load
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ap at webkit.org
                CC: sam at webkit.org

If a page that disallows eval() in report-only mode is the first page to be loaded in a window, then the policy will actually be enforced.

There are two code path for applying the eval policy. If we have a JS context already, then we apply it right away, checking for whether it report only. But if we didn't have a JS context when parsing the policy yet, then this is delayed until after the context is created. And in this code path, we don't check for report only mode.

rdar://problem/15782525

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141107/970a09ee/attachment-0002.html>