[Webkit-unassigned] [Bug 141316] ScriptController::initScript should not be subject to CSP if the world it is running in is an isolated world
bugzilla-daemon at webkit.org
Mon Mar 23 13:51:49 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=141316
--- Comment #5 from Daniel Bates <dbates at webkit.org> ---
Comment on attachment 248985
--> https://bugs.webkit.org/attachment.cgi?id=248985
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=248985&action=review
> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:34
> + new Function('return true');
Is it not possible to write this function using eval()?
> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:35
> + alert('LOADED in ' + (isolated ? "isolated world" : "main world"));
This message is disingenuous because we did not load anything. Maybe change LOADED to "Implicitly called eval()" (or "Called eval()" if we can write this function using eval())?
> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:39
> + alert('BLOCKED in ' + (isolated ? "isolated world" : "main world"));
This message is not very clear about what we are blocking. We should elaborate that we blocked eval().
> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:61
> + testRunner.evaluateScriptInIsolatedWorld(1, String(function setImgSrc(isolated) {
> + var img = document.createElement('img');
> + document.body.appendChild(img);
> + img.onload = function () {
> + alert('LOADED in ' + (isolated ? "isolated world" : "main world"));
> + window.postMessage("next", "*");
> + };
> + img.onerror = function () {
> + alert('BLOCKED in ' + (isolated ? "isolated world" : "main world"));
> + window.postMessage("next", "*");
> + };
> + img.src = "../resources/abe.png";
> + }) + "\nsetImgSrc(true);");
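Review bot: the `img.onerror` handler reports BLOCKED for any load failure, so a missing or misnamed `../resources/abe.png` would produce the same "BLOCKED" output as a CSP image block and the test would pass for the wrong reason; consider first loading the image once from the main world with no CSP restriction (or otherwise asserting the resource exists) so that a BLOCKED result can only come from the policy.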
Can we use String(setImgSrc) to get a string representation of the source code of function setImgSrc?
> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:76
> + testRunner.evaluateScriptInIsolatedWorld(1, String(function createNewFunction(isolated) {
> + try {
> + new Function('return true');
> + alert('LOADED in ' + (isolated ? 'isolated world' : 'main world'));
> + window.postMessage('next', '*');
> + } catch (error) {
> + alert('BLOCKED in ' + (isolated ? 'isolated world' : 'main world'));
> + window.postMessage('next', '*');
> + }
> + }) + "\ncreateNewFunction(true);");
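Review bot: the `} catch (error) {` branch reports BLOCKED for any exception, so a test bug inside the try (a typo, a missing global) would be indistinguishable from CSP refusing `new Function`; check that `error` is an EvalError before reporting BLOCKED and rethrow (or report the unexpected error text) otherwise, so the test only passes when eval was actually denied.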
Similarly, can we use String(createNewFunction)?
> Source/WebCore/bindings/js/ScriptController.cpp:258
> + bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
> if (m_frame.document())
> - windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
> + windowShell->window()->setEvalEnabled(shouldBypassMainWorldContentSecurityPolicy ? shouldBypassMainWorldContentSecurityPolicy : m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
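Review bot: the ternary `shouldBypassMainWorldContentSecurityPolicy ? shouldBypassMainWorldContentSecurityPolicy : ...allowEval(...)` is simply `shouldBypassMainWorldContentSecurityPolicy || ...allowEval(...)` and reads as if it were something subtler; beyond the simplification, the `!world.isNormal()` line deserves a short comment stating that every non-normal world is deliberately exempt from the main world's CSP, because a later reader auditing this function will otherwise see an unconditional eval enable and treat it as a bypass rather than the intended policy.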
It's unnecessary to compute ContentSecurityPolicy::evalDisabledErrorMessage() when shouldBypassMainWorldContentSecurityPolicy evaluates to true.
I would have written this as:
if (m_frame.document()) {
    bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
    if (shouldBypassMainWorldContentSecurityPolicy)
        windowShell->window()->setEvalEnabled(true);
    else
        windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
}
Notice that I also moved the initialization of shouldBypassMainWorldContentSecurityPolicy such that we only perform it when m_frame.document() is non-null, which is when we actually need to make use of its value.