[Webkit-unassigned] [Bug 141316] ScriptController::initScript should not subject to CSP if the world it is running in is isolated world

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 23 13:51:49 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=141316

--- Comment #5 from Daniel Bates <dbates at webkit.org> ---
Comment on attachment 248985
  --> https://bugs.webkit.org/attachment.cgi?id=248985
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=248985&action=review

> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:34
> +                new Function('return true');

Is it not possible to write this function using eval()?

> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:35
> +                alert('LOADED in ' + (isolated ? "isolated world" : "main world"));

This message is disingenuous because we did not load anything. Maybe change LOADED to "Implicitly called eval()" (or "Called eval()" if we can write this function using eval())?

> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:39
> +                alert('BLOCKED in ' + (isolated ? "isolated world" : "main world"));

This message is not very clear about what we are blocking. We should elaborate that we blocked eval().

> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:61
> +                testRunner.evaluateScriptInIsolatedWorld(1, String(function setImgSrc(isolated) {
> +                                                                        var img = document.createElement('img');
> +                                                                        document.body.appendChild(img);
> +                                                                        img.onload = function () {
> +                                                                            alert('LOADED in ' + (isolated ? "isolated world" : "main world"));
> +                                                                            window.postMessage("next", "*");
> +                                                                        };
> +                                                                        img.onerror = function () {
> +                                                                            alert('BLOCKED in ' + (isolated ? "isolated world" : "main world"));
> +                                                                            window.postMessage("next", "*");
> +                                                                        };
> +                                                                        img.src = "../resources/abe.png";
> +                                                                    }) + "\nsetImgSrc(true);");
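Review bot: Style: the alert strings in this hunk quote the world names with double quotes ("isolated world") while the createNewFunction block in the same file uses single quotes ('isolated world'); pick one form for both helpers. Also, the <img> appended to document.body in setImgSrc is never removed, so each run of the helper (the postMessage("next") chain implies several sequential steps) leaves an extra element behind; calling img.remove() in both the onload and onerror handlers keeps the DOM state independent between steps.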

Can we use String(setImgSrc) to get a string representation of the source code of function setImgSrc?

> LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html:76
> +                testRunner.evaluateScriptInIsolatedWorld(1, String(function createNewFunction(isolated) {
> +                                                                        try { 
> +                                                                            new Function('return true');
> +                                                                            alert('LOADED in ' + (isolated ? 'isolated world' : 'main world'));
> +                                                                            window.postMessage('next', '*');
> +                                                                        } catch (error) {
> +                                                                            alert('BLOCKED in ' + (isolated ? 'isolated world' : 'main world'));
> +                                                                            window.postMessage('next', '*');
> +                                                                        }
> +                                                                    }) + "\ncreateNewFunction(true);");
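Review bot: The catch (error) in createNewFunction treats every exception as a CSP block, so an unrelated failure (a typo in the function body, for instance) would also print 'BLOCKED in isolated world' and the test would pass for the wrong reason; consider including error.name in the alert text, or checking for the EvalError that an eval-disabled policy raises, so the expected output pins down the actual cause of the block.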

Similarly, can we use String(createNewFunction)?

> Source/WebCore/bindings/js/ScriptController.cpp:258
> +    bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
>      if (m_frame.document())
> -        windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
> +        windowShell->window()->setEvalEnabled(shouldBypassMainWorldContentSecurityPolicy ? shouldBypassMainWorldContentSecurityPolicy : m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
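Review bot: The ternary `shouldBypassMainWorldContentSecurityPolicy ? shouldBypassMainWorldContentSecurityPolicy : ...allowEval(...)` is equivalent to `shouldBypassMainWorldContentSecurityPolicy || m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport)`; the `||` form states the intent ("bypass, or the policy allows it") directly and short-circuits the CSP lookup for non-normal worlds. Since the bypass is keyed solely on `!world.isNormal()`, a one-line comment at the declaration recording that isolated worlds are deliberately exempt from the main world's eval restriction would document the security decision for whoever touches this code next.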

It's unnecessary to compute ContentSecurityPolicy::evalDisabledErrorMessage() when shouldBypassMainWorldContentSecurityPolicy evaluates to true.

I would have written this as:

if (m_frame.document()) {
    bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
    if (shouldBypassMainWorldContentSecurityPolicy)
        windowShell->window()->setEvalEnabled(true);
    else
        windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
}

Notice that I also moved the initialization of shouldBypassMainWorldContentSecurityPolicy such that we only perform it when m_frame.document() is non-null, which is when we actually need to make use of its value.
