[Webkit-unassigned] [Bug 153148] New: CSP: 'eval()' blocked in report-only mode should send a violation report

Fri Jan 15 14:44:41 PST 2016

https://bugs.webkit.org/show_bug.cgi?id=153148

            Bug ID: 153148
           Summary: CSP: 'eval()' blocked in report-only mode should send
                    a violation report
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: BlinkMergeCandidate
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org
                CC: dbates at webkit.org

We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155752>.

CSP: 'eval()' blocked in report-only mode should send a violation report.

Currently, 'eval()' is blocked inside V8 when an enforce-mode Content
Security Policy is specified for a document. Report-only policies don't
trigger this mechanism, and therefore can deliver violation reports
neither to the 'report-uri' in the policy nor the console.

This patch changes ContentSecurityPolicy::didReceiveHeader to disable
eval inside V8 for report-only policies as well, and relies on the
V8Initializer::codeGenerationCheckCallbackInMainThread callback to give
V8 the final go/no-go decision regarding the code's execution.

This patch has the negative performance side-effect of calling back from
V8 to core whenever 'eval()' is encountered on a page with an CSP that
blocks eval. Given that the page isn't expecting to run 'eval()' at all, that
impact seems like something we can live with (though it is fairly
significant).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160115/f86a2c51/attachment.html>