<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP: 'eval()' blocked in report-only mode should send a violation report"

   href="https://bugs.webkit.org/show_bug.cgi?id=153148">153148</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP: 'eval()' blocked in report-only mode should send a violation report

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Local Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Keywords</th>

          <td>BlinkMergeCandidate

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>We should merge &lt;<a href="https://src.chromium.org/viewvc/blink?view=rev&amp;revision=155752">https://src.chromium.org/viewvc/blink?view=rev&amp;revision=155752</a>&gt;.

CSP: 'eval()' blocked in report-only mode should send a violation report.

Currently, 'eval()' is blocked inside V8 when an enforce-mode Content

Security Policy is specified for a document. Report-only policies don't

trigger this mechanism, and therefore can deliver violation reports

neither to the 'report-uri' in the policy nor the console.

This patch changes ContentSecurityPolicy::didReceiveHeader to disable

eval inside V8 for report-only policies as well, and relies on the

V8Initializer::codeGenerationCheckCallbackInMainThread callback to give

V8 the final go/no-go decision regarding the code's execution.

This patch has the negative performance side-effect of calling back from

V8 to core whenever 'eval()' is encountered on a page with an CSP that

blocks eval. Given that the page isn't expecting to run 'eval()' at all, that

impact seems like something we can live with (though it is fairly

significant).</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>