Scripts running in isolated world should not subject to a page's CSP about 'eval'.
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Mar 2015 01:28:28 +0000 (01:28 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Mar 2015 01:28:28 +0000 (01:28 +0000)
commit4ce5866d0fbe14448757b82c764cad1a3fffc795
tree1b33e179ea3ac39675fabfca7a8e2c33181d980d
parentc1b58e55251e93b9efc0eb8ecb7327e645b2e163
Scripts running in isolated world should not subject to a page's CSP about 'eval'.
https://bugs.webkit.org/show_bug.cgi?id=141316.

Patch by Zhuo Li <zachli@apple.com> on 2015-03-24
Reviewed by Geoffrey Garen.

Source/WebCore:

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::initScript):
We should not impose the main world Content Security Policy onto the isolated world.

LayoutTests:

I added a new Content Security Policy directive, "script-src", so that we do not
allow 'unsafe-eval' in the main world.

Also I have to copy the whole function instead of using eval because
eval is subject to the main world Content Security Policy now.

* http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
* http/tests/security/isolatedWorld/bypass-main-world-csp.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt
LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/ScriptController.cpp