CSP: Eval isn't blocked in about:blank subframes
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 May 2012 03:45:06 +0000 (03:45 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 May 2012 03:45:06 +0000 (03:45 +0000)
commit de5ae5dda29f09b7c9a6fc56a6216e8c302a449c
tree 065811e9109d7d360d8c67a2b436d2f8eafe0a93
parent 3c1f4e33b574ddf622f43e4fe00f756e720d8f9b
CSP: Eval isn't blocked in about:blank subframes
https://bugs.webkit.org/show_bug.cgi?id=85553

Reviewed by Eric Seidel.

Source/WebCore:

ContentSecurityPolicy has a back pointer to ScriptExecutionContext.
That means we shouldn't share a single ContentSecurityPolicy object
between multiple ScriptExecutionContexts.  This patch copies the state
from one ScriptExecutionContext to another rather than sharing the
ContentSecurityPolicy object itself.

This resulted in a subtle bug w.r.t. blocking eval.  Because we block
eval by setting a bit in the JavaScript engine when enforcing the
policy, that bit wasn't copied along with the rest of the state when we
were sharing the ContentSecurityPolicy object.  Now that we use the
more robust ContentSecurityPolicy::copyStateFrom function, we don't
have that bug.

Test: http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext):
(WebCore):
(WebCore::Document::initContentSecurityPolicy):
* dom/Document.h:
(Document):
* dom/SecurityContext.cpp:
(WebCore::SecurityContext::setContentSecurityPolicy):
* dom/SecurityContext.h:
(SecurityContext):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
* page/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::create):

LayoutTests:

* http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html: Added.
    - New test for the eval issue.
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
    - Now that we re-parse the CSP policy, we log parse errors to the
      console more times. This isn't ideal and is something we might
      change in the future.
* platform/chromium/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
    - Add a Chromium-specific baseline for this test because the eval
      error is slightly different between V8 and JSC.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@116066 268f45cc-cd09-0410-ab3c-d52691b4dbfc
15 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/dom/SecurityContext.cpp
Source/WebCore/dom/SecurityContext.h
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/page/ContentSecurityPolicy.h
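The failure mode the commit message describes, as an added model example rather than WebKit's own code: the class and method names mirror the commit (ContentSecurityPolicy, ScriptExecutionContext, didReceiveHeader, copyStateFrom), but the bodies are a simplified stand-in in which the "eval disabled" bit lives on the context and the header parse only checks for a script-src directive lacking 'unsafe-eval'. Sharing the policy object leaves the child's bit untouched; copying state re-runs enforcement against the child's back pointer.

```cpp
#include <memory>
#include <string>
#include <vector>
// Model of the bug in the commit message (not WebKit's code): the "eval disabled"
// bit lives on the script context, so sharing one policy object never flips it.
struct ScriptExecutionContext;

class ContentSecurityPolicy {
public:
    explicit ContentSecurityPolicy(ScriptExecutionContext* ctx) : m_context(ctx) {}
    void didReceiveHeader(const std::string& header);
    void copyStateFrom(const ContentSecurityPolicy& other);
private:
    ScriptExecutionContext* m_context;   // back pointer: one owning context only
    std::vector<std::string> m_headers;
};

struct ScriptExecutionContext {
    bool evalEnabled = true;             // the engine-side bit the policy flips
    std::shared_ptr<ContentSecurityPolicy> csp;
};

void ContentSecurityPolicy::didReceiveHeader(const std::string& header) {
    m_headers.push_back(header);
    // Simplified parse: script-src without 'unsafe-eval' disables eval on m_context.
    if (header.find("script-src") != std::string::npos
        && header.find("'unsafe-eval'") == std::string::npos)
        m_context->evalEnabled = false;
}

void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy& other) {
    for (const auto& h : other.m_headers) // re-parse so enforcement hits m_context
        didReceiveHeader(h);
}

// Before the fix: the about:blank child shares the parent's policy object.
bool childEvalBlockedWhenSharing(const std::string& header) {
    ScriptExecutionContext parent, child;
    parent.csp = std::make_shared<ContentSecurityPolicy>(&parent);
    parent.csp->didReceiveHeader(header);
    child.csp = parent.csp;              // bit was only ever set on parent
    return !child.evalEnabled;
}

// After the fix: the child owns its own policy object and copies the state over.
bool childEvalBlockedWhenCopying(const std::string& header) {
    ScriptExecutionContext parent, child;
    parent.csp = std::make_shared<ContentSecurityPolicy>(&parent);
    parent.csp->didReceiveHeader(header);
    child.csp = std::make_shared<ContentSecurityPolicy>(&child);
    child.csp->copyStateFrom(*parent.csp);
    return !child.evalEnabled;
}
```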