Attachment 339689 Details for Bug 185364 – Patch

[patch] Patch

bug-185364-20180506123952.patch (text/plain), 6.75 KB, created by Daniel Bates on 2018-05-06 12:39:52 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Daniel Bates

Created: 2018-05-06 12:39:52 PDT

Size: 6.75 KB

patch

obsolete

>Subversion Revision: 231394
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 293ccf0b6b21fd8c6f1c02b808d9f81094b47a9a..40a821d6d7214302469f2c466666303b268af894 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,27 @@
>+2018-05-06  Daniel Bates  <dabates@apple.com>
>+
>+        CSP should only notify Inspector to pause the debugger on the first policy to violate a directive
>+        https://bugs.webkit.org/show_bug.cgi?id=185364
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        Notify Web Inspector that a script was blocked on the first enforced CSP policy that it
>+        violates.
>+
>+        A page can have more than one enforced Content Security Policy. Currently for inline
>+        scripts, inline event handlers, JavaScript URLs, and eval() that are blocked by CSP
>+        we notify Web Inspector that it was blocked for each CSP policy that blocked it. When
>+        Web Inspector is notified it pauses script execution. It does not seem very meaningful
>+        to pause script execution on the same script for each CSP policy that blocked it.
>+        Therefore, only tell Web Inspector that a script was blocked for the first enforced CSP
>+        policy that blocked it.
>+
>+        * page/csp/ContentSecurityPolicy.cpp:
>+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
>+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
>+        (WebCore::ContentSecurityPolicy::allowInlineScript const):
>+        (WebCore::ContentSecurityPolicy::allowEval const):
>+
> 2018-05-02  Dean Jackson  <dino@apple.com>
> 
>         Use IOSurfaces for CoreImage operations where possible
>diff --git a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>index a775b0b1990257a11d183c2130298b2e17b47bd4..7b2ff0ef8a66fe45e63af5ab18ccf1f1654c0f30 100644
>--- a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>+++ b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>@@ -350,11 +350,14 @@ bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
> {
>     if (overrideContentSecurityPolicy)
>         return true;
>+    bool didNotifyInspector = false;
>     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
>         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
>         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>-        if (!violatedDirective.directiveList().isReportOnly())
>+        if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
>             reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+            didNotifyInspector = true;
>+        }
>     };
>     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
> }
>@@ -363,11 +366,14 @@ bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
> {
>     if (overrideContentSecurityPolicy)
>         return true;
>+    bool didNotifyInspector = false;
>     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
>         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
>         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>-        if (!violatedDirective.directiveList().isReportOnly())
>+        if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
>             reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+            didNotifyInspector = true;
>+        }
>     };
>     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
> }
>@@ -398,6 +404,7 @@ bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WT
> {
>     if (overrideContentSecurityPolicy)
>         return true;
>+    bool didNotifyInspector = false;
>     bool foundHashInEnforcedPolicies;
>     bool foundHashInReportOnlyPolicies;
>     std::tie(foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies) = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
>@@ -406,8 +413,10 @@ bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WT
>     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
>         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
>         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>-        if (!violatedDirective.directiveList().isReportOnly())
>+        if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
>             reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+            didNotifyInspector = true;
>+        }
>     };
>     // FIXME: We should not report that the inline script violated a policy when its hash matched a source
>     // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
>@@ -442,11 +451,14 @@ bool ContentSecurityPolicy::allowEval(JSC::ExecState* state, bool overrideConten
> {
>     if (overrideContentSecurityPolicy)
>         return true;
>+    bool didNotifyInspector = false;
>     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
>         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'");
>         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, state);
>-        if (!violatedDirective.directiveList().isReportOnly())
>+        if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
>             reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+            didNotifyInspector = true;
>+        }
>     };
>     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval);
> }

Actions: View | Formatted Diff | Diff

Attachments on bug 185364: 339689