Attachment 339689 Details for
Bug 185364
: CSP should only notify Inspector to pause the debugger on the first policy to violate a directive
[patch]
Patch
bug-185364-20180506123952.patch (text/plain), 6.75 KB, created by
Daniel Bates
on 2018-05-06 12:39:52 PDT
Description:
Patch
Filename:
MIME Type:
Creator:
Daniel Bates
Created:
2018-05-06 12:39:52 PDT
Size:
6.75 KB
>Subversion Revision: 231394
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 293ccf0b6b21fd8c6f1c02b808d9f81094b47a9a..40a821d6d7214302469f2c466666303b268af894 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,27 @@
>+2018-05-06 Daniel Bates <dabates@apple.com>
>+
>+ CSP should only notify Inspector to pause the debugger on the first policy to violate a directive
>+ https://bugs.webkit.org/show_bug.cgi?id=185364
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Notify Web Inspector that a script was blocked on the first enforced CSP policy that it
>+ violates.
>+
>+ A page can have more than one enforced Content Security Policy. Currently for inline
>+ scripts, inline event handlers, JavaScript URLs, and eval() that are blocked by CSP
>+ we notify Web Inspector that it was blocked for each CSP policy that blocked it. When
>+ Web Inspector is notified it pauses script execution. It does not seem very meaningful
>+ to pause script execution on the same script for each CSP policy that blocked it.
>+ Therefore, only tell Web Inspector that a script was blocked for the first enforced CSP
>+ policy that blocked it.
>+
>+ * page/csp/ContentSecurityPolicy.cpp:
>+ (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
>+ (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
>+ (WebCore::ContentSecurityPolicy::allowInlineScript const):
>+ (WebCore::ContentSecurityPolicy::allowEval const):
>+
> 2018-05-02 Dean Jackson <dino@apple.com>
> 
> Use IOSurfaces for CoreImage operations where possible
>diff --git a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>index a775b0b1990257a11d183c2130298b2e17b47bd4..7b2ff0ef8a66fe45e63af5ab18ccf1f1654c0f30 100644
>--- a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>+++ b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
>@@ -350,11 +350,14 @@ bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
> {
> if (overrideContentSecurityPolicy)
> return true;
>+ bool didNotifyInspector = false;
> auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
> String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
> reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>- if (!violatedDirective.directiveList().isReportOnly())
>+ if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
> reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+ didNotifyInspector = true;
>+ }
> };
> return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
> }
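Review bot: The rewritten guard in allowJavaScriptURLs lost the negation on `isReportOnly()`: it reads `if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {`, while the removed line and the three sibling hunks (allowInlineEventHandlers, allowInlineScript, allowEval) all test `!violatedDirective.directiveList().isReportOnly()`. As written, a `javascript:` URL blocked by an enforced policy never reaches `reportBlockedScriptExecutionToInspector`, and a report-only policy, which blocks nothing, is the one that pauses the debugger. The condition should be `if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {`. The return value still comes from `allPoliciesAllow`, so enforcement itself appears unaffected. The visible patch touches only ChangeLog and ContentSecurityPolicy.cpp; a test that loads one report-only and one enforced policy and checks which violation pauses would catch this inversion.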
>@@ -363,11 +366,14 @@ bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
> {
> if (overrideContentSecurityPolicy)
> return true;
>+ bool didNotifyInspector = false;
> auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
> String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
> reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>- if (!violatedDirective.directiveList().isReportOnly())
>+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
> reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+ didNotifyInspector = true;
>+ }
> };
> return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
> }
>@@ -398,6 +404,7 @@ bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WT
> {
> if (overrideContentSecurityPolicy)
> return true;
>+ bool didNotifyInspector = false;
> bool foundHashInEnforcedPolicies;
> bool foundHashInReportOnlyPolicies;
> std::tie(foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies) = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
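Review bot: The `didNotifyInspector` flag and its guard are pasted into every lambda this patch touches (allowJavaScriptURLs, allowInlineEventHandlers here, allowInlineScript and allowEval), so the "notify once, enforced policies only" rule now lives in four places that have to be kept identical by hand. Putting that decision behind one shared helper that the four lambdas call would leave a single condition to review. If the copies stay, a comment above the flag such as `// Pause the debugger only for the first enforced policy that blocks this script.` would record why later violations are still reported through `reportViolation` but not forwarded to Inspector.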
>@@ -406,8 +413,10 @@ bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WT
> auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
> String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
> reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
>- if (!violatedDirective.directiveList().isReportOnly())
>+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
> reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+ didNotifyInspector = true;
>+ }
> };
> // FIXME: We should not report that the inline script violated a policy when its hash matched a source
> // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
>@@ -442,11 +451,14 @@ bool ContentSecurityPolicy::allowEval(JSC::ExecState* state, bool overrideConten
> {
> if (overrideContentSecurityPolicy)
> return true;
>+ bool didNotifyInspector = false;
> auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
> String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'");
> reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, state);
>- if (!violatedDirective.directiveList().isReportOnly())
>+ if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
> reportBlockedScriptExecutionToInspector(violatedDirective.text());
>+ didNotifyInspector = true;
>+ }
> };
> return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval);
> }