Bug 100815

Summary: [JSC] Script run from an isolated world should bypass a page's CSP
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric.carlson, felipe, ggaren, jberlin, oliver, rakuco, timothy
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 97398
Bug Blocks:
Attachments:
  Description: Patch
  Flags: oliver: review+

Description Mike West 2012-10-30 23:11:24 PDT
https://bugs.webkit.org/show_bug.cgi?id=97398 adds the ability for isolated worlds in V8 to bypass the Content Security Policy of the document they're layered on top of. This is useful for extensions, and it seems like a good API to implement in JSC as well.
Comment 1 Mike West 2013-02-07 11:00:50 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 2 Jessie Berlin 2013-03-19 11:55:50 PDT
<rdar://problem/12726714>
Comment 3 Geoffrey Garen 2013-04-09 20:58:35 PDT
Created attachment 197200 [details]
Patch
Comment 4 Oliver Hunt 2013-04-09 21:54:39 PDT
Comment on attachment 197200 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=197200&action=review

> Source/WebCore/bindings/js/ScriptController.cpp:477
> +    if (!callFrame || callFrame == CallFrame::noCaller()) 

We do this check a lot; I wonder if we could streamline it? (Not in this patch, though.)
Comment 5 Geoffrey Garen 2013-04-09 22:08:47 PDT
> We do this check a lot; I wonder if we could streamline it? (Not in this patch, though.)

Yeah, I think we should: I was surprised to learn that there were two different "null" values you had to test for, and I got it wrong the first time.
Comment 6 Geoffrey Garen 2013-04-09 22:11:20 PDT
Committed r148076: <http://trac.webkit.org/changeset/148076>