Bug 100815

Summary: [JSC] Script run from an isolated world should bypass a page's CSP
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric.carlson, felipe, ggaren, jberlin, oliver, rakuco, timothy
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 97398    
Bug Blocks:    
Attachments: Patch (flags: oliver: review+)

Mike West
Reported 2012-10-30 23:11:24 PDT
https://bugs.webkit.org/show_bug.cgi?id=97398 adds the ability for isolated worlds in V8 to bypass the Content Security Policy of the document they're layered on top of. This is useful for extensions, and it seems like a good API to implement in JSC as well.
Attachments
Patch (14.86 KB, patch), 2013-04-09 20:58 PDT, Geoffrey Garen, flags: oliver: review+
Mike West
Comment 1 2013-02-07 11:00:50 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Jessie Berlin
Comment 2 2013-03-19 11:55:50 PDT
Geoffrey Garen
Comment 3 2013-04-09 20:58:35 PDT
Oliver Hunt
Comment 4 2013-04-09 21:54:39 PDT
Comment on attachment 197200 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=197200&action=review

> Source/WebCore/bindings/js/ScriptController.cpp:477
> +    if (!callFrame || callFrame == CallFrame::noCaller())

We do this check a lot; I wonder if we could streamline it? (Not in this patch, though.)
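Review bot: the guard at ScriptController.cpp:477 tests two distinct "no caller" sentinels inline, a null pointer and CallFrame::noCaller(), and comment 5 below confirms that one of them was missed on the first attempt; a single predicate used at every such site (for example a hypothetical isValidCallFrame(callFrame)) would make that omission impossible, and a one-line comment stating which way the no-caller path decides (bypass or not) would document the intended default at the point where the CSP bypass is granted.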
Geoffrey Garen
Comment 5 2013-04-09 22:08:47 PDT
> we do this check a lot, i wonder if we could streamline it? (not in this patch though)

Yeah, I think we should: I was surprised to learn that there were two different "null" values you had to test for, and I got it wrong the first time.
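The description explains what the patch is for (an isolated world, such as an extension content script, may bypass the CSP of the document it is layered on), and comments 4 and 5 turn on the two-sentinel caller check. The following is an added example, not code from WebKit or from this patch: a self-contained C++ model of that decision, with hypothetical stand-ins for DOMWrapperWorld, CallFrame::noCaller() and ContentSecurityPolicy, a single isValidCallFrame predicate that covers both "null" values, and a fail-closed default when there is no caller. The flag name contentSecurityPolicyBypass and the sample worlds and policy are assumptions made for the example.

```cpp
// Added example (not WebKit code): a small model of the policy decision this
// bug adds to JSC. Names such as DOMWrapperWorld, CallFrame::noCaller() and
// ContentSecurityPolicy echo WebKit's, but the structs here are hypothetical
// stand-ins so the file compiles on its own.
#include <cstddef>
#include <cstdio>

struct DOMWrapperWorld {
    bool isNormalWorld;                  // the page's own world
    bool contentSecurityPolicyBypass;    // hypothetical flag, opted in by the embedder (extensions)
};

struct CallFrame {
    const DOMWrapperWorld* world;        // world the calling script runs in
};

// Modelled on CallFrame::noCaller(): a non-null sentinel that still means
// "no JavaScript caller". Together with nullptr that gives two distinct
// "null" values, the trap mentioned in comment 5.
static CallFrame* noCaller()
{
    static CallFrame sentinel { nullptr };
    return &sentinel;
}

// One predicate that covers both sentinels, so a call site cannot test only
// one of them.
static bool isValidCallFrame(const CallFrame* frame)
{
    return frame && frame != noCaller();
}

// Bypass the main world's CSP only when a real caller exists, it runs in an
// isolated world, and that world asked for the bypass. Every other path fails
// closed: the document's CSP still applies.
bool shouldBypassMainWorldContentSecurityPolicy(const CallFrame* callFrame)
{
    if (!isValidCallFrame(callFrame))
        return false;
    const DOMWrapperWorld* world = callFrame->world;
    if (!world || world->isNormalWorld)
        return false;
    return world->contentSecurityPolicyBypass;
}

struct ContentSecurityPolicy {
    bool allowsInlineScript;   // e.g. "script-src 'self'" => false
    bool allowsEval;           // false unless 'unsafe-eval' is present
};

// CSP queries as the page's policy would answer them: the isolated-world
// bypass is consulted first, otherwise the page's directive decides.
bool allowInlineScript(const ContentSecurityPolicy& csp, const CallFrame* callFrame)
{
    return shouldBypassMainWorldContentSecurityPolicy(callFrame) || csp.allowsInlineScript;
}

bool allowEval(const ContentSecurityPolicy& csp, const CallFrame* callFrame)
{
    return shouldBypassMainWorldContentSecurityPolicy(callFrame) || csp.allowsEval;
}

// Constructed scenario: a page with "script-src 'self'" (no inline, no eval),
// one page-world frame, one extension world that opted in, and one isolated
// world that did not.
static const ContentSecurityPolicy kStrictPagePolicy { false, false };
static const DOMWrapperWorld kPageWorld { true, false };
static const DOMWrapperWorld kExtensionWorld { false, true };
static const DOMWrapperWorld kPlainIsolatedWorld { false, false };
static const CallFrame kPageFrame { &kPageWorld };
static const CallFrame kExtensionFrame { &kExtensionWorld };
static const CallFrame kPlainIsolatedFrame { &kPlainIsolatedWorld };

// Results for the scenario above, one per caller kind.
bool inlineScriptAllowedForPage()       { return allowInlineScript(kStrictPagePolicy, &kPageFrame); }
bool inlineScriptAllowedForExtension()  { return allowInlineScript(kStrictPagePolicy, &kExtensionFrame); }
bool inlineScriptAllowedForPlainWorld() { return allowInlineScript(kStrictPagePolicy, &kPlainIsolatedFrame); }
bool inlineScriptAllowedWithNoCaller()  { return allowInlineScript(kStrictPagePolicy, noCaller()); }
bool inlineScriptAllowedWithNullFrame() { return allowInlineScript(kStrictPagePolicy, nullptr); }

int main()
{
    std::printf("page world:           %d\n", inlineScriptAllowedForPage());        // 0
    std::printf("extension world:      %d\n", inlineScriptAllowedForExtension());   // 1
    std::printf("plain isolated world: %d\n", inlineScriptAllowedForPlainWorld());  // 0
    std::printf("noCaller():           %d\n", inlineScriptAllowedWithNoCaller());   // 0
    std::printf("nullptr:              %d\n", inlineScriptAllowedWithNullFrame());  // 0
    return 0;
}
```

The point of the model is the ordering: the world is read from the calling frame, not from the document, so the page's own scripts cannot obtain the bypass by calling into the extension's world, and a missing caller (either sentinel) leaves the page's CSP in force rather than granting the bypass by accident.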
Geoffrey Garen
Comment 6 2013-04-09 22:11:20 PDT