Bug 117286
| Summary: | Reporting mode of Content Security Policy: eval() is not reported | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | masch |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | dbates |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
masch
Follow-up to bug 111867 which is solved with Chrome 27 (version 27.0.1453.110 m).
Now any usage of eval() isn't reported anymore in reporting-mode (but still blocked in non-reporting-mode).
Example:
<!DOCTYPE html>
<html>
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self' 'unsafe-inline'; report-uri /dummy.html"/>
<head>
<script src="CSP.js"></script>
<script>
eval('alert(2);');
</script>
</head>
<body>
</body>
</html>
CSP.js:
eval('alert(1);');
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Daniel Bates
*** This bug has been marked as a duplicate of bug 111869 ***