Bug 136542

Summary: Web Inspector: breakpoint actions should work regardless of Content Security Policy
Product: WebKit Reporter: Matt Baker <mattbaker>
Component: Web InspectorAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, graouts, joepeck, mark.lam, timothy, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Matt Baker
Reported 2014-09-04 12:48:43 PDT
Breakpoint actions that evaluate JavaScript don't work when inspecting pages with a CSP that doesn't permit "unsafe-eval".
Attachments
Patch (15.59 KB, patch)
2014-09-04 17:59 PDT, Matt Baker 		no flags
DetailsFormatted DiffDiff
Patch (16.02 KB, patch)
2014-09-04 19:17 PDT, Matt Baker 		no flags
DetailsFormatted DiffDiff
Patch (15.86 KB, patch)
2014-09-05 11:42 PDT, Matt Baker 		no flags
DetailsFormatted DiffDiff
Patch (15.97 KB, patch)
2014-09-05 12:17 PDT, Matt Baker 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2014-09-04 12:49:00 PDT
<rdar://problem/18233842>
Matt Baker
Comment 2 2014-09-04 17:59:34 PDT
Created attachment 237664 [details] Patch
Mark Lam
Comment 3 2014-09-04 18:45:06 PDT
Comment on attachment 237664 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=237664&action=review > Source/JavaScriptCore/ChangeLog:9 > + JSGlobalObject for the duration of scope, returning the eval enabled state to its /duration of scope/duration of a scope/ > Source/JavaScriptCore/ChangeLog:11 > + to allow breakpoint actions to execute JS in pages with CSP that would normally Would you mind spelling out Content Security Policy instead of the CSP abbreviation? Thanks. > Source/JavaScriptCore/ChangeLog:14 > + Refactored Inspector::InjectedScriptBase to use RAII object instead of manually /use RAII/use the RAII/ > Source/JavaScriptCore/ChangeLog:15 > + setting/resetting eval enabled state. /...ing eval enabled/...ing the eval enabled/ > Source/JavaScriptCore/debugger/DebuggerEvalEnabler.h:46 > + explicit DebuggerEvalEnabler(const ExecState* exec) > + : m_globalObject(nullptr) > + , m_evalEnabled(false) > + { > + if (exec) { > + m_globalObject = exec->lexicalGlobalObject(); > + m_evalEnabled = m_globalObject->evalEnabled(); > + } > + if (m_globalObject && !m_evalEnabled) > + m_globalObject->setEvalEnabled(true, m_globalObject->evalDisabledErrorMessage()); > + } I suggest renaming m_evalEnabled to m_evalWasEnabled to indicate that it is referring to the original state. Actually, I think you should use m_evalwasDisabled instead because that would remove the need for a lot of negation in the code (making the logic simpler). I think it's weird that the exec can be NULL, but that appears to be a due to InjectedScriptBase getting the exec from ScriptObject::scriptState() which can currently be NULL. I suggest adding a comment in the ChangeLog to document this so that we'll have a record of why this NULL check exists, and can remove it in the future if we fix ScriptObject::scriptState() to never be NULL (at least for the duration when the DebuggerEvalEnabler is called). Why not just cache the ExecState, and do a conditional on that? I suggest the following: explicit DebuggerEvalEnabler(const ExecState* exec) : m_exec(exec) , m_evalWasDisabled(false) { if (exec) { JSGlobalObject* globalObject = exec->lexicalGlobalObject(); m_evalWasDisabled = !m_globalObject->evalEnabled(); if (m_evalWasDisabled) globalObject->setEvalEnabled(true, globalObject->evalDisabledErrorMessage()); } } ~DebuggerEvalEnabler() { if (m_evalWasDisabled) { ASSERT(m_exec); JSGlobalObject* globalObject = exec->lexicalGlobalObject(); globalObject()->setEvalEnabled(false, globalObject->evalDisabledErrorMessage()); } } I think the code is a little simpler this way.
Matt Baker
Comment 4 2014-09-04 19:17:21 PDT
Created attachment 237670 [details] Patch
Mark Lam
Comment 5 2014-09-04 19:33:28 PDT
Comment on attachment 237670 [details] Patch r=me
Joseph Pecoraro
Comment 6 2014-09-04 19:36:23 PDT
Comment on attachment 237670 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=237670&action=review Looks good to me. > Source/JavaScriptCore/debugger/DebuggerEvalEnabler.h:2 > + * Copyright (C) 2013 Apple Inc. All rights reserved. Nit: 2014 > LayoutTests/inspector/debugger/breakpoint-action-eval.html:22 > + WebInspector.Frame.addEventListener(WebInspector.Frame.Event.MainResourceDidChange, function() { Is the MainResourceDidChange + reload really necessary? This test would be much simpler if it was just listening for the ScriptAdded event. > LayoutTests/inspector/debugger/breakpoint-action-eval.html:39 > + }); Nit: broken indentation.
Mark Lam
Comment 7 2014-09-04 19:37:32 PDT
Comment on attachment 237670 [details] Patch Cancelling commit so that Matt can address Joe's comments.
Mark Lam
Comment 8 2014-09-05 11:19:45 PDT
Comment on attachment 237670 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=237670&action=review > Source/JavaScriptCore/inspector/InjectedScriptBase.cpp:86 > + JSC::DebuggerEvalEnabler evalEnabler(scriptState); > Deprecated::ScriptValue resultValue = function.call(hadException); Please add { } around these lines so that we preserve the original semantics of only enabling evals for this function call, and not the didCallInjectedScriptFunction() callback that follows below.
Matt Baker
Comment 9 2014-09-05 11:42:55 PDT
Created attachment 237702 [details] Patch
Matt Baker
Comment 10 2014-09-05 12:17:02 PDT
Created attachment 237704 [details] Patch
Mark Lam
Comment 11 2014-09-05 13:31:36 PDT
Comment on attachment 237704 [details] Patch r=me
WebKit Commit Bot
Comment 12 2014-09-05 14:08:26 PDT
Comment on attachment 237704 [details] Patch Clearing flags on attachment: 237704 Committed r173333: <http://trac.webkit.org/changeset/173333>
WebKit Commit Bot
Comment 13 2014-09-05 14:08:29 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.