Bug 152158

Summary: [CSP] eval() is not blocked for stringified literals
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, ddkilzer, ggaren, mark.lam, saam
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All
Attachments:
  Example (flags: none)
  Patch and layout tests (flags: saam: review+)

Description Daniel Bates 2015-12-10 17:31:20 PST
Consider a web page with the following markup:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<body>
PASS
<script>
document.body.textContent = eval("'FAIL'");
</script>
</body>
</html>

Opening this page will show the word FAIL. But it should show PASS and a JavaScript EvalError should be thrown because the Content Security Policy (CSP) of the page disallows eval() (by the omission of the source expression 'unsafe-eval' in the allowed script sources for the page).
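The expected behaviour, as an added model that is not WebKit's code: a small CSP parser that decides whether eval() is permitted (script-src, falling back to default-src, with no restriction when neither is present), and a guarded eval that throws EvalError whenever the policy forbids it. The function names (parsePolicy, evalAllowed, guardedEval, renderReportPage) are assumptions for this example. The point the report makes is that the decision must depend only on the policy, never on what the argument looks like, so eval("'FAIL'") under the report's policy is refused exactly like any other string.

```javascript
'use strict';
// Added example modelling the CSP eval() decision; not WebKit's implementation.

// Parse a CSP header value into a Map of directive name -> array of source expressions.
// Per CSP, the first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src when script-src is
// absent; if neither directive is present the policy places no restriction on eval.
function evalAllowed(policy) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// The behaviour the report expects: refuse before looking at the argument at all,
// so a stringified literal such as "'FAIL'" gets no special treatment.
function guardedEval(policy, source) {
  if (!evalAllowed(policy)) {
    throw new EvalError(
      "eval() blocked by Content Security Policy: 'unsafe-eval' is not an allowed script source"
    );
  }
  // Indirect eval runs in the global scope, as the engine's eval path does.
  return (0, eval)(source);
}

// Re-creates the page from the report under its <meta> policy; the body must stay PASS.
function renderReportPage() {
  const policy = "script-src 'unsafe-inline'"; // policy from the report's markup
  let bodyText = 'PASS';
  try {
    bodyText = guardedEval(policy, "'FAIL'");
  } catch (e) {
    if (!(e instanceof EvalError)) throw e; // only the CSP refusal is expected here
  }
  return bodyText;
}
```

renderReportPage() returns 'PASS' under the report's policy and would return 'FAIL' only if guardedEval let the literal through, which is exactly the regression the layout test eval-blocked.html is meant to catch.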
Comment 1 Daniel Bates 2015-12-10 17:32:53 PST
Created attachment 267144 [details]
Example

For convenience, an HTML document using the markup presented in comment 0.
Comment 2 Daniel Bates 2015-12-10 17:34:27 PST
<rdar://problem/15775625>
Comment 3 Daniel Bates 2015-12-10 17:56:02 PST
Created attachment 267146 [details]
Patch and layout tests
Comment 4 Brent Fulgham 2015-12-10 17:59:56 PST
(In reply to comment #3)
> Created attachment 267146 [details]
> Patch and layout tests

The patch doesn't seem to apply. Do you have a line-ending issue?
Comment 5 Saam Barati 2015-12-10 18:00:12 PST
Comment on attachment 267146 [details]
Patch and layout tests

r=me
Comment 6 Daniel Bates 2015-12-10 18:06:10 PST
(In reply to comment #4)
> (In reply to comment #3)
> > Created attachment 267146 [details]
> > Patch and layout tests
> 
> The patch doesn't seem to apply. Do you have a line-ending issue?

I inadvertently didn't merge a local Git commit that made changes to files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. The patch does not apply because it depends on these changes.
Comment 7 Daniel Bates 2015-12-10 18:06:41 PST
[5:57pm] dbates: r? <https://bugs.webkit.org/show_bug.cgi?id=152158>
[5:58pm] dbates: Let me rebase the patch
[5:59pm] saamyjoon: r=me
[6:00pm] saamyjoon: w/ rebased patch
[6:03pm] dbates: Actually, the reason the patch didn’t apply is because I inadvertently didn’t squash a local commit that changed the existing files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
[6:03pm] saamyjoon: ok
[6:03pm] dbates: Would you like to see those changes? Otherwise, I will squash that local patch into the one I posted and land
[6:04pm] saamyjoon: noope, just land it
[6:04pm] dbates: Thank you
[6:04pm] saamyjoon: np
Comment 8 Daniel Bates 2015-12-10 18:08:55 PST
Committed r193939: <http://trac.webkit.org/changeset/193939>