Bug 152158

Summary: [CSP] eval() is not blocked for stringified literals
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ddkilzer, ggaren, mark.lam, saam
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Example
none
Patch and layout tests saam: review+

Daniel Bates
Reported 2015-12-10 17:31:20 PST
Consider a web page with the following markup: <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'"> </head> <body> PASS <script> document.body.textContent = eval("'FAIL'"); </script> </body> </html> Opening this page will show the word FAIL. But it should show PASS and a JavaScript EvalError should be thrown because the Content Security Policy (CSP) of the page disallows eval() (by the omission of the source expression 'unsafe-eval' in the allowed script sources for the page).
Attachments
Example (210 bytes, text/html)
2015-12-10 17:32 PST, Daniel Bates 		no flags
Details
Patch and layout tests (19.37 KB, patch)
2015-12-10 17:56 PST, Daniel Bates 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2015-12-10 17:32:53 PST
Created attachment 267144 [details] Example For convenience, an HTML document using the markup presented in comment 0.
Daniel Bates
Comment 2 2015-12-10 17:34:27 PST
<rdar://problem/15775625>
Daniel Bates
Comment 3 2015-12-10 17:56:02 PST
Created attachment 267146 [details] Patch and layout tests
Brent Fulgham
Comment 4 2015-12-10 17:59:56 PST
(In reply to comment #3) > Created attachment 267146 [details] > Patch and layout tests The patch doesn't seem to apply. Do you have a line-ending issue?
Saam Barati
Comment 5 2015-12-10 18:00:12 PST
Comment on attachment 267146 [details] Patch and layout tests r=me
Daniel Bates
Comment 6 2015-12-10 18:06:10 PST
(In reply to comment #4) > (In reply to comment #3) > > Created attachment 267146 [details] > > Patch and layout tests > > The patch doesn't seem to apply. Do you have a line-ending issue? I inadvertently didn't merge a local Git commit that made changes to files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. The patch does not apply because it depends on these changes.
Daniel Bates
Comment 7 2015-12-10 18:06:41 PST
[5:57pm] dbates: r? <https://bugs.webkit.org/show_bug.cgi?id=152158> [5:58pm] dbates: Let me rebase the patch [5:59pm] saamyjoon: r=me [6:00pm] saamyjoon: w/ rebased patch [6:03pm] dbates: Actually, the reason the patch didn’t apply is because I inadverntly didn’t squah a local commit that changed the existing files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. [6:03pm] saamyjoon: ok [6:03pm] dbates: Would you like to see those changes? Otherwise, I will squash that local patch into the one I posted and land [6:04pm] saamyjoon: noope, just land it [6:04pm] dbates: Thank you [6:04pm] saamyjoon: np
Daniel Bates
Comment 8 2015-12-10 18:08:55 PST
Committed r193939: <http://trac.webkit.org/changeset/193939>
Note You need to log in before you can comment on or make changes to this bug.