Bug 209521

Summary:

App-bound domain checks should provide more debugging details at script evaluation sites

Product:

WebKit

Reporter:

Kate Cheney <katherine_cheney>

Component:

WebKit Misc.

Assignee:

Kate Cheney <katherine_cheney>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aestes, bfulgham, cdumez, ews-watchlist, mkwst, simon.fraser, thorton

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none

Kate Cheney

Reported 2020-03-24 16:38:48 PDT

This would be helpful for debugging.

Attachments
Patch (5.21 KB, patch) 2020-03-24 16:59 PDT, Kate Cheney	no flags	Details Formatted Diff Diff
Patch (6.61 KB, patch) 2020-03-25 08:54 PDT, Kate Cheney	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Kate Cheney

Comment 1 2020-03-24 16:39:27 PDT

<rdar://problem/60837954>

Kate Cheney

Comment 2 2020-03-24 16:59:55 PDT

Created attachment 394443 [details] Patch

Chris Dumez

Comment 3 2020-03-24 17:04:07 PDT

Comment on attachment 394443 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394443&action=review > Source/WebCore/bindings/js/ScriptController.cpp:580 > + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); Why do release logging here? How do you know document is non null? > Source/WebCore/page/Frame.cpp:630 > return; Why do release logging here?

Kate Cheney

Comment 4 2020-03-24 17:08:06 PDT

Comment on attachment 394443 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394443&action=review >> Source/WebCore/bindings/js/ScriptController.cpp:580 >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > Why do release logging here? > How do you know document is non null? I didn't see any other examples of release logging so I wasn't sure if I could here. I'll add a check for m_frame.document(). >> Source/WebCore/page/Frame.cpp:630 >> return; > > Why do release logging here? Same as above, I didn't see any other examples of release logging so I wasn't sure if I could here

Kate Cheney

Comment 5 2020-03-24 17:08:49 PDT

(In reply to katherine_cheney from comment #4) > Comment on attachment 394443 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394443&action=review > > >> Source/WebCore/bindings/js/ScriptController.cpp:580 > >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > > > Why do release logging here? > > How do you know document is non null? > > I didn't see any other examples of release logging so I wasn't sure if I > could here. I'll add a check for m_frame.document(). > (no other examples in this file) > >> Source/WebCore/page/Frame.cpp:630 > >> return; > > > > Why do release logging here? > > Same as above, I didn't see any other examples of release logging so I > wasn't sure if I could here

Chris Dumez

Comment 6 2020-03-24 17:38:07 PDT

(In reply to katherine_cheney from comment #4) > Comment on attachment 394443 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394443&action=review > > >> Source/WebCore/bindings/js/ScriptController.cpp:580 > >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > > > Why do release logging here? > > How do you know document is non null? > > I didn't see any other examples of release logging so I wasn't sure if I > could here. I'll add a check for m_frame.document(). > > >> Source/WebCore/page/Frame.cpp:630 > >> return; > > > > Why do release logging here? > > Same as above, I didn't see any other examples of release logging so I > wasn't sure if I could here I believe you can do release logging anywhere you'd like.

Kate Cheney

Comment 7 2020-03-25 08:54:32 PDT

Created attachment 394502 [details] Patch

EWS

Comment 8 2020-03-25 09:30:01 PDT

Committed r258986: <https://trac.webkit.org/changeset/258986> All reviewed patches have been landed. Closing bug and clearing flags on attachment 394502 [details].

Simon Fraser (smfr)

Comment 9 2020-03-25 09:55:38 PDT Comment hidden (obsolete)

Comment on attachment 394502 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394502&action=review > Source/WebCore/bindings/js/ScriptController.cpp:584 > + document->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); I don't think "user script injection" makes sense here, authors won't know what that means when they see it in the console. This needs to say something like "Scripts injected by extensions" or "Scripts injected by the application". Ideally it would explicitly identify the extension or app by name. Also, no-one will know what "app-bound domains" are.

Note You need to log in before you can comment on or make changes to this bug.