RESOLVED FIXED Bug 100815
[JSC] Script run from an isolated world should bypass a page's CSP
https://bugs.webkit.org/show_bug.cgi?id=100815
Mike West
Reported 2012-10-30 23:11:24 PDT
https://bugs.webkit.org/show_bug.cgi?id=97398 adds the ability for isolated worlds in V8 to bypass the Content Security Policy of the document they're layered on top of. This is useful for extensions, and it seems like a good API to implement in JSC as well.
Attachments
Patch (14.86 KB, patch)
2013-04-09 20:58 PDT, Geoffrey Garen
oliver: review+
Mike West
Comment 1 2013-02-07 11:00:50 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Jessie Berlin
Comment 2 2013-03-19 11:55:50 PDT
Geoffrey Garen
Comment 3 2013-04-09 20:58:35 PDT
Oliver Hunt
Comment 4 2013-04-09 21:54:39 PDT
Comment on attachment 197200
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=197200&action=review

> Source/WebCore/bindings/js/ScriptController.cpp:477
> + if (!callFrame || callFrame == CallFrame::noCaller())

we do this check a lot, i wonder if we could streamline it? (not in this patch though)
Geoffrey Garen
Comment 5 2013-04-09 22:08:47 PDT
> we do this check a lot, i wonder if we could streamline it? (not in this patch though)

Yeah, I think we should: I was surprised to learn that there were two different "null" values you had to test for, and I got it wrong the first time.
Geoffrey Garen
Comment 6 2013-04-09 22:11:20 PDT