Bug 100815 - [JSC] Script run from an isolated world should bypass a page's CSP
Summary: [JSC] Script run from an isolated world should bypass a page's CSP
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Geoffrey Garen
URL:
Keywords: InRadar
Depends on: 97398
Blocks:
Reported: 2012-10-30 23:11 PDT by Mike West
Modified: 2013-04-09 22:11 PDT (History)

Attachments
Patch (14.86 KB, patch)
2013-04-09 20:58 PDT, Geoffrey Garen
oliver: review+

Description Mike West 2012-10-30 23:11:24 PDT
https://bugs.webkit.org/show_bug.cgi?id=97398 adds the ability for isolated worlds in V8 to bypass the Content Security Policy of the document they're layered on top of. This is useful for extensions, and it seems like a good API to implement in JSC as well.
Comment 1 Mike West 2013-02-07 11:00:50 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 2 Jessie Berlin 2013-03-19 11:55:50 PDT
<rdar://problem/12726714>
Comment 3 Geoffrey Garen 2013-04-09 20:58:35 PDT
Created attachment 197200 [details]
Patch
Comment 4 Oliver Hunt 2013-04-09 21:54:39 PDT
Comment on attachment 197200 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=197200&action=review

> Source/WebCore/bindings/js/ScriptController.cpp:477
> +    if (!callFrame || callFrame == CallFrame::noCaller()) 

We do this check a lot; I wonder if we could streamline it? (Not in this patch, though.)
Comment 5 Geoffrey Garen 2013-04-09 22:08:47 PDT
> We do this check a lot; I wonder if we could streamline it? (Not in this patch, though.)

Yeah, I think we should: I was surprised to learn that there were two different "null" values you had to test for, and I got it wrong the first time.
Comment 6 Geoffrey Garen 2013-04-09 22:11:20 PDT
Committed r148076: <http://trac.webkit.org/changeset/148076>