Bug 115700 - CSP: Check inline event handlers on each run, not only the first
Summary: CSP: Check inline event handlers on each run, not only the first
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: BlinkMergeCandidate, InRadar
Depends on:
Blocks:
 
Reported: 2013-05-06 20:03 PDT by Ryosuke Niwa
Modified: 2016-03-22 12:08 PDT

Attachments
Patch (13.37 KB, patch)
2016-03-18 18:12 PDT, Daniel Bates
no flags
Archive of layout-test-results from ews101 for mac-yosemite (855.97 KB, application/zip)
2016-03-18 19:04 PDT, Build Bot
no flags
Archive of layout-test-results from ews106 for mac-yosemite-wk2 (863.52 KB, application/zip)
2016-03-18 19:08 PDT, Build Bot
no flags
Archive of layout-test-results from ews124 for ios-simulator-wk2 (728.81 KB, application/zip)
2016-03-18 19:13 PDT, Build Bot
no flags
Archive of layout-test-results from ews115 for mac-yosemite (929.61 KB, application/zip)
2016-03-18 19:20 PDT, Build Bot
no flags
Patch (13.39 KB, patch)
2016-03-19 15:08 PDT, Daniel Bates
aestes: review+
Description Ryosuke Niwa 2013-05-06 20:03:40 PDT
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/eeb0b48e9f470edeca26452382c1d6381f23371b

CSP: Check inline event handlers on each run, not only the first.

Injecting a policy into an existing document currently allows inline event
handlers to continue executing as long as they were executed once before
the policy was injected. This patch adjusts the check to ensure that it
always blocks execution.
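
The behaviour described above, as an added example that is not part of the original report and is not WebKit or Blink source: a simplified model of a lazily compiled inline event handler, showing why a policy check made only at first compilation misses a policy injected later. All names (`ModelDocument`, `LazyListener`, `simulate`) and the sample policy are assumptions made for illustration.

```javascript
// Simplified model only; names and the sample policy are hypothetical.

// True if one policy permits inline handlers. Simplified: looks only for
// 'unsafe-inline' in script-src (falling back to default-src); nonces and
// hashes are ignored.
function policyAllowsInline(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  return !sources || sources.includes("'unsafe-inline'");
}

class ModelDocument {
  constructor() { this.policies = []; }
  injectPolicy(policy) { this.policies.push(policy); } // e.g. a CSP added after load
  allowsInlineHandlers() { return this.policies.every(policyAllowsInline); }
}

class LazyListener {
  constructor(doc, body, checkOnEachRun) {
    this.doc = doc; this.body = body; this.checkOnEachRun = checkOnEachRun;
    this.compiled = null;
  }
  // Returns true if the handler body ran.
  handleEvent() {
    // Fixed behaviour: consult the current policy on every dispatch.
    if (this.checkOnEachRun && !this.doc.allowsInlineHandlers()) return false;
    if (!this.compiled) {
      // Original behaviour: the only check is here, before the result is cached.
      if (!this.doc.allowsInlineHandlers()) return false;
      this.compiled = this.body;
    }
    this.compiled();
    return true;
  }
}

function simulate(checkOnEachRun) {
  const doc = new ModelDocument();
  const used = new LazyListener(doc, () => {}, checkOnEachRun);
  const fresh = new LazyListener(doc, () => {}, checkOnEachRun);
  const beforePolicy = used.handleEvent();   // no policy yet: runs and is cached
  doc.injectPolicy("script-src 'self'");     // constructed sample policy
  return { beforePolicy, usedAfterPolicy: used.handleEvent(),
           freshAfterPolicy: fresh.handleEvent() };
}
```

`simulate(false)` models the check-on-first-run behaviour and `simulate(true)` the check-on-each-run behaviour; only `usedAfterPolicy` differs between them.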
Comment 1 Radar WebKit Bug Importer 2016-01-15 12:47:27 PST
<rdar://problem/24211159>
Comment 2 Daniel Bates 2016-03-18 18:12:29 PDT
Created attachment 274485 [details]
Patch
Comment 3 Build Bot 2016-03-18 19:04:38 PDT
Comment on attachment 274485 [details]
Patch

Attachment 274485 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/1002472

New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Comment 4 Build Bot 2016-03-18 19:04:42 PDT
Created attachment 274487 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 5 Build Bot 2016-03-18 19:08:15 PDT
Comment on attachment 274485 [details]
Patch

Attachment 274485 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/1002473

New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Comment 6 Build Bot 2016-03-18 19:08:19 PDT
Created attachment 274488 [details]
Archive of layout-test-results from ews106 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 7 Build Bot 2016-03-18 19:12:58 PDT
Comment on attachment 274485 [details]
Patch

Attachment 274485 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/1002474

New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Comment 8 Build Bot 2016-03-18 19:13:03 PDT
Created attachment 274489 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.10.5
Comment 9 Build Bot 2016-03-18 19:20:27 PDT
Comment on attachment 274485 [details]
Patch

Attachment 274485 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1002479

New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Comment 10 Build Bot 2016-03-18 19:20:32 PDT
Created attachment 274490 [details]
Archive of layout-test-results from ews115 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 11 Daniel Bates 2016-03-19 15:08:44 PDT
Created attachment 274524 [details]
Patch
Comment 12 Andy Estes 2016-03-21 11:03:24 PDT
Comment on attachment 274524 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=274524&action=review

> Source/WebCore/bindings/js/JSLazyEventListener.cpp:3
> - *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved.
> + *  Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved.
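
Review bot: On the `+` line, `2003-2009` is an exact collapse of the seven consecutive years listed on the `-` line, so the only year this hunk adds is 2016. Any wider range would also cover years that neither line lists (2010-2012, 2014, 2015), which is worth a conscious decision rather than a side effect of tidying the notation.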

I think we can just write 2003-2016.

> Source/WebCore/bindings/js/JSLazyEventListener.h:3
> - *  Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved.
> + *  Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved.
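
Review bot: The `+` line here ends in "All rights reserved." while the JSLazyEventListener.cpp header touched by the same patch ends in "All Rights Reserved."; since both header lines are being edited anyway, settle on one capitalisation for the two files.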

Ditto.
Comment 13 Daniel Bates 2016-03-22 12:07:26 PDT
(In reply to comment #12)
> > Source/WebCore/bindings/js/JSLazyEventListener.cpp:3
> > - *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved.
> > + *  Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved.
> 
> I think we can just write 2003-2016.
> 

Will fix before landing.

> > Source/WebCore/bindings/js/JSLazyEventListener.h:3
> > - *  Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved.
> > + *  Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved.
> 
> Ditto.

Will fix before landing.
Comment 14 Daniel Bates 2016-03-22 12:08:49 PDT
Committed r198541: <http://trac.webkit.org/changeset/198541>