We should consider merging https://chromium.googlesource.com/chromium/blink/+/eeb0b48e9f470edeca26452382c1d6381f23371b CSP: Check inline event handlers on each run, not only the first. Injecting a policy into an existing document currently allows inline event handlers to continue executing as long as they were executed once before the policy was injected. This patch adjusts the check to ensure that it always blocks execution.
<rdar://problem/24211159>
Created attachment 274485 [details] Patch
Comment on attachment 274485 [details] Patch Attachment 274485 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1002472 New failing tests: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html http/tests/security/contentSecurityPolicy/report-uri.php http/tests/security/contentSecurityPolicy/report-only-from-header.php http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php http/tests/security/contentSecurityPolicy/report-and-enforce.php http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html http/tests/security/contentSecurityPolicy/csp-header-is-sent.html http/tests/security/contentSecurityPolicy/report-only.php
Created attachment 274487 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 274485 [details] Patch Attachment 274485 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1002473 New failing tests: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html http/tests/security/contentSecurityPolicy/report-uri.php http/tests/security/contentSecurityPolicy/report-only-from-header.php http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php http/tests/security/contentSecurityPolicy/report-and-enforce.php http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html http/tests/security/contentSecurityPolicy/csp-header-is-sent.html http/tests/security/contentSecurityPolicy/report-only.php
Created attachment 274488 [details] Archive of layout-test-results from ews106 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 274485 [details] Patch Attachment 274485 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1002474 New failing tests: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html http/tests/security/contentSecurityPolicy/report-uri.php http/tests/security/contentSecurityPolicy/report-only-from-header.php http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php http/tests/security/contentSecurityPolicy/report-and-enforce.php http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html http/tests/security/contentSecurityPolicy/csp-header-is-sent.html http/tests/security/contentSecurityPolicy/report-only.php
Created attachment 274489 [details] Archive of layout-test-results from ews124 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 274485 [details] Patch Attachment 274485 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/1002479 New failing tests: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html http/tests/security/contentSecurityPolicy/report-uri.php http/tests/security/contentSecurityPolicy/report-only-from-header.php http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php http/tests/security/contentSecurityPolicy/report-and-enforce.php http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html http/tests/security/contentSecurityPolicy/csp-header-is-sent.html http/tests/security/contentSecurityPolicy/report-only.php
Created attachment 274490 [details] Archive of layout-test-results from ews115 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews115 Port: mac-yosemite Platform: Mac OS X 10.10.5
Created attachment 274524 [details] Patch
Comment on attachment 274524 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274524&action=review > Source/WebCore/bindings/js/JSLazyEventListener.cpp:3 > - * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved. > + * Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved. I think we can just write 2003-2016. > Source/WebCore/bindings/js/JSLazyEventListener.h:3 > - * Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved. > + * Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved. Ditto.
(In reply to comment #12) > > Source/WebCore/bindings/js/JSLazyEventListener.cpp:3 > > - * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved. > > + * Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved. > > I think we can just write 2003-2016. > Will fix before landing. > > Source/WebCore/bindings/js/JSLazyEventListener.h:3 > > - * Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved. > > + * Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved. > > Ditto. Will fix before landing.
Committed r198541: <http://trac.webkit.org/changeset/198541>