WebKit Bugzilla
Bug 115700: CSP: Check inline event handlers on each run, not only the first
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=115700
Ryosuke Niwa, Reported 2013-05-06 20:03:40 PDT
We should consider merging
https://chromium.googlesource.com/chromium/blink/+/eeb0b48e9f470edeca26452382c1d6381f23371b
CSP: Check inline event handlers on each run, not only the first. Injecting a policy into an existing document currently allows inline event handlers to continue executing as long as they were executed once before the policy was injected. This patch adjusts the check to ensure that it always blocks execution.
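
The behavior the report describes, as a simplified JavaScript model added here; it is not WebKit or Blink source. `ModelDocument`, the two listener classes and `runScenario` are hypothetical names, and policy injection is reduced to a flag.

```javascript
// Simplified model of the bug class (constructed; not WebKit or Blink source).
// ModelDocument stands in for a document whose policy is tightened after load.
class ModelDocument {
  constructor() { this.inlineAllowed = true; this.violations = []; }
  injectPolicy() { this.inlineAllowed = false; }
  allowsInlineEventHandler(attributeName) {
    if (this.inlineAllowed) return true;
    this.violations.push(attributeName); // a real engine would report here
    return false;
  }
}

// Before: the policy is consulted only when the attribute text is first
// compiled. Later events reuse the cached function without asking again.
class CheckOnFirstRunListener {
  constructor(doc, attributeName, body) {
    Object.assign(this, { doc, attributeName, body, compiled: null });
  }
  compile() { return new Function('event', this.body); }
  handleEvent(event) {
    if (!this.compiled) {
      if (!this.doc.allowsInlineEventHandler(this.attributeName)) return false;
      this.compiled = this.compile();
    }
    this.compiled(event);
    return true;
  }
}

// After: the policy is consulted on every dispatch, cached or not.
class CheckOnEachRunListener extends CheckOnFirstRunListener {
  handleEvent(event) {
    if (!this.doc.allowsInlineEventHandler(this.attributeName)) return false;
    if (!this.compiled) this.compiled = this.compile();
    this.compiled(event);
    return true;
  }
}

// Fire the handler once, inject the policy, then fire it again.
function runScenario(ListenerClass) {
  const doc = new ModelDocument();
  const log = [];
  const listener = new ListenerClass(doc, 'onclick', 'event.log.push(event.type)');
  const beforeInjection = listener.handleEvent({ type: 'click', log });
  doc.injectPolicy();
  const afterInjection = listener.handleEvent({ type: 'click', log });
  return { beforeInjection, afterInjection, runs: log.length, violations: doc.violations.length };
}
```

`runScenario(CheckOnFirstRunListener)` shows the handler still running after injection with no violation recorded; `runScenario(CheckOnEachRunListener)` shows the second dispatch blocked and one violation recorded.
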
Attachments
Patch (13.37 KB, patch), 2016-03-18 18:12 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews101 for mac-yosemite (855.97 KB, application/zip), 2016-03-18 19:04 PDT, Build Bot, no flags
Archive of layout-test-results from ews106 for mac-yosemite-wk2 (863.52 KB, application/zip), 2016-03-18 19:08 PDT, Build Bot, no flags
Archive of layout-test-results from ews124 for ios-simulator-wk2 (728.81 KB, application/zip), 2016-03-18 19:13 PDT, Build Bot, no flags
Archive of layout-test-results from ews115 for mac-yosemite (929.61 KB, application/zip), 2016-03-18 19:20 PDT, Build Bot, no flags
Patch (13.39 KB, patch), 2016-03-19 15:08 PDT, Daniel Bates, aestes: review+
Radar WebKit Bug Importer, Comment 1, 2016-01-15 12:47:27 PST
<rdar://problem/24211159>
Daniel Bates, Comment 2, 2016-03-18 18:12:29 PDT
Created attachment 274485: Patch
Build Bot, Comment 3, 2016-03-18 19:04:38 PDT
Comment on attachment 274485: Patch
Attachment 274485 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/1002472
New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Build Bot, Comment 4, 2016-03-18 19:04:42 PDT
Created attachment 274487: Archive of layout-test-results from ews101 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101
Port: mac-yosemite
Platform: Mac OS X 10.10.5
Build Bot, Comment 5, 2016-03-18 19:08:15 PDT
Comment on attachment 274485: Patch
Attachment 274485 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/1002473
New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Build Bot, Comment 6, 2016-03-18 19:08:19 PDT
Created attachment 274488: Archive of layout-test-results from ews106 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106
Port: mac-yosemite-wk2
Platform: Mac OS X 10.10.5
Build Bot, Comment 7, 2016-03-18 19:12:58 PDT
Comment on attachment 274485: Patch
Attachment 274485 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/1002474
New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Build Bot, Comment 8, 2016-03-18 19:13:03 PDT
Created attachment 274489: Archive of layout-test-results from ews124 for ios-simulator-wk2
The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124
Port: ios-simulator-wk2
Platform: Mac OS X 10.10.5
Build Bot, Comment 9, 2016-03-18 19:20:27 PDT
Comment on attachment 274485: Patch
Attachment 274485 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1002479
New failing tests:
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
http/tests/security/contentSecurityPolicy/report-uri-from-child-frame.html
http/tests/security/contentSecurityPolicy/report-uri.php
http/tests/security/contentSecurityPolicy/report-only-from-header.php
http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.php
http/tests/security/contentSecurityPolicy/report-and-enforce.php
http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
http/tests/security/contentSecurityPolicy/csp-header-is-sent.html
http/tests/security/contentSecurityPolicy/report-only.php
Build Bot, Comment 10, 2016-03-18 19:20:32 PDT
Created attachment 274490: Archive of layout-test-results from ews115 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115
Port: mac-yosemite
Platform: Mac OS X 10.10.5
Daniel Bates, Comment 11, 2016-03-19 15:08:44 PDT
Created attachment 274524: Patch
Andy Estes, Comment 12, 2016-03-21 11:03:24 PDT
Comment on attachment 274524: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=274524&action=review
> Source/WebCore/bindings/js/JSLazyEventListener.cpp:3 > - * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved. > + * Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved.
I think we can just write 2003-2016.
> Source/WebCore/bindings/js/JSLazyEventListener.h:3 > - * Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved. > + * Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved.
Ditto.
Daniel Bates, Comment 13, 2016-03-22 12:07:26 PDT
(In reply to comment #12)
> > Source/WebCore/bindings/js/JSLazyEventListener.cpp:3 > > - * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All Rights Reserved. > > + * Copyright (C) 2003-2009, 2013, 2016 Apple Inc. All Rights Reserved. > > I think we can just write 2003-2016. >
Will fix before landing.
> > Source/WebCore/bindings/js/JSLazyEventListener.h:3 > > - * Copyright (C) 2003, 2008, 2009, 2013 Apple Inc. All rights reserved. > > + * Copyright (C) 2003, 2008-2009, 2013, 2016 Apple Inc. All rights reserved. > > Ditto.
Will fix before landing.
Daniel Bates, Comment 14, 2016-03-22 12:08:49 PDT
Committed r198541: <http://trac.webkit.org/changeset/198541>