RESOLVED FIXED 146040
Web Inspector: Inspector Scripts evaluated in the page should not be searchable 
https://bugs.webkit.org/show_bug.cgi?id=146040
Summary Web Inspector: Inspector Scripts evaluated in the page should not be searchable
Joseph Pecoraro
Reported 2015-06-16 18:16:24 PDT
* SUMMARY Inspector Scripts evaluated in the page should not be searchable. * STEPS TO REPRODUCE 1. Inspect about:blank 2. Type "[1,2].con" in the console, to show autocompletion "concat" 3. Search "1,2" or "getComple" => results in Inspector internal script evaluated on the page to get completion for [1,2] * NOTES - The frontend ignores all evaluations containing a sourceURL starting with "__WebInspector", so we should append something like that for EVERY eval the frontend runs on the inspected page.
Attachments
[PATCH] Proposed Fix (11.73 KB, patch)
2015-06-16 18:28 PDT, Joseph Pecoraro 		joepeck: review-
joepeck: commit-queue-
DetailsFormatted DiffDiff
[PATCH] Proposed Fix (10.07 KB, patch)
2015-06-16 18:31 PDT, Joseph Pecoraro 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2015-06-16 18:16:55 PDT
<rdar://problem/21413971>
Joseph Pecoraro
Comment 2 2015-06-16 18:24:14 PDT
Also affects DebuggerPopovers, and other one-off evaluations like "document". Basically all of these places can evaluate arbitrary code on the frontend: - RuntimeAgent.evaluate - DebuggerAgent.evaluateOnCallFrame - RuntimeAgent.callFunctionOn Both of these are wrapped by managers / models, others are called directly in code. I will just look at updating the direct call sites of each to ensure I cover each case.
Joseph Pecoraro
Comment 3 2015-06-16 18:28:51 PDT
Created attachment 254991 [details] [PATCH] Proposed Fix cq- for the moment because at least one part of this has yet to be tested manually by me.
Joseph Pecoraro
Comment 4 2015-06-16 18:29:54 PDT
Comment on attachment 254991 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=254991&action=review > Source/WebInspectorUI/UserInterface/Controllers/JavaScriptRuntimeCompletionProvider.js:159 > + else if (result.type === "string" || result.type === "number" || result.type === "boolean") { > + var completionScript = "(" + getCompletions + ")(\"" + result.type + "\")"; > + WebInspector.runtimeManager.evaluateInInspectedWindow(completionScript, "completion", false, true, true, false, false, receivedPropertyNamesFromEvaluate.bind(this)); > + } else Err, this change can be reverted now that I have evaluateInInspectedWindow add the sourceURL. Let me update the patch.
Joseph Pecoraro
Comment 5 2015-06-16 18:31:05 PDT
Created attachment 254992 [details] [PATCH] Proposed Fix
WebKit Commit Bot
Comment 6 2015-06-16 22:12:30 PDT
Comment on attachment 254992 [details] [PATCH] Proposed Fix Clearing flags on attachment: 254992 Committed r185638: <http://trac.webkit.org/changeset/185638>
WebKit Commit Bot
Comment 7 2015-06-16 22:12:36 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.