Bug 152158 - [CSP] eval() is not blocked for stringified literals
Summary: [CSP] eval() is not blocked for stringified literals
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-12-10 17:31 PST by Daniel Bates
Modified: 2015-12-10 18:08 PST (History)
5 users (show)

See Also:

Attachments
Example (210 bytes, text/html)
2015-12-10 17:32 PST, Daniel Bates 		no flags Details
Patch and layout tests (19.37 KB, patch)
2015-12-10 17:56 PST, Daniel Bates 		saam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2015-12-10 17:31:20 PST 
Consider a web page with the following markup:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<body>
PASS
<script>
document.body.textContent = eval("'FAIL'");
</script>
</body>
</html>

Opening this page will show the word FAIL. But it should show PASS and a JavaScript EvalError should be thrown because the Content Security Policy (CSP) of the page disallows eval() (by the omission of the source expression 'unsafe-eval' in the allowed script sources for the page).
Comment 1 Daniel Bates 2015-12-10 17:32:53 PST 
Created attachment 267144 [details]
Example

For convenience, an HTML document using the markup presented in comment 0.
Comment 2 Daniel Bates 2015-12-10 17:34:27 PST 
<rdar://problem/15775625>
Comment 3 Daniel Bates 2015-12-10 17:56:02 PST 
Created attachment 267146 [details]
Patch and layout tests
Comment 4 Brent Fulgham 2015-12-10 17:59:56 PST 
(In reply to comment #3)
> Created attachment 267146 [details]
> Patch and layout tests

The patch doesn't seem to apply. Do you have a line-ending issue?
Comment 5 Saam Barati 2015-12-10 18:00:12 PST 
Comment on attachment 267146 [details]
Patch and layout tests

r=me
Comment 6 Daniel Bates 2015-12-10 18:06:10 PST 
(In reply to comment #4)
> (In reply to comment #3)
> > Created attachment 267146 [details]
> > Patch and layout tests
> 
> The patch doesn't seem to apply. Do you have a line-ending issue?

I inadvertently didn't merge a local Git commit that made changes to files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. The patch does not apply because it depends on these changes.
Comment 7 Daniel Bates 2015-12-10 18:06:41 PST 
[5:57pm] dbates: r? <https://bugs.webkit.org/show_bug.cgi?id=152158>
[5:58pm] dbates: Let me rebase the patch
[5:59pm] saamyjoon: r=me
[6:00pm] saamyjoon: w/ rebased patch
[6:03pm] dbates: Actually, the reason the patch didn’t apply is because I inadverntly didn’t squah a local commit that changed the existing files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
[6:03pm] saamyjoon: ok
[6:03pm] dbates: Would you like to see those changes? Otherwise, I will squash that local patch into the one I posted and land
[6:04pm] saamyjoon: noope, just land it
[6:04pm] dbates: Thank you
[6:04pm] saamyjoon: np
Comment 8 Daniel Bates 2015-12-10 18:08:55 PST 
Committed r193939: <http://trac.webkit.org/changeset/193939>