Bug 152158 - [CSP] eval() is not blocked for stringified literals
Summary: [CSP] eval() is not blocked for stringified literals
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-12-10 17:31 PST by Daniel Bates
Modified: 2015-12-10 18:08 PST (History)
5 users (show)

See Also:


Attachments
Example (210 bytes, text/html)
2015-12-10 17:32 PST, Daniel Bates
no flags Details
Patch and layout tests (19.37 KB, patch)
2015-12-10 17:56 PST, Daniel Bates
sbarati: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2015-12-10 17:31:20 PST
Consider a web page with the following markup:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<body>
PASS
<script>
document.body.textContent = eval("'FAIL'");
</script>
</body>
</html>

Opening this page will show the word FAIL. But it should show PASS and a JavaScript EvalError should be thrown because the Content Security Policy (CSP) of the page disallows eval() (by the omission of the source expression 'unsafe-eval' in the allowed script sources for the page).
Comment 1 Daniel Bates 2015-12-10 17:32:53 PST
Created attachment 267144 [details]
Example

For convenience, an HTML document using the markup presented in comment 0.
Comment 2 Daniel Bates 2015-12-10 17:34:27 PST
<rdar://problem/15775625>
Comment 3 Daniel Bates 2015-12-10 17:56:02 PST
Created attachment 267146 [details]
Patch and layout tests
Comment 4 Brent Fulgham 2015-12-10 17:59:56 PST
(In reply to comment #3)
> Created attachment 267146 [details]
> Patch and layout tests

The patch doesn't seem to apply. Do you have a line-ending issue?
Comment 5 Saam Barati 2015-12-10 18:00:12 PST
Comment on attachment 267146 [details]
Patch and layout tests

r=me
Comment 6 Daniel Bates 2015-12-10 18:06:10 PST
(In reply to comment #4)
> (In reply to comment #3)
> > Created attachment 267146 [details]
> > Patch and layout tests
> 
> The patch doesn't seem to apply. Do you have a line-ending issue?

I inadvertently didn't merge a local Git commit that made changes to files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt. The patch does not apply because it depends on these changes.
Comment 7 Daniel Bates 2015-12-10 18:06:41 PST
[5:57pm] dbates: r? <https://bugs.webkit.org/show_bug.cgi?id=152158>
[5:58pm] dbates: Let me rebase the patch
[5:59pm] saamyjoon: r=me
[6:00pm] saamyjoon: w/ rebased patch
[6:03pm] dbates: Actually, the reason the patch didn’t apply is because I inadverntly didn’t squah a local commit that changed the existing files LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html and LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
[6:03pm] saamyjoon: ok
[6:03pm] dbates: Would you like to see those changes? Otherwise, I will squash that local patch into the one I posted and land
[6:04pm] saamyjoon: noope, just land it
[6:04pm] dbates: Thank you
[6:04pm] saamyjoon: np
Comment 8 Daniel Bates 2015-12-10 18:08:55 PST
Committed r193939: <http://trac.webkit.org/changeset/193939>