Bug 153148 - CSP: 'eval()' blocked in report-only mode should send a violation report
Summary: CSP: 'eval()' blocked in report-only mode should send a violation report
Status: RESOLVED DUPLICATE of bug 111869
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
Keywords: BlinkMergeCandidate, InRadar
Depends on:
Reported: 2016-01-15 14:44 PST by Daniel Bates
Modified: 2018-06-13 21:55 PDT (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2016-01-15 14:44:41 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155752>.

CSP: 'eval()' blocked in report-only mode should send a violation report.

Currently, 'eval()' is blocked inside V8 when an enforce-mode Content
Security Policy is specified for a document. Report-only policies don't
trigger this mechanism, and therefore can deliver violation reports
neither to the 'report-uri' in the policy nor the console.

This patch changes ContentSecurityPolicy::didReceiveHeader to disable
eval inside V8 for report-only policies as well, and relies on the
V8Initializer::codeGenerationCheckCallbackInMainThread callback to give
V8 the final go/no-go decision regarding the code's execution.

This patch has the negative performance side-effect of calling back from
V8 to core whenever 'eval()' is encountered on a page with an CSP that
blocks eval. Given that the page isn't expecting to run 'eval()' at all, that
impact seems like something we can live with (though it is fairly
Comment 1 Radar WebKit Bug Importer 2016-01-27 20:29:35 PST
Comment 2 Daniel Bates 2018-06-13 21:55:53 PDT

*** This bug has been marked as a duplicate of bug 111869 ***