209521 – App-bound domain checks should provide more debugging details at script evaluation sites

RESOLVED FIXED 209521

App-bound domain checks should provide more debugging details at script evaluation sites

https://bugs.webkit.org/show_bug.cgi?id=209521

Summary App-bound domain checks should provide more debugging details at script evalu...

Kate Cheney

Reported 2020-03-24 16:38:48 PDT

This would be helpful for debugging.

Attachments
Patch (5.21 KB, patch) 2020-03-24 16:59 PDT, Kate Cheney	no flags	Details Formatted Diff Diff
Patch (6.61 KB, patch) 2020-03-25 08:54 PDT, Kate Cheney	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Kate Cheney

Comment 1 2020-03-24 16:39:27 PDT

<rdar://problem/60837954>

Kate Cheney

Comment 2 2020-03-24 16:59:55 PDT

Created attachment 394443 [details] Patch

Chris Dumez

Comment 3 2020-03-24 17:04:07 PDT

Comment on attachment 394443 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394443&action=review > Source/WebCore/bindings/js/ScriptController.cpp:580 > + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); Why do release logging here? How do you know document is non null? > Source/WebCore/page/Frame.cpp:630 > return; Why do release logging here?

Kate Cheney

Comment 4 2020-03-24 17:08:06 PDT

Comment on attachment 394443 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394443&action=review >> Source/WebCore/bindings/js/ScriptController.cpp:580 >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > Why do release logging here? > How do you know document is non null? I didn't see any other examples of release logging so I wasn't sure if I could here. I'll add a check for m_frame.document(). >> Source/WebCore/page/Frame.cpp:630 >> return; > > Why do release logging here? Same as above, I didn't see any other examples of release logging so I wasn't sure if I could here

Kate Cheney

Comment 5 2020-03-24 17:08:49 PDT

(In reply to katherine_cheney from comment #4) > Comment on attachment 394443 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394443&action=review > > >> Source/WebCore/bindings/js/ScriptController.cpp:580 > >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > > > Why do release logging here? > > How do you know document is non null? > > I didn't see any other examples of release logging so I wasn't sure if I > could here. I'll add a check for m_frame.document(). > (no other examples in this file) > >> Source/WebCore/page/Frame.cpp:630 > >> return; > > > > Why do release logging here? > > Same as above, I didn't see any other examples of release logging so I > wasn't sure if I could here

Chris Dumez

Comment 6 2020-03-24 17:38:07 PDT

(In reply to katherine_cheney from comment #4) > Comment on attachment 394443 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394443&action=review > > >> Source/WebCore/bindings/js/ScriptController.cpp:580 > >> + m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); > > > > Why do release logging here? > > How do you know document is non null? > > I didn't see any other examples of release logging so I wasn't sure if I > could here. I'll add a check for m_frame.document(). > > >> Source/WebCore/page/Frame.cpp:630 > >> return; > > > > Why do release logging here? > > Same as above, I didn't see any other examples of release logging so I > wasn't sure if I could here I believe you can do release logging anywhere you'd like.

Kate Cheney

Comment 7 2020-03-25 08:54:32 PDT

Created attachment 394502 [details] Patch

EWS

Comment 8 2020-03-25 09:30:01 PDT

Committed r258986: <https://trac.webkit.org/changeset/258986> All reviewed patches have been landed. Closing bug and clearing flags on attachment 394502 [details].

Simon Fraser (smfr)

Comment 9 2020-03-25 09:55:38 PDT Comment hidden (obsolete)

Comment on attachment 394502 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394502&action=review > Source/WebCore/bindings/js/ScriptController.cpp:584 > + document->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "Ignoring user script injection for non-app bound domain."); I don't think "user script injection" makes sense here, authors won't know what that means when they see it in the console. This needs to say something like "Scripts injected by extensions" or "Scripts injected by the application". Ideally it would explicitly identify the extension or app by name. Also, no-one will know what "app-bound domains" are.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit Misc.

Assignee

Kate Cheney

Reported

2020-03-24 16:38 PDT

Modified

2020-03-25 09:55 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks