RESOLVED FIXED 86943
Blocking `setTimeout` and `setInterval` evaluation with CSP should include a stack trace in the console warning. 
https://bugs.webkit.org/show_bug.cgi?id=86943
Summary Blocking `setTimeout` and `setInterval` evaluation with CSP should include a ...
Mike West
Reported 2012-05-19 07:27:11 PDT
Along the same lines as http://webk.it/86848, the error message for CSP-blocked `setTimeout` and `setInterval` calls don't give developers enough information to debug the issue. We should include a stack trace with the error so they can jump directly to the offending line. I've got a patch together that does this, but I'm a bit worried that it's making the CSP interface pretty complex (especially in conjunction with 86848, and some CSP 1.1 work). I'd also like to add a test to verify that a call stack is present, but I'm not exactly sure how I can track that down from JavaScript. I dug through the inspector tests currently in the system, but nothing seemed to fit the use case. Suggestions?
Attachments
Patch (9.48 KB, patch)
2012-05-19 07:35 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
Patch (15.76 KB, patch)
2012-05-21 06:02 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
Patch (18.52 KB, patch)
2012-05-21 11:52 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2012-05-19 07:35:31 PDT
Created attachment 142866 [details] Patch
Build Bot
Comment 2 2012-05-19 08:03:05 PDT
Comment on attachment 142866 [details] Patch Attachment 142866 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12729378
jochen
Comment 3 2012-05-19 11:25:59 PDT
(In reply to comment #0) > I'd also like to add a test to verify that a call stack is present, but I'm not exactly sure how I can track that down from JavaScript. I dug through the inspector tests currently in the system, but nothing seemed to fit the use case. Suggestions? I think that InspectorTest.dumpConsoleMessages() should do the trick (see LayoutTests/inspector/console/)
Mike West
Comment 4 2012-05-20 00:41:08 PDT
After digging a bit, it looks like the InspectorTest framework isn't playing nicely with CSP. If I inject `<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">` into http/tests/inspector/console-cd.html, for example, it times out. I'm not exactly sure where it's dying, but it's entirely possible that it relies on `eval` (in the form of `RuntimeAgent.evaluate`).
Adam Barth
Comment 5 2012-05-20 21:00:41 PDT
The code in this patch looks fine, but we should have a test. I'm not sure what to do about the test harness using eval...
jochen
Comment 6 2012-05-21 02:14:25 PDT
(In reply to comment #5) > The code in this patch looks fine, but we should have a test. I'm not sure what to do about the test harness using eval... I would recommend to add a function to window.internals that returns the recorded console messages, doing basically the same as InspectorTest.dumpConsoleMessages, just without depending on InspectorTest
Pavel Feldman
Comment 7 2012-05-21 02:17:19 PDT
(In reply to comment #6) > (In reply to comment #5) > > The code in this patch looks fine, but we should have a test. I'm not sure what to do about the test harness using eval... > > I would recommend to add a function to window.internals that returns the recorded console messages, doing basically the same as InspectorTest.dumpConsoleMessages, just without depending on InspectorTest +1
Mike West
Comment 8 2012-05-21 05:50:16 PDT
As it turns out, this isn't an `eval` problem. It's an inspector test issue. Long story short, if I copy my test into the `http/tests/inspector` directory, things work as expected. If I don't, I get timeouts. Jochen suggested that there might be a separate inspector agent process that's only spun up if certain tests are executed. It looks like `http/tests/inspector-enabled` is there for exactly this purpose; I'm adding tests there.
Mike West
Comment 9 2012-05-21 06:02:03 PDT
Created attachment 143014 [details] Patch
Build Bot
Comment 10 2012-05-21 06:17:31 PDT
Comment on attachment 143014 [details] Patch Attachment 143014 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12733602
Adam Barth
Comment 11 2012-05-21 09:05:42 PDT
Comment on attachment 143014 [details] Patch Looks like you've got some sort of problem on apple-win.
Mike West
Comment 12 2012-05-21 09:20:01 PDT
Yeah, it looks like the compiler is picking the wrong `isAllowedByAll` and throwing type errors. Would you mind terribly if I simply renamed the function to something like `isAllowedByAllWithCallStack` instead of overloading the `isAllowedByAll` that takes a KURL? We'd end up with something like CSP::isAllowedByAll, CSP::isAllowedByAllWithCallStack, and CSP::isAllowedByAllWithKURL, which is ugly, but simpler to understand than digging through Windows' template specialization rules. (It might, of course, just be something simple that I'm overlooking...)
Adam Barth
Comment 13 2012-05-21 09:25:41 PDT
That's fine. These functions are only used in this file, so it's ok if their names a bit wonky.
Mike West
Comment 14 2012-05-21 11:52:06 PDT
Created attachment 143070 [details] Patch
WebKit Review Bot
Comment 15 2012-05-21 16:00:02 PDT
Comment on attachment 143070 [details] Patch Clearing flags on attachment: 143070 Committed r117826: <http://trac.webkit.org/changeset/117826>
WebKit Review Bot
Comment 16 2012-05-21 16:00:08 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.