RESOLVED FIXED 88450
Can't use eval in iframes sandboxed via CSP header
https://bugs.webkit.org/show_bug.cgi?id=88450
Summary Can't use eval in iframes sandboxed via CSP header
Mihai Parparita
Reported 2012-06-06 13:32:37 PDT
Test case: http://persistent.info/webkit/test-cases/csp/parent-no-eval.php (should see PASS in both frames, but only the second one has it). The parent is served with the CSP header "script-src 'unsafe-inline'". It includes an iframe that is served with the CSP header "sandbox allow-scripts". The iframe tries to make an eval() call, and fails with "EvalError: Eval is disabled" (with JSC) and/or "Code generation from strings disallowed for this context" (with V8). If I include the same iframe with the equivalent "sandbox" attribute, then eval() works.
Attachments
test (1.57 KB, patch)
2012-06-06 15:07 PDT, Adam Barth
no flags
possible fix (4.41 KB, patch)
2012-06-06 15:43 PDT, Adam Barth
no flags
Patch (7.34 KB, patch)
2012-06-06 16:51 PDT, Adam Barth
no flags
Patch for landing (7.44 KB, patch)
2012-06-08 11:14 PDT, Adam Barth
no flags
Archive of layout-test-results from ec2-cq-02 (847.35 KB, application/zip)
2012-06-08 16:35 PDT, WebKit Review Bot
no flags
Adam Barth
Comment 1 2012-06-06 15:07:23 PDT
Adam Barth
Comment 2 2012-06-06 15:18:25 PDT
Looks like the problem is that we're performing a secure transition from the initial about:blank document to the document from the network. When we do that, we reuse the global object (this is some crazy compat thing which I can explain if you're curious), and it carries forward the "no eval" bit. The proper solution is probably to reset the "no eval" bit even when doing a secure transition.
Adam Barth
Comment 3 2012-06-06 15:43:48 PDT
Created attachment 146131 [details] possible fix
Adam Barth
Comment 4 2012-06-06 16:51:27 PDT
Adam Barth
Comment 5 2012-06-06 17:36:02 PDT
Comment on attachment 146145 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=146145&action=review

> Source/WebCore/bindings/v8/ScriptController.cpp:300
> -    v8::Handle<v8::Context> v8Context = V8Proxy::mainWorldContext(m_frame);
> +    v8::Handle<v8::Context> v8Context = proxy()->windowShell()->context();

Note: This change isn't strictly necessary. I just did it to mirror enableEval above.
Mihai Parparita
Comment 6 2012-06-08 00:24:40 PDT
Comment on attachment 146145 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=146145&action=review

> Source/WebCore/bindings/v8/ScriptController.cpp:296
>     if (!m_proxy->windowShell()->initContextIfNeeded())

Nit: switch this to accessing m_proxy via proxy() for consistency with the other uses you're adding.
Adam Barth
Comment 7 2012-06-08 11:14:35 PDT
Created attachment 146613 [details] Patch for landing
Adam Barth
Comment 8 2012-06-08 11:15:50 PDT
Comment on attachment 146613 [details] Patch for landing Actually, I should test this patch on JSC before landing it.
Adam Barth
Comment 9 2012-06-08 14:03:30 PDT
Comment on attachment 146613 [details] Patch for landing JSC looks to work as well. Good times.
WebKit Review Bot
Comment 10 2012-06-08 16:35:36 PDT
Comment on attachment 146613 [details] Patch for landing
Rejecting attachment 146613 [details] from commit-queue.
New failing tests: fast/repaint/block-selection-gap-in-composited-layer.html
Full output: http://queues.webkit.org/results/12910753
WebKit Review Bot
Comment 11 2012-06-08 16:35:41 PDT
Created attachment 146662 [details] Archive of layout-test-results from ec2-cq-02
The attached test failures were seen while running run-webkit-tests on the commit-queue.
Bot: ec2-cq-02
Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>
Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
WebKit Review Bot
Comment 12 2012-06-09 12:35:19 PDT
Comment on attachment 146613 [details] Patch for landing
Clearing flags on attachment: 146613
Committed r119913: <http://trac.webkit.org/changeset/119913>
WebKit Review Bot
Comment 13 2012-06-09 12:35:25 PDT
All reviewed patches have been landed. Closing bug.