Bug 88450 - Can't use eval in iframes sandboxed via CSP header
Summary: Can't use eval in iframes sandboxed via CSP header
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Adam Barth
URL: http://persistent.info/webkit/test-ca...
Reported: 2012-06-06 13:32 PDT by Mihai Parparita
Modified: 2012-06-09 12:35 PDT

Attachments
test (1.57 KB, patch) - 2012-06-06 15:07 PDT, Adam Barth
possible fix (4.41 KB, patch) - 2012-06-06 15:43 PDT, Adam Barth
Patch (7.34 KB, patch) - 2012-06-06 16:51 PDT, Adam Barth
Patch for landing (7.44 KB, patch) - 2012-06-08 11:14 PDT, Adam Barth
Archive of layout-test-results from ec2-cq-02 (847.35 KB, application/zip) - 2012-06-08 16:35 PDT, WebKit Review Bot

Description Mihai Parparita 2012-06-06 13:32:37 PDT
Test case: http://persistent.info/webkit/test-cases/csp/parent-no-eval.php (should see PASS in both frames, but only the second one has it).

The parent is served with the CSP header "script-src 'unsafe-inline'". It includes an iframe that is served with the CSP header "sandbox allow-scripts".

The iframe tries to make an eval() call, and fails with "EvalError: Eval is disabled" (with JSC) and/or "Code generation from strings disallowed for this context" (with V8).

If I include the same iframe with the equivalent "sandbox" attribute, then eval() works.
Comment 1 Adam Barth 2012-06-06 15:07:23 PDT
Created attachment 146120
test
Comment 2 Adam Barth 2012-06-06 15:18:25 PDT
Looks like the problem is that we're performing a secure transition from the initial about:blank document to the document from the network.  When we do that, we reuse the global object (this is some crazy compat thing which I can explain if you're curious), and it carries forward the "no eval" bit.

The proper solution is probably to reset the "no eval" bit even when doing a secure transition.
Comment 3 Adam Barth 2012-06-06 15:43:48 PDT
Created attachment 146131
possible fix
Comment 4 Adam Barth 2012-06-06 16:51:27 PDT
Created attachment 146145
Patch
Comment 5 Adam Barth 2012-06-06 17:36:02 PDT
Comment on attachment 146145
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=146145&action=review

> Source/WebCore/bindings/v8/ScriptController.cpp:300
> -    v8::Handle<v8::Context> v8Context = V8Proxy::mainWorldContext(m_frame);
> +    v8::Handle<v8::Context> v8Context = proxy()->windowShell()->context();
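Review bot: the replacement at line 300 reads the window shell's context directly instead of going through V8Proxy::mainWorldContext(m_frame), so it relies on the `initContextIfNeeded()` guard a few lines earlier (line 296 in the same file) having succeeded on every path that reaches it; since the change is cosmetic (mirroring enableEval), keep the guard and this read adjacent, or add a one-line comment at the call site, so a later edit does not separate them.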

Note: This change isn't strictly necessary.  I just did it to mirror enableEval above.
Comment 6 Mihai Parparita 2012-06-08 00:24:40 PDT
Comment on attachment 146145
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=146145&action=review

> Source/WebCore/bindings/v8/ScriptController.cpp:296
>      if (!m_proxy->windowShell()->initContextIfNeeded())

Nit: switch this to accessing m_proxy via proxy() for consistency with the other uses you're adding.
Comment 7 Adam Barth 2012-06-08 11:14:35 PDT
Created attachment 146613
Patch for landing
Comment 8 Adam Barth 2012-06-08 11:15:50 PDT
Comment on attachment 146613
Patch for landing

Actually, I should test this patch on JSC before landing it.
Comment 9 Adam Barth 2012-06-08 14:03:30 PDT
Comment on attachment 146613
Patch for landing

JSC looks to work as well.  Good times.
Comment 10 WebKit Review Bot 2012-06-08 16:35:36 PDT
Comment on attachment 146613
Patch for landing

Rejecting attachment 146613 from commit-queue.

New failing tests:
fast/repaint/block-selection-gap-in-composited-layer.html
Full output: http://queues.webkit.org/results/12910753
Comment 11 WebKit Review Bot 2012-06-08 16:35:41 PDT
Created attachment 146662
Archive of layout-test-results from ec2-cq-02

The attached test failures were seen while running run-webkit-tests on the commit-queue.
Bot: ec2-cq-02  Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'>  Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Comment 12 WebKit Review Bot 2012-06-09 12:35:19 PDT
Comment on attachment 146613
Patch for landing

Clearing flags on attachment: 146613

Committed r119913: <http://trac.webkit.org/changeset/119913>
Comment 13 WebKit Review Bot 2012-06-09 12:35:25 PDT
All reviewed patches have been landed.  Closing bug.