RESOLVED FIXED 93392
CSP doesn't turn off eval, etc. in Web Workers 
https://bugs.webkit.org/show_bug.cgi?id=93392
Summary CSP doesn't turn off eval, etc. in Web Workers
Thomas Sepez
Reported 2012-08-07 14:02:30 PDT
Originally reported by mazurak [at] cs.wisc.edu at http://code.google.com/p/chromium/issues/detail?id=140544 VULNERABILITY DETAILS By default, eval and eval-like functionality should be turned off whenever a Content Security Policy is in place, but this isn't happening in workers. The CSP spec definitely says that the policy on a worker should match the policy on its parent page, and checks on the origins of scripts do appear working correctly. Comparing SetTimeoutOrInterval in V8WorkerContextCustom.cpp to WindowSetTimeoutImpl in V8DomWindowCustom.cpp, it looks like the necessary checks are just missing on the worker side. VERSION Chrome Version: 21.0.1180.57 (stable) Operating System: Linux (Debian testing) (doesn't appear OS-dependent) REPRODUCTION CASE The tests here should all pass for a browser that is implementing CSP and Web Workers correctly (assuming I have not made some silly JavaScript mistakes): http://pages.cs.wisc.edu/~mazurak/csp_demo/
Attachments
Tests, more or less. (4.80 KB, patch)
2012-08-09 10:18 PDT, Thomas Sepez 		no flags
DetailsFormatted DiffDiff
Patch, in-progress, fixes for JSC side, missing chromium eval() fix. (8.50 KB, patch)
2012-08-09 16:01 PDT, Thomas Sepez 		webkit.review.bot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from gce-cr-linux-05 (325.38 KB, application/zip)
2012-08-13 14:44 PDT, WebKit Review Bot 		no flags
Details
Patch for review. (12.90 KB, patch)
2012-08-13 14:56 PDT, Thomas Sepez 		webkit.review.bot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from gce-cr-linux-03 (399.24 KB, application/zip)
2012-08-13 16:56 PDT, WebKit Review Bot 		no flags
Details
Archive of layout-test-results from gce-cr-linux-01 (434.13 KB, application/zip)
2012-08-13 17:30 PDT, WebKit Review Bot 		no flags
Details
Patch (including chromium eval() fix). (12.11 KB, patch)
2012-08-20 12:40 PDT, Thomas Sepez 		tsepez: review-
tsepez: commit-queue-
DetailsFormatted DiffDiff
Patch (fix changelog) (14.05 KB, patch)
2012-08-20 12:57 PDT, Thomas Sepez 		abarth: review+
DetailsFormatted DiffDiff
Patch (fix nits). (14.07 KB, patch)
2012-08-20 13:24 PDT, Thomas Sepez 		abarth: review+
webkit.review.bot: commit-queue-
DetailsFormatted DiffDiff
Patch, update-webkit (14.07 KB, patch)
2012-08-27 14:46 PDT, Thomas Sepez 		abarth: review+
abarth: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (9) View All Add attachment proposed patch, testcase, etc.
Thomas Sepez
Comment 1 2012-08-07 14:03:37 PDT
I believe this to be specific to the chromium platform; we'll know once I convert (shortly) the example to layout tests.
Thomas Sepez
Comment 2 2012-08-09 10:18:23 PDT
Created attachment 157478 [details] Tests, more or less.
Thomas Sepez
Comment 3 2012-08-09 16:01:35 PDT
Created attachment 157570 [details] Patch, in-progress, fixes for JSC side, missing chromium eval() fix.
Thomas Sepez
Comment 4 2012-08-13 13:14:50 PDT
BTW, not specific to chromium side.
Eric Seidel (no email)
Comment 5 2012-08-13 13:22:07 PDT
This isn't a security bug. :) It was a conscious FIXME of the time, no need to restrict viewership here.
WebKit Review Bot
Comment 6 2012-08-13 14:44:35 PDT
Comment on attachment 157570 [details] Patch, in-progress, fixes for JSC side, missing chromium eval() fix. Attachment 157570 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13492247 New failing tests: http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html
WebKit Review Bot
Comment 7 2012-08-13 14:44:39 PDT
Created attachment 158110 [details] Archive of layout-test-results from gce-cr-linux-05 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-05 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
Thomas Sepez
Comment 8 2012-08-13 14:56:32 PDT
Created attachment 158115 [details] Patch for review.
WebKit Review Bot
Comment 9 2012-08-13 16:56:26 PDT
Comment on attachment 158115 [details] Patch for review. Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13485673 New failing tests: http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html
WebKit Review Bot
Comment 10 2012-08-13 16:56:30 PDT
Created attachment 158147 [details] Archive of layout-test-results from gce-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-03 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
WebKit Review Bot
Comment 11 2012-08-13 17:30:10 PDT
Comment on attachment 158115 [details] Patch for review. Attachment 158115 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13484957 New failing tests: http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html http/tests/security/contentSecurityPolicy/worker-eval-blocked.html http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html
WebKit Review Bot
Comment 12 2012-08-13 17:30:14 PDT
Created attachment 158156 [details] Archive of layout-test-results from gce-cr-linux-01 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-01 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid
Thomas Sepez
Comment 13 2012-08-20 12:40:18 PDT
Created attachment 159491 [details] Patch (including chromium eval() fix).
Thomas Sepez
Comment 14 2012-08-20 12:51:27 PDT
Comment on attachment 159491 [details] Patch (including chromium eval() fix). bleh. Source/WebCore/ChangeLog fell out of the patch :(.
Thomas Sepez
Comment 15 2012-08-20 12:57:56 PDT
Created attachment 159495 [details] Patch (fix changelog)
Adam Barth
Comment 16 2012-08-20 13:03:42 PDT
Comment on attachment 159495 [details] Patch (fix changelog) View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249 > + m_disableEvalPending = !enable; What if m_context already exists? Should we call AllowCodeGenerationFromStrings on it? > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72 > + void allowEval(bool enable); setEvalAllowed ? > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69 > + if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) { ContentSecurityPolicy * -> ContentSecurityPolicy*
Thomas Sepez
Comment 17 2012-08-20 13:13:36 PDT
(In reply to comment #16) > (From update of attachment 159495 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=159495&action=review > > > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.cpp:249 > > + m_disableEvalPending = !enable; > > What if m_context already exists? Should we call AllowCodeGenerationFromStrings on it? > Nah. You don't do any work until you call evaluate(), so we just use that one path always. > > Source/WebCore/bindings/v8/WorkerContextExecutionProxy.h:72 > > + void allowEval(bool enable); > > setEvalAllowed ? > Will Do. > > Source/WebCore/bindings/v8/custom/V8WorkerContextCustom.cpp:69 > > + if (ContentSecurityPolicy *policy = workerContext->contentSecurityPolicy()) { > > ContentSecurityPolicy * -> ContentSecurityPolicy* Will Do.
Thomas Sepez
Comment 18 2012-08-20 13:24:25 PDT
Created attachment 159506 [details] Patch (fix nits).
Adam Barth
Comment 19 2012-08-22 15:29:37 PDT
Comment on attachment 159506 [details] Patch (fix nits). Thanks.
WebKit Review Bot
Comment 20 2012-08-27 13:21:59 PDT
Comment on attachment 159506 [details] Patch (fix nits). Rejecting attachment 159506 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: er-set-timeout-blocked-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-eval.js patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-function-function.js patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-set-timeout.js Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Adam Barth']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/ Full output: http://queues.webkit.org/results/13616310
Thomas Sepez
Comment 21 2012-08-27 14:46:18 PDT
Created attachment 160811 [details] Patch, update-webkit re-upload patch. Unclear if out of date or if infrastructure itself is borked.
Adam Barth
Comment 22 2012-08-28 15:18:16 PDT
Comment on attachment 160811 [details] Patch, update-webkit I'm building this locally and will land manually.
Adam Barth
Comment 23 2012-08-28 18:15:51 PDT
Committed r126947: <http://trac.webkit.org/changeset/126947>
Note You need to log in before you can comment on or make changes to this bug.