abarth@webkit.org authored
Reviewed by Eric Seidel.

CSP script-src should block eval
https://bugs.webkit.org/show_bug.cgi?id=59850

Test that both function-eval and operator-eval are correctly blocked and
allowed according to the policy.

* http/tests/security/contentSecurityPolicy/eval-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-blocked.html: Added.

2011-04-29 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP script-src should block eval
https://bugs.webkit.org/show_bug.cgi?id=59850

ggaren recommended a different approach to this patch, essentially
installing a new function for function-eval and changing the AST
representation of operator-eval to call function-eval. However, I'm not
sure that approach is workable because the ASTBuilder doesn't know about
global objects, and there is added complication due to the cache.

This approach is more dynamic, adding a branch in EvalExecutable to detect
whether eval is currently disabled in the lexical scope. The spec is
slightly unclear about whether we should return undefined or throw an
exception. I've asked Brandon to clarify the spec, but throwing an
exception seems natural.

* JavaScriptCore.exp:
* runtime/Executable.cpp:
(JSC::EvalExecutable::compileInternal):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::disableEval):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::isEvalEnabled):

2011-04-29 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP script-src should block eval
https://bugs.webkit.org/show_bug.cgi?id=59850

Rather than have JavaScriptCore call back into WebCore to learn whether
eval is enabled, we push that bit of the policy into JavaScriptCore.

Tests: http/tests/security/contentSecurityPolicy/eval-allowed.html
       http/tests/security/contentSecurityPolicy/eval-blocked.html

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::disableEval):
* bindings/js/ScriptController.h:
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::didReceiveHeader):
(WebCore::ContentSecurityPolicy::internalAllowEval):
(WebCore::ContentSecurityPolicy::allowEval):
* page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@85388 268f45cc-cd09-0410-ab3c-d52691b4dbfc
26a40f16
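
The design in the commit message (decide once from the policy, then push a single "eval enabled" bit into the script engine's global object) can be tried out in Node.js, where V8 exposes a comparable per-context switch. This is an added example, not WebKit code: the function names are hypothetical, the policy check assumes today's `'unsafe-eval'` keyword rather than whatever syntax this revision parsed, and it reads "operator-eval" as a direct `eval(...)` call and "function-eval" as a call through the function value.

```javascript
// Added illustration (Node.js); not WebKit code. All names here are hypothetical.
const vm = typeof require === 'function'
  ? require('node:vm')
  : process.getBuiltinModule('node:vm');

// Decide the eval bit from a policy string, using today's CSP syntax (an
// assumption): a script-src directive, or default-src as its fallback,
// blocks eval unless it lists 'unsafe-eval'.
function policyAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  return sources === undefined || sources.includes("'unsafe-eval'");
}

// Push the bit into a fresh global object, then try both eval forms inside it.
function tryEvalUnderPolicy(policy) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: policyAllowsEval(policy), wasm: false },
  });
  const attempt = (source) => {
    try {
      return String(vm.runInContext(source, context));
    } catch (err) {
      return err.name; // V8 raises EvalError when string code generation is off
    }
  };
  return {
    operatorEval: attempt('eval("1 + 1")'),      // direct call: eval(...)
    functionEval: attempt('(0, eval)("1 + 1")'), // call through the function value
  };
}

console.log(tryEvalUnderPolicy("script-src 'self'"));
console.log(tryEvalUnderPolicy("script-src 'self' 'unsafe-eval'"));
```

Both eval forms fail the same way once the bit is cleared, which is the property the eval-blocked test is described as checking.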