• commit-queue@webkit.org's avatar
    JSC should throw a more descriptive exception when blocking 'eval' via CSP. · 7415e10e
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=94331
    
    Patch by Mike West <mkwst@chromium.org> on 2012-09-14
    Reviewed by Geoffrey Garen.
    
    Source/JavaScriptCore:
    
    Unless explicitly whitelisted, the 'script-src' Content Security Policy
    directive blocks 'eval' and 'eval'-like constructs such as
    'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
    thrown, but the associated message is poor: "Eval is disabled" doesn't
    give developers enough information about why their code isn't behaving
    as expected.
    
    This patch adds an 'errorMessage' parameter to the JavaScriptCore method
    used to disable 'eval'; ContentSecurityPolicy has the opportunity to
    pass in a more detailed and descriptive error that contains more context
    for the developer.
    
    * runtime/Executable.cpp:
    (JSC::EvalExecutable::compileInternal):
        Drop the hard-coded "Eval is disabled" error message in favor of
        reading the error message off the global object.
    * runtime/FunctionConstructor.cpp:
    (JSC::FunctionConstructor::getCallData):
        Drop the hard-coded "Function constructor is disabled" error message
        in favor of reading the error message off the global object.
    * runtime/JSGlobalObject.h:
    (JSGlobalObject):
    (JSC::JSGlobalObject::evalEnabled):
        Making this accessor method const.
    (JSC::JSGlobalObject::evalDisabledErrorMessage):
        Accessor for the error message set via 'setEvalDisabled'.
    (JSC::JSGlobalObject::setEvalEnabled):
        Adding an 'errorMessage' parameter which is stored on the global
        object, and used when exceptions are thrown.
    
    Source/WebCore:
    
    Unless explicitly whitelisted, the 'script-src' Content Security Policy
    directive blocks 'eval' and 'eval'-like constructs such as
    'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
    thrown, but the associated message is poor: "Eval is disabled" doesn't
    give developers enough information about why their code isn't behaving
    as expected.
    
    This patch adds an 'errorMessage' parameter to the JavaScriptCore method
    used to disable 'eval'; ContentSecurityPolicy has the opportunity to
    pass in a more detailed and descriptive error that contains more context
    for the developer.
    
    The new error message is tested by adjusting existing tests; nothing new
    is required.
    
    * bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::initScript):
        Read the error message off the document's ContentSecurityPolicy.
    (WebCore::ScriptController::disableEval):
    * bindings/js/ScriptController.h:
    (ScriptController):
        Pipe the error message through to JSGlobalObject when disabling eval
    * bindings/js/WorkerScriptController.cpp:
    (WebCore::WorkerScriptController::disableEval):
    * bindings/js/WorkerScriptController.h:
    (WorkerScriptController):
        Pipe the error message through to JSGlobalObject when disabling eval
    * bindings/v8/ScriptController.cpp:
    (WebCore::ScriptController::disableEval):
    * bindings/v8/ScriptController.h:
    (ScriptController):
    * bindings/v8/WorkerScriptController.cpp:
    (WebCore::WorkerScriptController::disableEval):
    * bindings/v8/WorkerScriptController.h:
    (WorkerScriptController):
        Placeholder for V8 piping to be built in webk.it/94332.
    * dom/Document.cpp:
    (WebCore::Document::disableEval):
    * dom/Document.h:
    (Document):
    * dom/ScriptExecutionContext.h:
    (ScriptExecutionContext):
        Pipe the error message through to the ScriptController when
        disabling eval.
    * page/ContentSecurityPolicy.cpp:
    (WebCore::CSPDirectiveList::evalDisabledErrorMessage):
        Accessor for the error message that ought be displayed to developers
        when 'eval' used while disabled for a specific directive list.
    (WebCore::CSPDirectiveList::setEvalDisabledErrorMessage):
        Mutator for the error message that ought be displayed to developers
        when 'eval' used while disabled for a specific directive list.
    (CSPDirectiveList):
    (WebCore::CSPDirectiveList::create):
        Upon creation of a CSPDirectiveList, set the error message if the
        directive list disables 'eval'.
    (WebCore::ContentSecurityPolicy::didReceiveHeader):
        Pass the error message into ScriptExecutionContext::disableEval.
    (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage):
        Public accessor for the policy's error message; walks the list of
        directive lists and returns the first error message found.
    (WebCore):
    * page/ContentSecurityPolicy.h:
    * workers/WorkerContext.cpp:
    (WebCore::WorkerContext::disableEval):
    * workers/WorkerContext.h:
    (WorkerContext):
        Pipe the error message through to the ScriptController when
        disabling eval.
    
    LayoutTests:
    
    * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt:
    * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128670 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    7415e10e
JSGlobalObject.h 21.3 KB