-
commit-queue@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=94331 Patch by Mike West <mkwst@chromium.org> on 2012-09-14 Reviewed by Geoffrey Garen. Source/JavaScriptCore: Unless explicitly whitelisted, the 'script-src' Content Security Policy directive blocks 'eval' and 'eval'-like constructs such as 'new Function()'. When 'eval' is encountered in code, an 'EvalError' is thrown, but the associated message is poor: "Eval is disabled" doesn't give developers enough information about why their code isn't behaving as expected. This patch adds an 'errorMessage' parameter to the JavaScriptCore method used to disable 'eval'; ContentSecurityPolicy has the opportunity to pass in a more detailed and descriptive error that contains more context for the developer. * runtime/Executable.cpp: (JSC::EvalExecutable::compileInternal): Drop the hard-coded "Eval is disabled" error message in favor of reading the error message off the global object. * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::getCallData): Drop the hard-coded "Function constructor is disabled" error message in favor of reading the error message off the global object. * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::evalEnabled): Making this accessor method const. (JSC::JSGlobalObject::evalDisabledErrorMessage): Accessor for the error message set via 'setEvalDisabled'. (JSC::JSGlobalObject::setEvalEnabled): Adding an 'errorMessage' parameter which is stored on the global object, and used when exceptions are thrown. Source/WebCore: Unless explicitly whitelisted, the 'script-src' Content Security Policy directive blocks 'eval' and 'eval'-like constructs such as 'new Function()'. When 'eval' is encountered in code, an 'EvalError' is thrown, but the associated message is poor: "Eval is disabled" doesn't give developers enough information about why their code isn't behaving as expected. This patch adds an 'errorMessage' parameter to the JavaScriptCore method used to disable 'eval'; ContentSecurityPolicy has the opportunity to pass in a more detailed and descriptive error that contains more context for the developer. The new error message is tested by adjusting existing tests; nothing new is required. * bindings/js/ScriptController.cpp: (WebCore::ScriptController::initScript): Read the error message off the document's ContentSecurityPolicy. (WebCore::ScriptController::disableEval): * bindings/js/ScriptController.h: (ScriptController): Pipe the error message through to JSGlobalObject when disabling eval * bindings/js/WorkerScriptController.cpp: (WebCore::WorkerScriptController::disableEval): * bindings/js/WorkerScriptController.h: (WorkerScriptController): Pipe the error message through to JSGlobalObject when disabling eval * bindings/v8/ScriptController.cpp: (WebCore::ScriptController::disableEval): * bindings/v8/ScriptController.h: (ScriptController): * bindings/v8/WorkerScriptController.cpp: (WebCore::WorkerScriptController::disableEval): * bindings/v8/WorkerScriptController.h: (WorkerScriptController): Placeholder for V8 piping to be built in webk.it/94332. * dom/Document.cpp: (WebCore::Document::disableEval): * dom/Document.h: (Document): * dom/ScriptExecutionContext.h: (ScriptExecutionContext): Pipe the error message through to the ScriptController when disabling eval. * page/ContentSecurityPolicy.cpp: (WebCore::CSPDirectiveList::evalDisabledErrorMessage): Accessor for the error message that ought be displayed to developers when 'eval' used while disabled for a specific directive list. (WebCore::CSPDirectiveList::setEvalDisabledErrorMessage): Mutator for the error message that ought be displayed to developers when 'eval' used while disabled for a specific directive list. (CSPDirectiveList): (WebCore::CSPDirectiveList::create): Upon creation of a CSPDirectiveList, set the error message if the directive list disables 'eval'. (WebCore::ContentSecurityPolicy::didReceiveHeader): Pass the error message into ScriptExecutionContext::disableEval. (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage): Public accessor for the policy's error message; walks the list of directive lists and returns the first error message found. (WebCore): * page/ContentSecurityPolicy.h: * workers/WorkerContext.cpp: (WebCore::WorkerContext::disableEval): * workers/WorkerContext.h: (WorkerContext): Pipe the error message through to the ScriptController when disabling eval. LayoutTests: * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128670 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7415e10e