abarth@webkit.org authored
Reviewed by Eric Seidel.

CSP should block string arguments to setTimeout and setInterval unless options eval-script
https://bugs.webkit.org/show_bug.cgi?id=58610

Herein lies a four-way testing matrix.

* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html: Added.

2011-04-15 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP should block string arguments to setTimeout and setInterval unless options eval-script
https://bugs.webkit.org/show_bug.cgi?id=58610

It's somewhat sadness that the JSC and V8 code for setTimeout and setInterval are so different. I struggled for a while with how to handle the worker case, but I decided to punt on it for now.

Tests: http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
       http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
       http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
       http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::setTimeout):
(WebCore::JSDOMWindow::setInterval):
* bindings/js/JSWorkerContextCustom.cpp:
(WebCore::JSWorkerContext::setTimeout):
(WebCore::JSWorkerContext::setInterval):
* bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::create):
* bindings/js/ScheduledAction.h:
* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::WindowSetTimeoutImpl):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowEval):
* page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@84073 268f45cc-cd09-0410-ab3c-d52691b4dbfc
a51b999f