Skip to content
Find file Blame History Permalink
  • abarth@webkit.org's avatar
    2011-04-15 Adam Barth <abarth@webkit.org> · a51b999f
    abarth@webkit.org authored 
            Reviewed by Eric Seidel.

        CSP should block string arguments to setTimeout and setInterval unless options eval-script
        https://bugs.webkit.org/show_bug.cgi?id=58610

        Herein lies a four-way testing matrix.

        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html: Added.
2011-04-15  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP should block string arguments to setTimeout and setInterval unless options eval-script
        https://bugs.webkit.org/show_bug.cgi?id=58610

        It's somewhat sadness that the JSC and V8 code for setTimeout and
        setInterval are so different.  I struggled for a while with how to
        handle the worker case, but I decided to punt on it for now.

        Tests: http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
               http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
               http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
               http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html

        * bindings/js/JSDOMWindowCustom.cpp:
        (WebCore::JSDOMWindow::setTimeout):
        (WebCore::JSDOMWindow::setInterval):
        * bindings/js/JSWorkerContextCustom.cpp:
        (WebCore::JSWorkerContext::setTimeout):
        (WebCore::JSWorkerContext::setInterval):
        * bindings/js/ScheduledAction.cpp:
        (WebCore::ScheduledAction::create):
        * bindings/js/ScheduledAction.h:
        * bindings/v8/custom/V8DOMWindowCustom.cpp:
        (WebCore::WindowSetTimeoutImpl):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowEval):
        * page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@84073 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    a51b999f