Commit 76f3d931 authored by weinig@apple.com's avatar weinig@apple.com

Wean ContentSecurityPolicy from the Document

https://bugs.webkit.org/show_bug.cgi?id=69387

Reviewed by Adam Barth.

* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::disableEval):
* bindings/js/WorkerScriptController.h:
* dom/Document.cpp:
(WebCore::Document::disableEval):
* dom/Document.h:
* workers/WorkerContext.cpp:
(WebCore::WorkerContext::disableEval):
* workers/WorkerContext.h:
* dom/ScriptExecutionContext.h:
Add pure virtual disableEval to ScriptExecutionContext, so that ContentSecurityPolicy
can call it for both Documents and WorkerContexts.

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::didReceiveHeader):
Call the new ScriptExecutionContext::disableEval() function.

(WebCore::ContentSecurityPolicy::reportViolation):
Use ScriptExecutionContext::addMessage() instead of going directly to the DOMWindow.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1abfc765
2011-10-04 Sam Weinig <sam@webkit.org>
Wean ContentSecurityPolicy from the Document
https://bugs.webkit.org/show_bug.cgi?id=69387
Reviewed by Adam Barth.
* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::disableEval):
* bindings/js/WorkerScriptController.h:
* dom/Document.cpp:
(WebCore::Document::disableEval):
* dom/Document.h:
* workers/WorkerContext.cpp:
(WebCore::WorkerContext::disableEval):
* workers/WorkerContext.h:
* dom/ScriptExecutionContext.h:
Add pure virtual disableEval to ScriptExecutionContext, so that ContentSecurityPolicy
can call it for both Documents and WorkerContexts.
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::didReceiveHeader):
Call the new ScriptExecutionContext::disableEval() function.
(WebCore::ContentSecurityPolicy::reportViolation):
Use ScriptExecutionContext::addMessage() instead of going directly to the DOMWindow.
2011-10-04 Anders Carlsson <andersca@apple.com>
Move code into ScrollElasticityController::beginScrollGesture()
......@@ -181,6 +181,14 @@ bool WorkerScriptController::isExecutionForbidden() const
return m_executionForbidden;
}
void WorkerScriptController::disableEval()
{
initScriptIfNeeded();
JSLock lock(SilenceAssertionsOnly);
m_workerContextWrapper->setEvalEnabled(false);
}
} // namespace WebCore
#endif // ENABLE(WORKERS)
......@@ -73,6 +73,8 @@ namespace WebCore {
void forbidExecution();
bool isExecutionForbidden() const;
void disableEval();
JSC::JSGlobalData* globalData() { return m_globalData.get(); }
private:
......
......@@ -2438,6 +2438,14 @@ String Document::userAgent(const KURL& url) const
return frame() ? frame()->loader()->userAgent(url) : String();
}
void Document::disableEval()
{
if (!frame())
return;
frame()->script()->disableEval();
}
CSSStyleSheet* Document::pageUserSheet()
{
if (m_pageUserSheet)
......
......@@ -612,6 +612,8 @@ public:
virtual String userAgent(const KURL&) const;
virtual void disableEval() OVERRIDE;
CSSStyleSheet* pageUserSheet();
void clearPageUserSheet();
void updatePageUserSheet();
......
......@@ -96,6 +96,8 @@ namespace WebCore {
virtual String userAgent(const KURL&) const = 0;
virtual void disableEval() = 0;
SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
ContentSecurityPolicy* contentSecurityPolicy() { return m_contentSecurityPolicy.get(); }
......
......@@ -27,12 +27,12 @@
#include "ContentSecurityPolicy.h"
#include "Console.h"
#include "DOMWindow.h"
#include "Document.h"
#include "FormData.h"
#include "FormDataList.h"
#include "Frame.h"
#include "PingLoader.h"
#include "ScriptCallStack.h"
#include "SecurityOrigin.h"
#include "TextEncoding.h"
#include <wtf/text/WTFString.h>
......@@ -491,18 +491,19 @@ void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType ty
break;
}
if (!checkEval(operativeDirective(m_scriptSrc.get()))) {
// FIXME: Support disabling eval for Workers.
if (m_scriptExecutionContext->isDocument()) {
if (Frame* frame = static_cast<Document*>(m_scriptExecutionContext)->frame())
frame->script()->disableEval();
}
}
if (!checkEval(operativeDirective(m_scriptSrc.get())))
m_scriptExecutionContext->disableEval();
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage) const
{
// FIXME: Support reporting violations for Workers.
String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0);
if (m_reportURLs.isEmpty())
return;
// FIXME: Support sending reports from worker.
if (!m_scriptExecutionContext->isDocument())
return;
......@@ -511,12 +512,6 @@ void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
if (!frame)
return;
String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String());
if (m_reportURLs.isEmpty())
return;
// We need to be careful here when deciding what information to send to the
// report-uri. Currently, we send only the current document's URL and the
// directive that was violated. The document's URL is safe to send because
......
......@@ -165,6 +165,11 @@ String WorkerContext::userAgent(const KURL&) const
return m_userAgent;
}
void WorkerContext::disableEval()
{
m_script->disableEval();
}
WorkerLocation* WorkerContext::location() const
{
if (!m_location)
......
......@@ -77,6 +77,8 @@ namespace WebCore {
virtual String userAgent(const KURL&) const;
virtual void disableEval() OVERRIDE;
WorkerScriptController* script() { return m_script.get(); }
void clearScript() { m_script.clear(); }
#if ENABLE(INSPECTOR)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment