Diff - 9d220b6656871fa29e68844522af3eaad45de845^! - WebKit

commit	9d220b6656871fa29e68844522af3eaad45de845	[log] [tgz]
author	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Sat Jun 09 19:35:02 2012 +0000
committer	abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Sat Jun 09 19:35:02 2012 +0000
tree	39f82520f931e2d8df215c43aec2bd027a837179
parent	eb180db3197566c3443e9723b095362ffa87dd04 [diff]

Can't use eval in iframes sanbdoxed via CSP header https://bugs.webkit.org/show_bug.cgi?id=88450 Reviewed by Mihai Parparita. Source/WebCore: The initial empty document in a frame inherits the security context of its parent (including the CSP policy). When we load the real document, in some cases we'll do a "secure transition" to the new document. That means that we leave the global object in place in case the parent document has created any properties that it expects will be visible to the new document. If the parent document has a CSP policy that blocks eval, the "no eval" bit will be set on the global object of the initial document. When we perform a "secure transition" to the new document, we'll keep the bit, which is wrong. In this patch, we reset the bit by always enabling eval when clearing the context, regardless of whether we're performing a "secure transition". Test: http/tests/security/contentSecurityPolicy/iframe-inside-csp.html * bindings/js/ScriptController.cpp: (WebCore::ScriptController::enableEval): (WebCore): * bindings/js/ScriptController.h: (ScriptController): * bindings/v8/ScriptController.cpp: (WebCore::ScriptController::enableEval): (WebCore): (WebCore::ScriptController::disableEval): * bindings/v8/ScriptController.h: (ScriptController): * loader/FrameLoader.cpp: (WebCore::FrameLoader::clear): LayoutTests: * http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt: Added. * http/tests/security/contentSecurityPolicy/iframe-inside-csp.html: Added. * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119913 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp index 2e50352..e46f9e1 100644 --- a/Source/WebCore/loader/FrameLoader.cpp +++ b/Source/WebCore/loader/FrameLoader.cpp

@@ -540,6 +540,8 @@ if (clearScriptObjects) m_frame->script()->clearScriptObjects(); + m_frame->script()->enableEval(); + m_frame->navigationScheduler()->clear(); m_checkTimer.stop();