<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>111867</bug_id>
          
          <creation_ts>2013-03-08 10:03:48 -0800</creation_ts>
          <short_desc>CSP: &apos;eval()&apos; is blocked in report-only mode.</short_desc>
          <delta_ts>2014-11-06 20:47:50 -0800</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>WebCore Misc.</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          <see_also>https://bugs.webkit.org/show_bug.cgi?id=138492</see_also>
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          <blocked>111869</blocked>
          <everconfirmed>1</everconfirmed>
          <reporter name="Mike West">mkwst</reporter>
          <assigned_to name="Mike West">mkwst</assigned_to>
          <cc>abarth</cc>
    
    <cc>mkwst+watchlist</cc>
    
    <cc>webkit.review.bot</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>851279</commentid>
    <comment_count>0</comment_count>
    <who name="Mike West">mkwst</who>
    <bug_when>2013-03-08 10:03:48 -0800</bug_when>
    <thetext>In report-only mode, CSP should allow &apos;eval()&apos; to execute; it should not be blocked. That&apos;s not what we&apos;re currently doing. See http://stackoverflow.com/questions/15273841/eval-isnt-executed-in-chrome-when-using-content-security-policy-report-only/15300012#15300012.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851295</commentid>
    <comment_count>1</comment_count>
      <attachid>192248</attachid>
    <who name="Mike West">mkwst</who>
    <bug_when>2013-03-08 10:15:17 -0800</bug_when>
    <thetext>Created attachment 192248
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851384</commentid>
    <comment_count>2</comment_count>
      <attachid>192248</attachid>
    <who name="Adam Barth">abarth</who>
    <bug_when>2013-03-08 11:52:05 -0800</bug_when>
    <thetext>Comment on attachment 192248
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=192248&amp;action=review

&gt; Source/WebCore/page/ContentSecurityPolicy.cpp:-1460
&gt; -    if (!allowEval(0, SuppressReport))
&gt; -        m_scriptExecutionContext-&gt;disableEval(evalDisabledErrorMessage());

Why did you move this into the loop?  It seems like we can just add a check for |type| to this code here.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851390</commentid>
    <comment_count>3</comment_count>
    <who name="Mike West">mkwst</who>
    <bug_when>2013-03-08 11:57:46 -0800</bug_when>
    <thetext>(In reply to comment #2)
&gt; (From update of attachment 192248 [details])
&gt; View in context: https://bugs.webkit.org/attachment.cgi?id=192248&amp;action=review
&gt; 
&gt; &gt; Source/WebCore/page/ContentSecurityPolicy.cpp:-1460
&gt; &gt; -    if (!allowEval(0, SuppressReport))
&gt; &gt; -        m_scriptExecutionContext-&gt;disableEval(evalDisabledErrorMessage());
&gt; 
&gt; Why did you move this into the loop?  It seems like we can just add a check for |type| to this code here.

I moved it into the loop because it was the simplest mechanism for checking whether a specific policy was report-only, as opposed to checking if the combined set of policies allowed eval or not.

We don&apos;t currently have a mechanism of distinguishing between these two cases:

* Content-Security-Policy: script-src &apos;self&apos;;

and

* Content-Security-Policy-Report-Only: script-src &apos;self&apos;;
* Content-Security-Policy: img-src &apos;none&apos;;

For most directives, this doesn&apos;t matter, as we do the report-only check inline with the request. For eval, on the other hand, we have to tell V8/JSC whether it should allow or deny &apos;eval()&apos; a priori. See also bug 111869 for another consequence of this.

I think the behavior of ContentSecurityPolicy::allowEval should probably change, as you suggest, but I&apos;m not sure how that needs to look</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851415</commentid>
    <comment_count>4</comment_count>
    <who name="Adam Barth">abarth</who>
    <bug_when>2013-03-08 12:16:19 -0800</bug_when>
    <thetext>Doesn&apos;t the HeaderType argument tell you?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851419</commentid>
    <comment_count>5</comment_count>
      <attachid>192248</attachid>
    <who name="Adam Barth">abarth</who>
    <bug_when>2013-03-08 12:18:15 -0800</bug_when>
    <thetext>Comment on attachment 192248
Patch

I understand now.  After the loop we&apos;re querying all previous headers too.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851502</commentid>
    <comment_count>6</comment_count>
      <attachid>192248</attachid>
    <who name="WebKit Review Bot">webkit.review.bot</who>
    <bug_when>2013-03-08 14:21:58 -0800</bug_when>
    <thetext>Comment on attachment 192248
Patch

Clearing flags on attachment: 192248

Committed r145268: &lt;http://trac.webkit.org/changeset/145268&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>851503</commentid>
    <comment_count>7</comment_count>
    <who name="WebKit Review Bot">webkit.review.bot</who>
    <bug_when>2013-03-08 14:22:02 -0800</bug_when>
    <thetext>All reviewed patches have been landed.  Closing bug.</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>192248</attachid>
            <date>2013-03-08 10:15:17 -0800</date>
            <delta_ts>2013-03-08 14:21:58 -0800</delta_ts>
            <desc>Patch</desc>
            <filename>bug-111867-20130308191119.patch</filename>
            <type>text/plain</type>
            <size>5403</size>
            <attacher name="Mike West">mkwst</attacher>
            
              <data encoding="base64">U3VidmVyc2lvbiBSZXZpc2lvbjogMTQ1MjE2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D
aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZTM5M2FiZDk2ZTU5YjI1
MTJmYWYzNjdiZTdiOTIyYzg1YzhhMmJjNy4uMGVhNTMxOWJjZjczYzQ4NTY5NWE1MzBlYTg4ZmM2
MTg0ZmUyM2FmZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv
dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDMwIEBACisyMDEzLTAzLTA4ICBNaWtl
IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgQ1NQOiAnZXZhbCgpJyBpcyBi
bG9ja2VkIGluIHJlcG9ydC1vbmx5IG1vZGUuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu
b3JnL3Nob3dfYnVnLmNnaT9pZD0xMTE4NjcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg
KE9PUFMhKS4KKworICAgICAgICBTZXR0aW5nIGEgJ0NvbnRlbnQtU2VjdXJpdHktUG9saWN5LVJl
cG9ydC1Pbmx5JyBoZWFkZXIgc2hvdWxkIG5vdCBoYXZlCisgICAgICAgIGFueSBlZmZlY3Qgb24g
d2hhdCBhIHBhZ2UgYWN0dWFsbHkgZXhlY3V0ZXMuIEN1cnJlbnRseSwgaG93ZXZlciwgc2V0dGlu
ZworICAgICAgICBhICdzY3JpcHQtc3JjJyBkaXJlY3RpdmUgdGhhdCBkb2Vzbid0IHdoaXRlbGlz
dCAndW5zYWZlLWV2YWwnIGFjdHVhbGx5CisgICAgICAgIGJsb2NrcyAnZXZhbCgpJyBvbiB0aGUg
cGFnZS4gVGhpcyBwYXRjaCBmaXhlcyB0aGF0IGJ5IGNoZWNraW5nIHdoZXRoZXIKKyAgICAgICAg
d2UncmUgaW4gcmVwb3J0LW9ubHkgbW9kZSBiZWZvcmUgdHVybmluZyAnZXZhbCgpJyBvZmYgaW5z
aWRlIHRoZSBzY3JpcHQKKyAgICAgICAgZW5naW5lLgorCisgICAgICAgIFRoaXMgbGVhdmVzIHVz
IGluIGEgd2VpcmQgc3RhdGUsIGhvd2V2ZXIuIFdlIGRvbid0IGN1cnJlbnRseSBoYXZlIGFueQor
ICAgICAgICBtZWNoYW5pc20gb2YgZXhwbGFpbmluZyB0byB0aGUgVk0gdGhhdCB3ZSBqdXN0IHdh
bnQgdG8gYmUgbm90aWZpZWQgb2YKKyAgICAgICAgJ2V2YWwoKScgdXNhZ2UuIEkndmUgZmlsZWQg
aHR0cDovL3drYnVnLmNvbS8xMTE4NjkgdG8gY292ZXIgdGhpcworICAgICAgICBhc3BlY3QuCisK
KyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kv
ZXZhbC1hbGxvd2VkLWluLXJlcG9ydC1vbmx5LW1vZGUuaHRtbAorCisgICAgICAgICogcGFnZS9D
b250ZW50U2VjdXJpdHlQb2xpY3kuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Q29udGVudFNlY3Vy
aXR5UG9saWN5OjpkaWRSZWNlaXZlSGVhZGVyKToKKyAgICAgICAgICAgIEZvciBlYWNoIHBvbGlj
eSB3ZSBwYXJzZSwgY2hlY2sgdGhhdCB3ZSdyZSBvbmx5IHR1cm5pbmcgb2ZmIGV2YWwgaW4KKyAg
ICAgICAgICAgIHRoZSBWTSB3aGVuIHdlJ3JlIGluIGVuZm9yY2UgbW9kZS4gSWYgd2UncmUgaW4g
cmVwb3J0LW9ubHkgbW9kZSwKKyAgICAgICAgICAgIHNraXAgaXQuCisKIDIwMTMtMDMtMDggIFBo
aWxpcCBSb2dlcnMgIDxwZHJAZ29vZ2xlLmNvbT4KIAogICAgICAgICBQcmV2ZW50IGluZmluaXRl
IGxvb3AgaW4gU1ZHIHVzZSBjeWNsZSBkZXRlY3Rpb24KZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJD
b3JlL3BhZ2UvQ29udGVudFNlY3VyaXR5UG9saWN5LmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BhZ2Uv
Q29udGVudFNlY3VyaXR5UG9saWN5LmNwcAppbmRleCA2OGM0NDFiNGIyMjMzZTdmZjY0NTY2NzU1
MjQ4YWIyYTVhZmJhZmY4Li41OWM2ZjUxZDhmMjgzODJiMmE3ZDIzNTRmNjgzOTM5Yzk3M2EyNzkx
IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wYWdlL0NvbnRlbnRTZWN1cml0eVBvbGljeS5j
cHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGFnZS9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3BwCkBA
IC0xNDQ4LDE2ICsxNDQ4LDE3IEBAIHZvaWQgQ29udGVudFNlY3VyaXR5UG9saWN5OjpkaWRSZWNl
aXZlSGVhZGVyKGNvbnN0IFN0cmluZyYgaGVhZGVyLCBIZWFkZXJUeXBlIHR5CiAKICAgICAgICAg
Ly8gaGVhZGVyMSxoZWFkZXIyIE9SIGhlYWRlcjEKICAgICAgICAgLy8gICAgICAgIF4gICAgICAg
ICAgICAgICAgICBeCi0gICAgICAgIG1fcG9saWNpZXMuYXBwZW5kKENTUERpcmVjdGl2ZUxpc3Q6
OmNyZWF0ZSh0aGlzLCBTdHJpbmcoYmVnaW4sIHBvc2l0aW9uIC0gYmVnaW4pLCB0eXBlKSk7Cisg
ICAgICAgIE93blB0cjxDU1BEaXJlY3RpdmVMaXN0PiBwb2xpY3kgPSBDU1BEaXJlY3RpdmVMaXN0
OjpjcmVhdGUodGhpcywgU3RyaW5nKGJlZ2luLCBwb3NpdGlvbiAtIGJlZ2luKSwgdHlwZSk7Cisg
ICAgICAgIGlmICghcG9saWN5LT5pc1JlcG9ydE9ubHkoKSAmJiAhcG9saWN5LT5hbGxvd0V2YWwo
MCwgU3VwcHJlc3NSZXBvcnQpKQorICAgICAgICAgICAgbV9zY3JpcHRFeGVjdXRpb25Db250ZXh0
LT5kaXNhYmxlRXZhbChwb2xpY3ktPmV2YWxEaXNhYmxlZEVycm9yTWVzc2FnZSgpKTsKKworICAg
ICAgICBtX3BvbGljaWVzLmFwcGVuZChwb2xpY3kucmVsZWFzZSgpKTsKIAogICAgICAgICAvLyBT
a2lwIHRoZSBjb21tYSwgYW5kIGJlZ2luIHRoZSBuZXh0IGhlYWRlciBmcm9tIHRoZSBjdXJyZW50
IHBvc2l0aW9uLgogICAgICAgICBBU1NFUlQocG9zaXRpb24gPT0gZW5kIHx8ICpwb3NpdGlvbiA9
PSAnLCcpOwogICAgICAgICBza2lwRXhhY3RseShwb3NpdGlvbiwgZW5kLCAnLCcpOwogICAgICAg
ICBiZWdpbiA9IHBvc2l0aW9uOwogICAgIH0KLQotICAgIGlmICghYWxsb3dFdmFsKDAsIFN1cHBy
ZXNzUmVwb3J0KSkKLSAgICAgICAgbV9zY3JpcHRFeGVjdXRpb25Db250ZXh0LT5kaXNhYmxlRXZh
bChldmFsRGlzYWJsZWRFcnJvck1lc3NhZ2UoKSk7CiB9CiAKIHZvaWQgQ29udGVudFNlY3VyaXR5
UG9saWN5OjpzZXRPdmVycmlkZUFsbG93SW5saW5lU3R5bGUoYm9vbCB2YWx1ZSkKZGlmZiAtLWdp
dCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCA5
Yzc1ODAxMzcwNGUyZjY5ZTY4Mzg1NmFhYWMzZTQ4MTk0NzBmODhhLi41ZDAzNDdmZDBlNDE4MWUx
ZWU2OTA1N2VkYTU5Yjg1MGRhYTUyMTI2IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM
b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTMtMDMt
MDggIE1pa2UgV2VzdCAgPG1rd3N0QGNocm9taXVtLm9yZz4KKworICAgICAgICBDU1A6ICdldmFs
KCknIGlzIGJsb2NrZWQgaW4gcmVwb3J0LW9ubHkgbW9kZS4KKyAgICAgICAgaHR0cHM6Ly9idWdz
LndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExMTg2NworCisgICAgICAgIFJldmlld2VkIGJ5
IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50
U2VjdXJpdHlQb2xpY3kvZXZhbC1hbGxvd2VkLWluLXJlcG9ydC1vbmx5LW1vZGUtZXhwZWN0ZWQu
dHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0
eVBvbGljeS9ldmFsLWFsbG93ZWQtaW4tcmVwb3J0LW9ubHktbW9kZS5odG1sOiBBZGRlZC4KKwog
MjAxMy0wMy0wOCAgUGhpbGlwIFJvZ2VycyAgPHBkckBnb29nbGUuY29tPgogCiAgICAgICAgIFBy
ZXZlbnQgaW5maW5pdGUgbG9vcCBpbiBTVkcgdXNlIGN5Y2xlIGRldGVjdGlvbgpkaWZmIC0tZ2l0
IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kv
ZXZhbC1hbGxvd2VkLWluLXJlcG9ydC1vbmx5LW1vZGUtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVz
dHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvZXZhbC1hbGxvd2Vk
LWluLXJlcG9ydC1vbmx5LW1vZGUtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0Cmlu
ZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjRhNjMyMWU1Yzkz
YTkyNzUzYWY0MWIzOTU2YTkxZDE0ZGYxZjU5MGMKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRU
ZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9ldmFsLWFsbG93
ZWQtaW4tcmVwb3J0LW9ubHktbW9kZS1leHBlY3RlZC50eHQKQEAgLTAsMCArMSw1IEBACitDT05T
T0xFIE1FU1NBR0U6IFRoZSBDb250ZW50IFNlY3VyaXR5IFBvbGljeSAnc2NyaXB0LXNyYyAnc2Vs
ZicnIHdhcyBkZWxpdmVyZWQgaW4gcmVwb3J0LW9ubHkgbW9kZSwgYnV0IGRvZXMgbm90IHNwZWNp
ZnkgYSAncmVwb3J0LXVyaSc7IHRoZSBwb2xpY3kgd2lsbCBoYXZlIG5vIGVmZmVjdC4gUGxlYXNl
IGVpdGhlciBhZGQgYSAncmVwb3J0LXVyaScgZGlyZWN0aXZlLCBvciBkZWxpdmVyIHRoZSBwb2xp
Y3kgdmlhIHRoZSAnQ29udGVudC1TZWN1cml0eS1Qb2xpY3knIGhlYWRlci4KK0NPTlNPTEUgTUVT
U0FHRTogbGluZSA3OiBbUmVwb3J0IE9ubHldIFJlZnVzZWQgdG8gZXhlY3V0ZSBpbmxpbmUgc2Ny
aXB0IGJlY2F1c2UgaXQgdmlvbGF0ZXMgdGhlIGZvbGxvd2luZyBDb250ZW50IFNlY3VyaXR5IFBv
bGljeSBkaXJlY3RpdmU6ICJzY3JpcHQtc3JjICdzZWxmJyIuCisKK0FMRVJUOiBQQVNTOiBldmFs
KCkgZXhlY3V0ZWQgYXMgZXhwZWN0ZWQuCisKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAv
dGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L2V2YWwtYWxsb3dlZC1pbi1yZXBv
cnQtb25seS1tb2RlLmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRl
bnRTZWN1cml0eVBvbGljeS9ldmFsLWFsbG93ZWQtaW4tcmVwb3J0LW9ubHktbW9kZS5odG1sCm5l
dyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAuLjc5YWU2YjQ0OTExNmE1Mzg3NTE0OWMyMzAxZjhhOGY3Y2JhYTg1YzYKLS0tIC9k
ZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1
cml0eVBvbGljeS9ldmFsLWFsbG93ZWQtaW4tcmVwb3J0LW9ubHktbW9kZS5odG1sCkBAIC0wLDAg
KzEsMTQgQEAKKzwhRE9DVFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKyAgICA8bWV0YSBodHRw
LWVxdWl2PSJDb250ZW50LVNlY3VyaXR5LVBvbGljeS1SZXBvcnQtT25seSIgY29udGVudD0ic2Ny
aXB0LXNyYyAnc2VsZiciPgorPC9oZWFkPgorPGJvZHk+CisgICAgPHNjcmlwdD4KKyAgICAgICAg
aWYgKHdpbmRvdy50ZXN0UnVubmVyKQorICAgICAgICAgICAgdGVzdFJ1bm5lci5kdW1wQXNUZXh0
KCk7CisKKyAgICAgICAgZXZhbCgiYWxlcnQoJ1BBU1M6IGV2YWwoKSBleGVjdXRlZCBhcyBleHBl
Y3RlZC4nKTsiKTsKKyAgICA8L3NjcmlwdD4KKzwvYm9keT4KKzwvaHRtbD4K
</data>

          </attachment>
      

    </bug>

</bugzilla>