153148 2016-01-15 14:44:41 -0800 CSP: 'eval()' blocked in report-only mode should send a violation report 2018-06-13 21:55:53 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED DUPLICATE 111869 BlinkMergeCandidate, InRadar P2 Normal --- 1 dbates dbates bfulgham dbates webkit-bug-importer oldest_to_newest 1155948 0 dbates 2016-01-15 14:44:41 -0800 We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=155752>. CSP: 'eval()' blocked in report-only mode should send a violation report. Currently, 'eval()' is blocked inside V8 when an enforce-mode Content Security Policy is specified for a document. Report-only policies don't trigger this mechanism, and therefore can deliver violation reports neither to the 'report-uri' in the policy nor the console. This patch changes ContentSecurityPolicy::didReceiveHeader to disable eval inside V8 for report-only policies as well, and relies on the V8Initializer::codeGenerationCheckCallbackInMainThread callback to give V8 the final go/no-go decision regarding the code's execution. This patch has the negative performance side-effect of calling back from V8 to core whenever 'eval()' is encountered on a page with an CSP that blocks eval. Given that the page isn't expecting to run 'eval()' at all, that impact seems like something we can live with (though it is fairly significant). 1159596 1 webkit-bug-importer 2016-01-27 20:29:35 -0800 <rdar://problem/24383146> 1432927 2 dbates 2018-06-13 21:55:53 -0700 *** This bug has been marked as a duplicate of bug 111869 ***