Diff
Modified: trunk/LayoutTests/ChangeLog (196241 => 196242)
--- trunk/LayoutTests/ChangeLog 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/LayoutTests/ChangeLog 2016-02-07 22:26:46 UTC (rev 196242)
@@ -1,3 +1,21 @@
+2016-02-07 Daniel Bates <daba...@apple.com>
+
+ CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
+ https://bugs.webkit.org/show_bug.cgi?id=153622
+ <rdar://problem/24400023>
+
+ Reviewed by Gavin Barraclough and Andy Estes.
+
+ Add tests to ensure that a Web Worker initiated from an isolated world can bypass the main world
+ Content Security Policy.
+
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Added.
+
2016-02-07 Carlos Garcia Campos <cgar...@igalia.com>
REGRESSION(r195661): [GTK] Scrollbar tests crashing after overlay scrollbar groundwork
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,3 @@
+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to call eval().
+
+PASS worker called eval().
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to call <code>eval()</code>.</p>
+<pre id="result"></pre>
+<script>
+window._onmessage_ = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var script = [
+ 'try {',
+ ' eval("1 + 0");',
+ ' self.postMessage("PASS worker called eval().");',
+ '} catch (exception) {',
+ ' self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");',
+ '}',
+ ].join("\n");
+
+ var worker;
+ try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker._onmessage_ = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,3 @@
+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to make an XHR request.
+
+PASS
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'none'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to make an XHR request.</p>
+<pre id="result"></pre>
+<script>
+window._onmessage_ = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var script = [
+ 'var exception;',
+ 'var xhr;',
+ 'try {',
+ ' var isAsynchronous = false;',
+ ' xhr = new XMLHttpRequest;',
+ ' xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", isAsynchronous);',
+ ' xhr.send();',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'if (exception)',
+ ' self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");',
+ 'else',
+ ' self.postMessage(xhr.response);',
+ ].join("\n");
+
+ var worker;
+ try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker._onmessage_ = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-expected.txt 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,3 @@
+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to be instantiated with a script URL not listed in the CSP of the page.
+
+PASS worker instantiated.
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (0 => 196242)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html 2016-02-07 22:26:46 UTC (rev 196242)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Add child-src 'none' once we implement the child-src directive. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to be instantiated with a script URL not listed in the CSP of the page.</p>
+<pre id="result"></pre>
+<script>
+window._onmessage_ = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker.php?type=alert-pass");
+ window.postMessage("PASS worker instantiated.", "*");
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (196241 => 196242)
--- trunk/Source/WebCore/ChangeLog 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/ChangeLog 2016-02-07 22:26:46 UTC (rev 196242)
@@ -1,3 +1,86 @@
+2016-02-07 Daniel Bates <daba...@apple.com>
+
+ CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy
+ https://bugs.webkit.org/show_bug.cgi?id=153622
+ <rdar://problem/24400023>
+
+ Reviewed by Gavin Barraclough.
+
+ Fixes an issue where Web Workers initiated from an isolated world (say, a Safari Content Script Extension)
+ would be subject to the Content Security Policy of the page.
+
+ Currently code in an isolated world that does not execute in a Web Worker is exempt from the CSP of
+ the page. However, code that runs inside a Web Worker that was initiated from an isolated world is
+ subject to the CSP of the page. Instead, such Web Worker code should also be exempt from the CSP of
+ the page.
+
+ Tests: http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-eval.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-xhr.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html
+
+ * Modules/websockets/WebSocket.cpp:
+ (WebCore::WebSocket::connect): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy): Deleted; moved logic from here...
+ * bindings/js/ScriptController.h:
+ * dom/Document.cpp:
+ (WebCore::Document::shouldBypassMainWorldContentSecurityPolicy): ...to here.
+ * dom/Document.h:
+ * dom/ScriptExecutionContext.h:
+ (WebCore::ScriptExecutionContext::shouldBypassMainWorldContentSecurityPolicy): Added; defaults to false -
+ do not bypass the main world Content Security Policy.
+ * page/EventSource.cpp:
+ (WebCore::EventSource::create): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy): Deleted.
+ * page/csp/ContentSecurityPolicy.h:
+ * workers/AbstractWorker.cpp:
+ (WebCore::AbstractWorker::resolveURL): Bypass the main world Content Security Policy if applicable.
+ Added FIXME comment to enforce the child-src directive of the document's CSP (as opposed to the script-src
+ directive) on the worker's script URL. Also, scriptExecutionContext()->contentSecurityPolicy() should
+ always be non-null just as we expect scriptExecutionContext()->securityOrigin() to be non-null. Assert
+ this invariant to catch cases where a ScriptExecutionContext is not properly initialized.
+ * workers/DedicatedWorkerGlobalScope.cpp:
+ (WebCore::DedicatedWorkerGlobalScope::create): Modified to take boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy and only apply the Content Security
+ Policy headers when shouldBypassMainWorldContentSecurityPolicy is false.
+ (WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ * workers/DedicatedWorkerGlobalScope.h:
+ * workers/DedicatedWorkerThread.cpp:
+ (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto.
+ (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto.
+ * workers/DedicatedWorkerThread.h:
+ * workers/Worker.cpp:
+ (WebCore::Worker::create): Store whether we should bypass the main world Content Security Policy so
+ that we can pass it to WorkerMessagingProxy::startWorkerGlobalScope() in Worker::notifyFinished().
+ We need to store this decision here as opposed to determining it at any later time (say, in Worker::notifyFinished())
+ because it is dependent on the current _javascript_ program stack at the time this function is invoked.
+ (WebCore::Worker::notifyFinished): Pass whether to bypass the main world Content Security Policy.
+ * workers/Worker.h:
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::WorkerGlobalScope): Modified to take a boolean as to whether to bypass the
+ main world Content Security Policy and store it in a member field. Also, always instantiate a Content
+ Security Policy object as our current code assumes that one is always created.
+ * workers/WorkerGlobalScope.h:
+ * workers/WorkerGlobalScopeProxy.h:
+ * workers/WorkerMessagingProxy.cpp:
+ (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ * workers/WorkerMessagingProxy.h:
+ * workers/WorkerThread.cpp:
+ (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Modified to take a boolean argument as to
+ whether to bypass the main world Content Security Policy and store it in a member field.
+ (WebCore::WorkerThread::WorkerThread): Pass through a boolean argument shouldBypassMainWorldContentSecurityPolicy
+ as to whether to bypass the main world Content Security Policy.
+ (WebCore::WorkerThread::workerThread): Ditto.
+ * workers/WorkerThread.h:
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::open): Modified to ask the script execution context whether to bypass the
+ main world Content Security Policy now that script execution context knows this information.
+
2016-02-07 Dan Bernstein <m...@apple.com>
[Cocoa] Replace __has_include guards around inclusion of Apple-internal-SDK headers with USE(APPLE_INTERNAL_SDK)
Modified: trunk/Source/WebCore/Modules/websockets/WebSocket.cpp (196241 => 196242)
--- trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -238,8 +238,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, shouldBypassMainWorldContentSecurityPolicy)) {
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
m_state = CLOSED;
// FIXME: Should this be throwing an exception?
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (196241 => 196242)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -519,17 +519,6 @@
return evaluateInWorld(sourceCode, world);
}
-bool ScriptController::shouldBypassMainWorldContentSecurityPolicy()
-{
- CallFrame* callFrame = JSDOMWindow::commonVM().topCallFrame;
- if (callFrame == CallFrame::noCaller())
- return false;
- DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame);
- if (domWrapperWorld.isNormal())
- return false;
- return true;
-}
-
bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
{
if (m_frame.document() && m_frame.document()->isSandboxed(SandboxScripts)) {
Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (196241 => 196242)
--- trunk/Source/WebCore/bindings/js/ScriptController.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -166,8 +166,6 @@
WEBCORE_EXPORT NPObject* windowScriptNPObject();
#endif
- bool shouldBypassMainWorldContentSecurityPolicy();
-
private:
WEBCORE_EXPORT JSDOMWindowShell* initScript(DOMWrapperWorld&);
Modified: trunk/Source/WebCore/dom/Document.cpp (196241 => 196242)
--- trunk/Source/WebCore/dom/Document.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -2431,6 +2431,17 @@
#endif
}
+bool Document::shouldBypassMainWorldContentSecurityPolicy() const
+{
+ JSC::CallFrame* callFrame = JSDOMWindow::commonVM().topCallFrame;
+ if (callFrame == JSC::CallFrame::noCaller())
+ return false;
+ DOMWrapperWorld& domWrapperWorld = currentWorld(callFrame);
+ if (domWrapperWorld.isNormal())
+ return false;
+ return true;
+}
+
void Document::platformSuspendOrStopActiveDOMObjects()
{
#if PLATFORM(IOS)
Modified: trunk/Source/WebCore/dom/Document.h (196241 => 196242)
--- trunk/Source/WebCore/dom/Document.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/Document.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -603,6 +603,7 @@
void prepareForDestruction();
// Override ScriptExecutionContext methods to do additional work
+ bool shouldBypassMainWorldContentSecurityPolicy() const override final;
virtual void suspendActiveDOMObjects(ActiveDOMObject::ReasonForSuspension) override final;
virtual void resumeActiveDOMObjects(ActiveDOMObject::ReasonForSuspension) override final;
virtual void stopActiveDOMObjects() override final;
Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.h (196241 => 196242)
--- trunk/Source/WebCore/dom/ScriptExecutionContext.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -82,6 +82,8 @@
virtual SecurityOrigin* topOrigin() const = 0;
+ virtual bool shouldBypassMainWorldContentSecurityPolicy() const { return false; }
+
PublicURLManager& publicURLManager();
// Active objects are not garbage collected even if inaccessible, e.g. because their activity may result in callbacks being invoked.
Modified: trunk/Source/WebCore/page/EventSource.cpp (196241 => 196242)
--- trunk/Source/WebCore/page/EventSource.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/EventSource.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -85,8 +85,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(context);
- if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, shouldBypassMainWorldContentSecurityPolicy)) {
+ if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, context.shouldBypassMainWorldContentSecurityPolicy())) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return nullptr;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196241 => 196242)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -1775,15 +1775,5 @@
return false;
#endif
}
-
-bool ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext& context)
-{
- if (is<Document>(context)) {
- auto& document = downcast<Document>(context);
- return document.frame() && document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
- }
- return false;
}
-
-}
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196241 => 196242)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -102,8 +102,6 @@
bool experimentalFeaturesEnabled() const;
- static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
-
// The following functions are used by internal data structures to call back into this object when parsing, validating,
// and applying a Content Security Policy.
// FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -62,7 +62,10 @@
return URL();
}
- if (scriptExecutionContext()->contentSecurityPolicy() && !scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL)) {
+ // FIXME: Enforce the child-src directive instead of script-src per <https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers> (29 August 2015).
+ // See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
+ ASSERT(scriptExecutionContext()->contentSecurityPolicy());
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
ec = SECURITY_ERR;
return URL();
}
Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -40,15 +40,16 @@
namespace WebCore {
-Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
+Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
{
- Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, topOrigin));
- context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders);
+ Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, shouldBypassMainWorldContentSecurityPolicy, topOrigin));
+ if (!shouldBypassMainWorldContentSecurityPolicy)
+ context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders);
return context;
}
-DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, PassRefPtr<SecurityOrigin> topOrigin)
- : WorkerGlobalScope(url, userAgent, thread, topOrigin)
+DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
+ : WorkerGlobalScope(url, userAgent, thread, shouldBypassMainWorldContentSecurityPolicy, topOrigin)
{
}
Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h (196241 => 196242)
--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -42,7 +42,7 @@
class DedicatedWorkerGlobalScope : public WorkerGlobalScope {
public:
typedef WorkerGlobalScope Base;
- static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin);
+ static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
virtual ~DedicatedWorkerGlobalScope();
virtual bool isDedicatedWorkerGlobalScope() const override { return true; }
@@ -60,7 +60,7 @@
DedicatedWorkerThread& thread();
private:
- DedicatedWorkerGlobalScope(const URL&, const String& userAgent, DedicatedWorkerThread&, PassRefPtr<SecurityOrigin> topOrigin);
+ DedicatedWorkerGlobalScope(const URL&, const String& userAgent, DedicatedWorkerThread&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
};
} // namespace WebCore
Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -38,8 +38,8 @@
namespace WebCore {
-DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
- : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, topOrigin)
+DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
+ : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin)
, m_workerObjectProxy(workerObjectProxy)
{
}
@@ -48,9 +48,9 @@
{
}
-Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
+Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
{
- return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, topOrigin);
+ return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin);
}
void DedicatedWorkerThread::runEventLoop()
Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.h (196241 => 196242)
--- trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -48,11 +48,11 @@
WorkerObjectProxy& workerObjectProxy() const { return m_workerObjectProxy; }
protected:
- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) override;
+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin) override;
virtual void runEventLoop() override;
private:
- DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
+ DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
WorkerObjectProxy& m_workerObjectProxy;
};
Modified: trunk/Source/WebCore/workers/Worker.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/Worker.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/Worker.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -87,6 +87,8 @@
if (scriptURL.isEmpty())
return nullptr;
+ worker->m_shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
+
// The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners.
worker->setPendingActivity(worker.ptr());
@@ -166,7 +168,7 @@
dispatchEvent(Event::create(eventNames().errorEvent, false, true));
else {
const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders = m_contentSecurityPolicyResponseHeaders ? m_contentSecurityPolicyResponseHeaders.value() : scriptExecutionContext()->contentSecurityPolicy()->responseHeaders();
- m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, DontPauseWorkerGlobalScopeOnStart);
+ m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, m_shouldBypassMainWorldContentSecurityPolicy, DontPauseWorkerGlobalScopeOnStart);
InspectorInstrumentation::scriptImported(scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script());
}
m_scriptLoader = nullptr;
Modified: trunk/Source/WebCore/workers/Worker.h (196241 => 196242)
--- trunk/Source/WebCore/workers/Worker.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/Worker.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -86,6 +86,7 @@
RefPtr<WorkerScriptLoader> m_scriptLoader;
WorkerGlobalScopeProxy* m_contextProxy; // The proxy outlives the worker to perform thread shutdown.
Optional<ContentSecurityPolicyResponseHeaders> m_contentSecurityPolicyResponseHeaders;
+ bool m_shouldBypassMainWorldContentSecurityPolicy { false };
};
} // namespace WebCore
Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -62,12 +62,13 @@
namespace WebCore {
-WorkerGlobalScope::WorkerGlobalScope(const URL& url, const String& userAgent, WorkerThread& thread, PassRefPtr<SecurityOrigin> topOrigin)
+WorkerGlobalScope::WorkerGlobalScope(const URL& url, const String& userAgent, WorkerThread& thread, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin)
: m_url(url)
, m_userAgent(userAgent)
, m_script(std::make_unique<WorkerScriptController>(this))
, m_thread(thread)
, m_closing(false)
+ , m_shouldBypassMainWorldContentSecurityPolicy(shouldBypassMainWorldContentSecurityPolicy)
, m_eventQueue(*this)
, m_topOrigin(topOrigin)
{
Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.h (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -67,6 +67,8 @@
virtual void disableEval(const String& errorMessage) override;
+ bool shouldBypassMainWorldContentSecurityPolicy() const override final { return m_shouldBypassMainWorldContentSecurityPolicy; }
+
WorkerScriptController* script() { return m_script.get(); }
void clearScript() { m_script = nullptr; }
@@ -130,7 +132,7 @@
#endif
protected:
- WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, PassRefPtr<SecurityOrigin> topOrigin);
+ WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin);
void applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders&);
virtual void logExceptionToConsole(const String& errorMessage, const String& sourceURL, int lineNumber, int columnNumber, RefPtr<Inspector::ScriptCallStack>&&) override;
@@ -159,6 +161,7 @@
WorkerThread& m_thread;
bool m_closing;
+ bool m_shouldBypassMainWorldContentSecurityPolicy;
HashSet<Observer*> m_workerObservers;
Modified: trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -49,7 +49,7 @@
virtual ~WorkerGlobalScopeProxy() { }
- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) = 0;
+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode) = 0;
virtual void terminateWorkerGlobalScope() = 0;
Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -72,12 +72,12 @@
|| (is<WorkerGlobalScope>(*m_scriptExecutionContext) && currentThread() == downcast<WorkerGlobalScope>(*m_scriptExecutionContext).thread().threadID()));
}
-void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, WorkerThreadStartMode startMode)
+void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode startMode)
{
// FIXME: This need to be revisited when we support nested worker one day
ASSERT(m_scriptExecutionContext);
Document& document = downcast<Document>(*m_scriptExecutionContext);
- RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, document.topOrigin());
+ RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, document.topOrigin());
workerThreadCreated(thread);
thread->start();
}
Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.h (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -52,7 +52,7 @@
// Implementations of WorkerGlobalScopeProxy.
// (Only use these methods in the worker object thread.)
- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) override;
+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, WorkerThreadStartMode) override;
virtual void terminateWorkerGlobalScope() override;
virtual void postMessageToWorkerGlobalScope(PassRefPtr<SerializedScriptValue>, std::unique_ptr<MessagePortChannelArray>) override;
virtual bool hasPendingActivity() const override;
Modified: trunk/Source/WebCore/workers/WorkerThread.cpp (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -70,31 +70,33 @@
struct WorkerThreadStartupData {
WTF_MAKE_NONCOPYABLE(WorkerThreadStartupData); WTF_MAKE_FAST_ALLOCATED;
public:
- WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
+ WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
URL m_scriptURL;
String m_userAgent;
String m_sourceCode;
WorkerThreadStartMode m_startMode;
ContentSecurityPolicyResponseHeaders m_contentSecurityPolicyResponseHeaders;
+ bool m_shouldBypassMainWorldContentSecurityPolicy;
RefPtr<SecurityOrigin> m_topOrigin;
};
-WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
+WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
: m_scriptURL(scriptURL.isolatedCopy())
, m_userAgent(userAgent.isolatedCopy())
, m_sourceCode(sourceCode.isolatedCopy())
, m_startMode(startMode)
, m_contentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders.isolatedCopy())
+ , m_shouldBypassMainWorldContentSecurityPolicy(shouldBypassMainWorldContentSecurityPolicy)
, m_topOrigin(topOrigin ? &topOrigin->isolatedCopy().get() : nullptr)
{
}
-WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
+WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin)
: m_threadID(0)
, m_workerLoaderProxy(workerLoaderProxy)
, m_workerReportingProxy(workerReportingProxy)
- , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, topOrigin))
+ , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, shouldBypassMainWorldContentSecurityPolicy, topOrigin))
#if ENABLE(NOTIFICATIONS) || ENABLE(LEGACY_NOTIFICATIONS)
, m_notificationClient(0)
#endif
@@ -144,7 +146,7 @@
{
LockHolder lock(m_threadCreationMutex);
- m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_topOrigin.release());
+ m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_shouldBypassMainWorldContentSecurityPolicy, m_startupData->m_topOrigin.release());
if (m_runLoop.terminated()) {
// The worker was terminated before the thread had a chance to run. Since the context didn't exist yet,
Modified: trunk/Source/WebCore/workers/WorkerThread.h (196241 => 196242)
--- trunk/Source/WebCore/workers/WorkerThread.h 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/workers/WorkerThread.h 2016-02-07 22:26:46 UTC (rev 196242)
@@ -68,10 +68,10 @@
#endif
protected:
- WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
+ WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, const SecurityOrigin* topOrigin);
// Factory method for creating a new worker context for the thread.
- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) = 0;
+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, bool shouldBypassMainWorldContentSecurityPolicy, PassRefPtr<SecurityOrigin> topOrigin) = 0;
// Executes the event loop for the worker thread. Derived classes can override to perform actions before/after entering the event loop.
virtual void runEventLoop();
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (196241 => 196242)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-07 19:25:31 UTC (rev 196241)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-07 22:26:46 UTC (rev 196242)
@@ -498,8 +498,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = ContentSecurityPolicy::shouldBypassMainWorldContentSecurityPolicy(*scriptExecutionContext());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, shouldBypassMainWorldContentSecurityPolicy)) {
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
