Insert meta tag turning on content-security-protection for chrome://settings, history, downloads ...

Insert meta tag turning on content-security-protection for chrome://settings, history, downloads pages now that the webkit inspector has been revised to stop calling JS eval().
Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=86708

[abarth-chromium, 2011-05-20 22:22:01]

This is fantastic!  LGTM

[Tom Sepez, 2011-05-20 22:48:06]

Heh.  Missed a few in downloads and history:

<body onload="load();"
i18n-values=".style.fontFamily:fontfamily;.style.fontSize:fontsize"> 
<a href="" onclick="setSearch(''); return false;">

[abarth-chromium, 2011-05-20 22:59:59]

Silly inline event handlers.

[Tom Sepez, 2011-05-23 18:16:14]

Please review changes to JS.  Also, I moved the inclusion of the new script down
in the .html files to avoid introducing yet another script once the elements
were defined.


Suggestions on who might also want to look at the JS stylings?

[abarth-chromium, 2011-05-23 18:22:07]

http://codereview.chromium.org/7038046/diff/5001/chrome/browser/resources/dow...
File chrome/browser/resources/downloads.js (right):

http://codereview.chromium.org/7038046/diff/5001/chrome/browser/resources/dow...
chrome/browser/resources/downloads.js:597: $('search-form').onclick = function
() {
Shouldn't one of these be onsubmit?

[Tom Sepez, 2011-05-23 18:26:14]

D'oh.

[Tom Sepez, 2011-05-23 20:37:15]

Current hangup is chrome/test/data/webui/test_api.js ...

  function runTest(currentTest, testArguments) {
    try {
      currentTest = eval(currentTest);
      console.log('Running test ' + currentTest.name);
      currentTest.apply(null, testArguments);
    } catch (e) {
      console.log(
          'Failed: ' + currentTest.name + '\nwith exception: ' + e.message);

      fail(e.message);
      return;
    }

[abarth-chromium, 2011-05-23 20:56:45]

Maybe add 'unsafe-eval' as a script-src for now and then iterate?

Adam


On Mon, May 23, 2011 at 1:37 PM,  <tsepez@chromium.org> wrote:
> Current hangup is chrome/test/data/webui/test_api.js ...
>
>  function runTest(currentTest, testArguments) {
>    try {
>      currentTest = eval(currentTest);
>      console.log('Running test ' + currentTest.name);
>      currentTest.apply(null, testArguments);
>    } catch (e) {
>      console.log(
>          'Failed: ' + currentTest.name + '\nwith exception: ' + e.message);
>
>      fail(e.message);
>      return;
>    }
>
>
> http://codereview.chromium.org/7038046/
>

[Tom Sepez, 2011-05-23 21:00:35]

Can probably replace the eval(currentTest) with this[currentTest], for the cases
where we're passing a string naming a function in global scope. 

On the off chance that some clever person is passing an actual expression that
evaluates to a function object, fall back to eval if this fails.

Glad the eval is in the test code, not the product.

[abarth-chromium, 2011-05-23 21:05:11]

That could work.  maybe try it and see what the trybot thinks.

Adam


On Mon, May 23, 2011 at 2:00 PM,  <tsepez@chromium.org> wrote:
> Can probably replace the eval(currentTest) with this[currentTest], for the
> cases
> where we're passing a string naming a function in global scope.
>
> On the off chance that some clever person is passing an actual expression
> that
> evaluates to a function object, fall back to eval if this fails.
>
> Glad the eval is in the test code, not the product.
>
> http://codereview.chromium.org/7038046/
>

[Tom Sepez, 2011-05-23 22:48:36]

Suspect the RTL failures are caused by
third_party/bidichecker/bidichecker_packaged.js:

...if(b)try{return eval("("+a+")")}catch(c){}...

[abarth-chromium, 2011-05-23 22:58:59]

> ...if(b)try{return eval("("+a+")")}catch(c){}...

^^^ That looks suspiciously like an attempt at JSON.parse.

[Tom Sepez, 2011-05-23 23:43:19]

Interestingly, that eval didn't get hit.  
Time to look for other -- oh:
  var Mb=new Function("a","return a");

(I hate the Function function).

[abarth-chromium, 2011-05-23 23:46:06]

That's easily fixable by using a real function:

var Mb = function(a) { return a; }

On Mon, May 23, 2011 at 4:43 PM,  <tsepez@chromium.org> wrote:
> Interestingly, that eval didn't get hit.
> Time to look for other -- oh:
>  var Mb=new Function("a","return a");
>
> (I hate the Function function).
>
> http://codereview.chromium.org/7038046/
>

[Tom Sepez, 2011-05-24 00:01:48]

and ... window.execScript() for good measure, too.

[abarth-chromium, 2011-05-24 00:04:25]

On 2011/05/24 00:01:48, Tom Sepez wrote:
> and ... window.execScript() for good measure, too.

execScript is being removed from the product as we speak.  If this code is using
it, it's going to break.  Where did we get this code from?

[Tom Sepez, 2011-05-24 00:33:38]

closure/goog/json/json.js:
/**                                                                             
 * Parses a JSON string and returns the result. This throws an exception if     
 * the string is an invalid JSON string.                                        
 *                                                                              
 * Note that this is very slow on large strings. If you trust the source of     
 * the string then you should use unsafeParse instead.                          
 *                                                                              
 * @param {*} s The JSON string to parse.                                       
 * @return {Object} The object generated from the JSON string.                  
 */
goog.json.parse = function(s) {
  var o = String(s);
  if (goog.json.isValid_(o)) {
    /** @preserveTry */
    try {
      return eval('(' + o + ')');
    } catch (ex) {
    }
  }
  throw Error('Invalid JSON string: ' + o);
};



closure/goog/base.js:
/**                                                                             
 * Builds an object structure for the provided namespace path,                  
 * ensuring that names that already exist are not overwritten. For              
 * example:                                                                     
 * "a.b.c" -> a = {};a.b={};a.b.c={};                                           
 * Used by goog.provide and goog.exportSymbol.                                  
 * @param {string} name name of the object that this file defines.              
 * @param {*=} opt_object the object to expose at the end of the path.          
 * @param {Object=} opt_objectToExportTo The object to add the path to; default
 *     is |goog.global|.                                                        
 * @private                                                                     
 */
goog.exportPath_ = function(name, opt_object, opt_objectToExportTo) {
  var parts = name.split('.');
  var cur = opt_objectToExportTo || goog.global;

  // Internet Explorer exhibits strange behavior when throwing errors from      
  // methods externed in this manner.  See the testExportSymbolExceptions in    
  // base_test.html for an example.                                             
  if (!(parts[0] in cur) && cur.execScript) {
    cur.execScript('var ' + parts[0]);
  }
...


closure/goog/reflect/reflect.js:
/**                                                                             
 * To assert to the compiler that an operation is needed when it would          
 * otherwise be stripped. For example:                                          
 * <code>                                                                       
 *     // Force a layout                                                        
 *     goog.reflect.sinkValue(dialog.offsetHeight);                             
 * </code>                                                                      
 * @type {Function}                                                             
 */
goog.reflect.sinkValue = new Function('a', 'return a');

[Tom Sepez, 2011-05-24 21:38:00]

Latest patch takes the easy way out with unsafe-eval.  We still move the inline
handlers out-of-line, just to clear that obstacle while we're at it.

[abarth-chromium, 2011-05-24 21:41:17]

LGTM.  (Not sure if someone else should review this patch also.)

http://codereview.chromium.org/7038046/diff/10002/chrome/test/data/webui/test...
File chrome/test/data/webui/test_api.js (right):

http://codereview.chromium.org/7038046/diff/10002/chrome/test/data/webui/test...
chrome/test/data/webui/test_api.js:63: }
Ok.  (Probably no { } for the if.)

[Tom Sepez, 2011-05-25 18:20:33]

Ok, lets have arv or estade take a look too.

[Tom Sepez, 2011-05-25 18:20:59]

erv, evan -- could you take a look at this?