CSP: 'eval()' blocked in report-only mode should send a violation report.

CSP: 'eval()' blocked in report-only mode should send a violation report.

Currently, 'eval()' is blocked inside V8 when an enforce-mode Content
Security Policy is specified for a document. Report-only policies don't
trigger this mechanism, and therefore can deliver violation reports
neither to the 'report-uri' in the policy nor the console.

This patch changes ContentSecurityPolicy::didReceiveHeader to disable
eval inside V8 for report-only policies as well, and relies on the
V8Initializer::codeGenerationCheckCallbackInMainThread callback to give
V8 the final go/no-go decision regarding the code's execution.

This patch has the negative performance side-effect of calling back from
V8 to core whenever 'eval()' is encountered on a page with an CSP that
blocks eval. Given that the page isn't expecting to run 'eval()' at all, that
impact seems like something we can live with (though it is fairly
significant).

BUG=248257
R=abarth@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=155752

[Mike West, 2013-07-19 07:22:36]

Hi Adam! This patch follows up on
http://src.chromium.org/viewvc/blink?view=rev&rev=153994 by asking V8 to trigger
the code generation callback for policies in report-only mode. More detail in
the description...

Would you mind taking a look?

-mike

[abarth-chromium, 2013-07-19 08:04:15]

> That impact seems unnoticable in my experimentation

Can you say a bit more about what experiments you ran?

[abarth-chromium, 2013-07-19 08:05:09]

lgtm

[commit-bot: I haz the power, 2013-07-19 08:05:28]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/mkwst@chromium.org/19787002/1

[commit-bot: I haz the power, 2013-07-19 08:24:47]

Retried try job too often on linux_layout for step(s) webkit_lint
http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=linux_layo...

[commit-bot: I haz the power, 2013-07-19 09:22:35]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/mkwst@chromium.org/19787002/1

[Mike West, 2013-07-19 11:12:19]

On 2013/07/19 08:04:15, abarth wrote:
> > That impact seems unnoticable in my experimentation
> 
> Can you say a bit more about what experiments you ran?

I'm glad you asked: I re-ran the test (benchmark.js running `eval('var x = 1 +
1;');` under content shell, after commenting out the expensive console logging
portion of CSP), and realized that I'd screwed up the benchmark.

Eval is about an order of magnitude slower on a page in report-only mode than on
a page that doesn't trigger the callback[1]:. :/

No CSP: eval x 1,185,009 ops/sec ±0.21% (102 runs sampled)
CSP: eval x 106,519 ops/sec ±0.10% (100 runs sampled)

This callback machinery is fairly expensive. I'm not sure what the impact is on
real-world sites, but I'm certainly less confident about landing this now...
clearing the CQ checkbox until we can chat a bit.

---

<!DOCTYPE html>
<html>
<head>
    <!-- <meta http-equiv="Content-Security-Policy-Report-Only"
content="script-src 'unsafe-inline' 'self'"> -->
    <script src="./benchmark.js"></script>
    <script>
      var suite = new Benchmark.Suite;
      suite.add('eval', function () {
        eval('var x = 1 + 1;');
      })
      .on('cycle', function(event) {
        console.log(String(event.target));
      })
      .on('complete', function() {
        console.log('Fastest is ' + this.filter('fastest').pluck('name'));
       })
       .run({ 'async': true });
    </script>
</head>
<body>
</body>
</html>

[abarth-chromium, 2013-07-19 18:19:38]

You might want to try evaling a non-constant string so the compiler can't just
optimize the call to eval away.

[Mike West, 2013-07-22 15:24:39]

On 2013/07/19 18:19:38, abarth wrote:
> You might want to try evaling a non-constant string so the compiler can't just
> optimize the call to eval away.

That makes things less completely miserable. Changing the `eval` line to `i++;
eval('var x = 1 + ' + i);` drops it down to a factor of 2 slower:

No CSP: eval x 56,192 ops/sec ±5.14% (88 runs sampled)
CSP: eval x 26,387 ops/sec ±2.95% (95 runs sampled)

It's still more than I expected. I don't have any good ideas about speeding it
up, however.

[Mike West, 2013-07-22 15:28:14]

On 2013/07/19 18:19:38, abarth wrote:
> You might want to try evaling a non-constant string so the compiler can't just
> optimize the call to eval away.

Hrm. codereview ate my comment, apologies if it somehow appears twice.

Changing the eval to `eval("var x = 1 + " + (i++));` reduces the gap to a factor
of two:

No CSP: eval x 56,192 ops/sec ±5.14% (88 runs sampled)
CSP: eval x 26,422 ops/sec ±3.20% (90 runs sampled)

That's still not brilliant, but I don't have good ideas about reducing the gap
further.

[Mike West, 2013-07-22 15:32:06]

On 2013/07/22 15:28:14, Mike West wrote:
> On 2013/07/19 18:19:38, abarth wrote:
> > You might want to try evaling a non-constant string so the compiler can't
just
> > optimize the call to eval away.
> 
> Hrm. codereview ate my comment, apologies if it somehow appears twice.
> 
> Changing the eval to `eval("var x = 1 + " + (i++));` reduces the gap to a
factor
> of two:
> 
> No CSP: eval x 56,192 ops/sec ±5.14% (88 runs sampled)
> CSP: eval x 26,422 ops/sec ±3.20% (90 runs sampled)

Ran things one more time, since I apparently can't copy/paste consistently:

No CSP:
macpro [17:30] thir…arty/WebKit $ ../../out/Release/Content\
Shell.app/Contents/MacOS/Content\ Shell http://127.0.0.1:8001/eval.html
--enable-benchmarking
[93358:1799:0722/173111:32894956003470:INFO:CONSOLE(15)] "eval x 56,086 ops/sec
±5.09% (88 runs sampled)", source: http://127.0.0.1:8001/eval.html (15)
[93358:1799:0722/173111:32894975196116:INFO:CONSOLE(18)] "Fastest is eval",
source: http://127.0.0.1:8001/eval.html (18)
^C
CSP:
macpro [17:31] thir…arty/WebKit $ ../../out/Release/Content\
Shell.app/Contents/MacOS/Content\ Shell http://127.0.0.1:8001/csp-eval.html
--enable-benchmarking
[93370:1799:0722/173127:32910125209446:INFO:CONSOLE(15)] "eval x 26,110 ops/sec
±3.02% (93 runs sampled)", source: http://127.0.0.1:8001/csp-eval.html (15)
[93370:1799:0722/173127:32910129388630:INFO:CONSOLE(18)] "Fastest is eval",
source: http://127.0.0.1:8001/csp-eval.html (18)
^C

[abarth-chromium, 2013-07-22 18:08:37]

A factor of 2 doesn't sound that bad.  The page isn't expecting to call eval at
all, so if it's slower, that doesn't seem like a huge deal.

IMHO, we should implement rate-limiting for CSP reports before landing this CL. 
We could generate a ton of violation reports if the site calls eval in a loop.

[Mike West, 2013-07-22 19:40:28]

On 2013/07/22 18:08:37, abarth wrote:
> A factor of 2 doesn't sound that bad.  The page isn't expecting to call eval
at
> all, so if it's slower, that doesn't seem like a huge deal.
> 
> IMHO, we should implement rate-limiting for CSP reports before landing this
CL. 
> We could generate a ton of violation reports if the site calls eval in a loop.

That makes sense. Where would you like to see that scheduling happen?

Or would you be happier with something more like deduplication? We could save a
list of each report we send, and only send a new report if it doesn't exactly
match one that's already been fired off...

[Mike West, 2013-08-08 08:16:05]

https://codereview.chromium.org/21789002/ landed, which resolves the spam issue
you noted, Adam.

I'll rebase this patch onto ToT and land it this afternoon.

Thanks!

[Mike West, 2013-08-08 08:22:11]

Committed patchset #2 manually as r155752 (presubmit successful).