Crash under ContentSecurityPolicy::reportViolation()

https://bugs.webkit.org/show_bug.cgi?id=264372 rdar://117727308 Reviewed by David Kilzer. The code was doing an early return in this case: ``` if (!usesReportTo && !is<Document>(m_scriptExecutionContext)) return; ``` Then proceeding to downcast m_scriptExecutionContext to a Document. This meant we would do a bad cast in the case where usesReportTo is true. * Source/WebCore/page/csp/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::reportViolation const): Canonical link: https://commits.webkit.org/270393@main
WebKit · Nov 8, 2023 · de70730 · de70730
1 parent 0def6ce
commit de70730
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
@@ -826,15 +826,12 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
     info.sample = violatedDirectiveList.shouldReportSample(effectiveViolatedDirective) ? sourceContent.left(40).toString() : emptyString();
 
     if (!m_client) {
-        if (!usesReportTo && !is<Document>(m_scriptExecutionContext))
+        // Unable to ref the document as it may have started destruction.
+        auto* document = dynamicDowncast<Document>(m_scriptExecutionContext);
+        if (!document || !document->frame())
             return;
 
-        auto& document = downcast<Document>(*m_scriptExecutionContext);
-        auto* frame = document.frame();
-        if (!frame)
-            return;
-
-        info.documentURI = shouldReportProtocolOnly(document.url()) ? document.url().protocol().toString() : document.url().strippedForUseAsReferrer();
+        info.documentURI = shouldReportProtocolOnly(document->url()) ? document->url().protocol().toString() : document->url().strippedForUseAsReferrer();
 
         auto stack = createScriptCallStack(JSExecState::currentState(), 2);
         auto* callFrame = stack->firstNonNativeCallFrame();