Index: Source/core/frame/ContentSecurityPolicy.cpp |
diff --git a/Source/core/frame/ContentSecurityPolicy.cpp b/Source/core/frame/ContentSecurityPolicy.cpp |
index 4c3cbe42472a78353ff0c53ffac601e356ea6179..ec90e2aab0e3606640956ea8dee1ccbaa4dd1915 100644 |
--- a/Source/core/frame/ContentSecurityPolicy.cpp |
+++ b/Source/core/frame/ContentSecurityPolicy.cpp |
@@ -883,6 +883,7 @@ public: |
bool allowScriptNonce(const String&) const; |
bool allowStyleNonce(const String&) const; |
bool allowScriptHash(const SourceHashValue&) const; |
+ bool allowStyleHash(const SourceHashValue&) const; |
void gatherReportURIs(DOMStringList&) const; |
const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; } |
@@ -1266,6 +1267,11 @@ bool CSPDirectiveList::allowScriptHash(const SourceHashValue& hashValue) const |
return checkHash(operativeDirective(m_scriptSrc.get()), hashValue); |
} |
+bool CSPDirectiveList::allowStyleHash(const SourceHashValue& hashValue) const |
+{ |
+ return checkHash(operativeDirective(m_styleSrc.get()), hashValue); |
+} |
+ |
// policy = directive-list |
// directive-list = [ directive *( ";" [ directive ] ) ] |
// |
@@ -1462,6 +1468,7 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) |
setCSPDirective<SourceListDirective>(name, value, m_imgSrc); |
} else if (equalIgnoringCase(name, styleSrc)) { |
setCSPDirective<SourceListDirective>(name, value, m_styleSrc); |
+ m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); |
} else if (equalIgnoringCase(name, fontSrc)) { |
setCSPDirective<SourceListDirective>(name, value, m_fontSrc); |
} else if (equalIgnoringCase(name, mediaSrc)) { |
@@ -1491,7 +1498,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) |
ContentSecurityPolicy::ContentSecurityPolicy(ExecutionContextClient* client) |
: m_client(client) |
, m_overrideInlineStyleAllowed(false) |
- , m_sourceHashAlgorithmsUsed(HashAlgorithmsNone) |
+ , m_scriptHashAlgorithmsUsed(HashAlgorithmsNone) |
+ , m_styleHashAlgorithmsUsed(HashAlgorithmsNone) |
{ |
} |
@@ -1703,11 +1711,12 @@ bool ContentSecurityPolicy::allowStyleNonce(const String& nonce) const |
return isAllowedByAllWithNonce<&CSPDirectiveList::allowStyleNonce>(m_policies, nonce); |
} |
+// TODO(jww) We don't currently have a WTF SHA256 implementation. Once we |
+// have that, we should implement a proper check for sha256 hash values in |
+// both allowScriptHash and allowStyleHash. |
bool ContentSecurityPolicy::allowScriptHash(const String& source) const |
{ |
- // TODO(jww) We don't currently have a WTF SHA256 implementation. Once we |
- // have that, we should implement a proper check for sha256 hash values here. |
- if (HashAlgorithmsSha1 & m_sourceHashAlgorithmsUsed) { |
+ if (HashAlgorithmsSha1 & m_scriptHashAlgorithmsUsed) { |
Vector<uint8_t, 20> digest; |
SHA1 sourceSha1; |
sourceSha1.addBytes(UTF8Encoding().normalizeAndEncode(source, WTF::EntitiesForUnencodables)); |
@@ -1720,9 +1729,29 @@ bool ContentSecurityPolicy::allowScriptHash(const String& source) const |
return false; |
} |
+bool ContentSecurityPolicy::allowStyleHash(const String& source) const |
+{ |
+ if (HashAlgorithmsSha1 & m_styleHashAlgorithmsUsed) { |
+ Vector<uint8_t, 20> digest; |
+ SHA1 sourceSha1; |
+ sourceSha1.addBytes(UTF8Encoding().normalizeAndEncode(source, WTF::EntitiesForUnencodables)); |
+ sourceSha1.computeHash(digest); |
+ |
+ if (isAllowedByAllWithHash<&CSPDirectiveList::allowStyleHash>(m_policies, SourceHashValue(HashAlgorithmsSha1, Vector<uint8_t>(digest)))) |
+ return true; |
+ } |
+ |
+ return false; |
+} |
+ |
void ContentSecurityPolicy::usesScriptHashAlgorithms(uint8_t algorithms) |
{ |
- m_sourceHashAlgorithmsUsed |= algorithms; |
+ m_scriptHashAlgorithmsUsed |= algorithms; |
+} |
+ |
+void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms) |
+{ |
+ m_styleHashAlgorithmsUsed |= algorithms; |
} |
bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const |
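Review bot: The body of the new `allowStyleHash` repeats the SHA-1 digest block of `allowScriptHash` verbatim (the `Vector<uint8_t, 20> digest` through `computeHash` lines, and the `SourceHashValue(HashAlgorithmsSha1, Vector<uint8_t>(digest))` construction), so the normalization and encoding used to hash inline source now live in two places that must stay identical for the two checks to agree; factor that into one file-static helper returning the `SourceHashValue` and call it from both functions. `allowScriptHash` starts in the previous hunk and its body continues into this one, so only `allowStyleHash` is rewritten below; with the helper in place `allowScriptHash` reduces to the same two-line shape. If `HashAlgorithmsSha1` is a class-scoped enumerator it needs the `ContentSecurityPolicy::` qualifier in a namespace-scope helper. The TODO about SHA-256 placed above `allowScriptHash` in the previous hunk then has a single natural home on the helper.
```cpp
// Digest of an inline source as the CSP hash check sees it: normalized, UTF-8
// encoded, then SHA-1 hashed. Keeping this in one place ensures script and
// style hashes are computed identically.
static SourceHashValue sha1HashOfSource(const String& source)
{
    Vector<uint8_t, 20> digest;
    SHA1 sourceSha1;
    sourceSha1.addBytes(UTF8Encoding().normalizeAndEncode(source, WTF::EntitiesForUnencodables));
    sourceSha1.computeHash(digest);
    return SourceHashValue(HashAlgorithmsSha1, Vector<uint8_t>(digest));
}

bool ContentSecurityPolicy::allowStyleHash(const String& source) const
{
    // Only hash when some style-src actually listed a SHA-1 source; otherwise
    // no policy can match and the digest would be wasted work.
    if (HashAlgorithmsSha1 & m_styleHashAlgorithmsUsed) {
        if (isAllowedByAllWithHash<&CSPDirectiveList::allowStyleHash>(m_policies, sha1HashOfSource(source)))
            return true;
    }

    return false;
}
// … unchanged: usesScriptHashAlgorithms, usesStyleHashAlgorithms …
```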