
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 1420483005: CSP: Don't perform NFC normalization prior to hashing (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@nfc-frame
Patch Set: Flip normalization test, leave wtf/text alone Created 5 years, 1 month ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/csp/CSPDirectiveList.h" 6 #include "core/frame/csp/CSPDirectiveList.h"
7 7
8 #include "core/dom/Document.h" 8 #include "core/dom/Document.h"
9 #include "core/dom/SecurityContext.h" 9 #include "core/dom/SecurityContext.h"
10 #include "core/dom/SpaceSplitString.h" 10 #include "core/dom/SpaceSplitString.h"
11 #include "core/frame/LocalFrame.h" 11 #include "core/frame/LocalFrame.h"
12 #include "core/inspector/ConsoleMessage.h" 12 #include "core/inspector/ConsoleMessage.h"
13 #include "platform/Crypto.h" 13 #include "platform/Crypto.h"
14 #include "platform/ParsingUtilities.h" 14 #include "platform/ParsingUtilities.h"
15 #include "platform/RuntimeEnabledFeatures.h" 15 #include "platform/RuntimeEnabledFeatures.h"
16 #include "platform/network/ContentSecurityPolicyParsers.h" 16 #include "platform/network/ContentSecurityPolicyParsers.h"
17 #include "platform/weborigin/KURL.h" 17 #include "platform/weborigin/KURL.h"
18 #include "wtf/text/Base64.h" 18 #include "wtf/text/Base64.h"
19 #include "wtf/text/StringUTF8Adaptor.h" 19 #include "wtf/text/StringUTF8Adaptor.h"
20 #include "wtf/text/WTFString.h" 20 #include "wtf/text/WTFString.h"
21 21
22 namespace blink { 22 namespace blink {
23 23
24 namespace { 24 namespace {
25 25
26 String getSha256String(const String& content) 26 String getSha256String(const String& content)
27 { 27 {
28 DigestValue digest; 28 DigestValue digest;
29 StringUTF8Adaptor normalizedContent = normalizeSource(content); 29 StringUTF8Adaptor utf8Content(content);
jww 2015/10/29 21:22:14 Since we're supposed to use the "script block's so
jsbell 2015/10/29 22:01:46 Acknowledged.
30 bool digestSuccess = computeDigest(HashAlgorithmSha256, normalizedContent.da ta(), normalizedContent.length(), digest); 30 bool digestSuccess = computeDigest(HashAlgorithmSha256, utf8Content.data(), utf8Content.length(), digest);
31 if (!digestSuccess) { 31 if (!digestSuccess) {
32 return "sha256-..."; 32 return "sha256-...";
33 } 33 }
34 34
35 return "sha256-" + base64Encode(reinterpret_cast<char*>(digest.data()), dige st.size(), Base64DoNotInsertLFs); 35 return "sha256-" + base64Encode(reinterpret_cast<char*>(digest.data()), dige st.size(), Base64DoNotInsertLFs);
36 } 36 }
37 37
38 } 38 }
39 39
40 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) 40 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
(...skipping 756 matching lines...) Expand 10 before | Expand all | Expand 10 after
797 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); 797 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
798 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase( name, ContentSecurityPolicy::Suborigin)) { 798 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase( name, ContentSecurityPolicy::Suborigin)) {
799 applySuboriginPolicy(name, value); 799 applySuboriginPolicy(name, value);
800 } else { 800 } else {
801 m_policy->reportUnsupportedDirective(name); 801 m_policy->reportUnsupportedDirective(name);
802 } 802 }
803 } 803 }
804 804
805 805
806 } // namespace blink 806 } // namespace blink
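Review bot: The new `StringUTF8Adaptor utf8Content(content);` line in getSha256String has no comment saying that skipping normalization is deliberate, and the bytes it produces must now be identical to the ones hashed where the policy's hash sources are checked, which this section does not show. I would add `// Hash the UTF-8 bytes of the content as-is; no Unicode normalization, so this matches the bytes the policy check hashes.` above it, and confirm both sites use the same conversion (ideally one shared helper) so the hash computed here can never differ from the enforced one. How the adaptor encodes content that is not well-formed UTF-16, such as an unpaired surrogate, is not visible here and would be worth pinning with a test next to the flipped normalization test. The unchanged `return "sha256-...";` fallback also deserves a one-line comment saying it is a placeholder for a failed digest, not a usable hash source.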