CSP 1.1: Ignore 'unsafe-inline' in presence of hashes or nonces.

Source/core/frame/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 284 matching lines @@
 
     void parse(const UChar* begin, const UChar* end);
 
     bool matches(const KURL&);
     bool allowInline() const { return m_allowInline; }
     bool allowEval() const { return m_allowEval; }
     bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_nonces.contains(nonce); }
     bool allowHash(const SourceHashValue& hashValue) const { return m_hashes.contains(hashValue); }
     uint8_t hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; }
 
+    bool isHashOrNoncePresent() const { return !m_nonces.isEmpty() || m_hashAlgorithmsUsed != ContentSecurityPolicy::HashAlgorithmsNone; }
+
 private:
     bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard);
     bool parseScheme(const UChar* begin, const UChar* end, String& scheme);
     bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hostHasWildcard);
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
     bool parsePath(const UChar* begin, const UChar* end, String& path);
     bool parseNonce(const UChar* begin, const UChar* end, String& nonce);
     bool parseHash(const UChar* begin, const UChar* end, Vector<uint8_t>& hash, ContentSecurityPolicy::HashAlgorithms&);
 
     void addSourceSelf();
@@ skipping 524 matching lines @@
 
     bool allows(const KURL& url)
     {
         return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
     bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(nonce.stripWhiteSpace()); }
     bool allowHash(const SourceHashValue& hashValue) const { return m_sourceList.allowHash(hashValue); }
+    bool isHashOrNoncePresent() const { return m_sourceList.isHashOrNoncePresent(); }
 
     uint8_t hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed(); }
 
 private:
     CSPSourceList m_sourceList;
 };
 
 class CSPDirectiveList {
     WTF_MAKE_FAST_ALLOCATED;
 public:
@@ skipping 139 matching lines @@
     m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header);
 }
 
 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
 {
     return !directive || directive->allowEval();
 }
 
 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
-    return !directive || directive->allowInline();
+    return !directive || (directive->allowInline() && !directive->isHashOrNoncePresent());

[jochen (gone - plz use gerrit), 2014/01/20 09:17:37]

just a general note. checkInline() is a poor name. I guess it checks whether
inline scripts are allowed according to the directive? Maybe a better name would
be something like areInlineScriptsAllowedAccordingToDirective? not really gonna
win a contest with that one either :-/

 }
 
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
     return !directive || directive->allowNonce(nonce);
 }
 
 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHashValue& hashValue) const
 {
     return !directive || directive->allowHash(hashValue);
@@ skipping 47 matching lines @@
     reportViolation(directive->text(), pluginTypes, message + "\n", KURL());
     return denyIfEnforcingPolicy();
 }
 
 bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const
 {
     if (checkInline(directive))
         return true;
 
     String suffix = String();
-    if (directive == m_defaultSrc)
+    if (directive->allowInline() && directive->isHashOrNoncePresent()) {
+        // If inline is allowed, but a hash or nonce is present, we ignore 'unsafe-inline'. Throw a reasonable error.
+        suffix = " Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.";
+    } else if (directive == m_defaultSrc) {
         suffix = " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, so 'default-src' is used as a fallback.";
+    }
 
     reportViolationWithLocation(directive->text(), isScript ? scriptSrc : styleSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
 
     if (!m_reportOnly) {
         if (isScript)
             m_policy->reportBlockedScriptExecutionToInspector(directive->text());
         return false;
     }
     return true;
 }
@@ skipping 931 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace WebCore