Unified Diff: Source/core/frame/ContentSecurityPolicy.cpp

Issue 142113004: CSP 1.1: Ignore 'unsafe-inline' in presence of hashes or nonces. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 6 years, 11 months ago
Index: Source/core/frame/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/ContentSecurityPolicy.cpp b/Source/core/frame/ContentSecurityPolicy.cpp
index 378c17bf983353b9b11d52bdb65306e417492a7f..2024cfd3b356b1fd68a5a63a4bd4a70f5218e6f2 100644
--- a/Source/core/frame/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/ContentSecurityPolicy.cpp
@@ -302,6 +302,8 @@ public:
bool allowHash(const SourceHashValue& hashValue) const { return m_hashes.contains(hashValue); }
uint8_t hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; }
+ bool isHashOrNoncePresent() const { return !m_nonces.isEmpty() || m_hashAlgorithmsUsed != ContentSecurityPolicy::HashAlgorithmsNone; }
+
private:
bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard);
bool parseScheme(const UChar* begin, const UChar* end, String& scheme);
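Review bot: isHashOrNoncePresent() on the added line decides "a hash source is present" from the m_hashAlgorithmsUsed bitmask, while the neighbouring allowHash() consults m_hashes; if the parser records the algorithm before it validates the digest (the parser is outside this hunk, so I cannot tell), a malformed hash source would switch off 'unsafe-inline' while never matching any script. Consider `return !m_nonces.isEmpty() || !m_hashes.isEmpty();` so both checks agree on what counts as a hash source, or confirm that m_hashAlgorithmsUsed is only set once a digest is actually stored. A short comment on the new method would also help a reader who does not know the 1.1 rule: `// CSP 1.1: a nonce or hash source in the list makes 'unsafe-inline' ineffective.` The enclosing class's header lies outside the hunk.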
@@ -846,6 +848,7 @@ public:
bool allowEval() const { return m_sourceList.allowEval(); }
bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(nonce.stripWhiteSpace()); }
bool allowHash(const SourceHashValue& hashValue) const { return m_sourceList.allowHash(hashValue); }
+ bool isHashOrNoncePresent() const { return m_sourceList.isHashOrNoncePresent(); }
uint8_t hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed(); }
@@ -1005,7 +1008,7 @@ bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
{
- return !directive || directive->allowInline();
+ return !directive || (directive->allowInline() && !directive->isHashOrNoncePresent());
jochen (gone - plz use gerrit) 2014/01/20 09:17:37 just a general note. checkInline() is a poor name.
}
bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
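Review bot: The new return on the `+` line encodes the CSP 1.1 precedence rule (a nonce or hash source makes 'unsafe-inline' a no-op) without saying so, and a reader of checkInline() alone cannot tell that the extra condition is a deliberate hardening rather than an oddity. I'd add above the return: `// CSP 1.1: 'unsafe-inline' is ignored when the source list also carries a nonce or hash, so inline content must be nonced or hashed to run.` Note that allowInline() itself still answers true for such a directive; only checkInline() gives the effective answer, so any other caller of allowInline() elsewhere in the file (not visible here) should be audited to make sure it is not used as an authorization decision.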
@@ -1073,8 +1076,12 @@ bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct
return true;
String suffix = String();
- if (directive == m_defaultSrc)
+ if (directive->allowInline() && directive->isHashOrNoncePresent()) {
+ // If inline is allowed, but a hash or nonce is present, we ignore 'unsafe-inline'. Throw a reasonable error.
+ suffix = " Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.";
+ } else if (directive == m_defaultSrc) {
suffix = " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, so 'default-src' is used as a fallback.";
+ }
reportViolationWithLocation(directive->text(), isScript ? scriptSrc : styleSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
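Review bot: The new `else if` on the changed line drops the default-src fallback note whenever the 'unsafe-inline' note fires, yet the two facts are independent: a policy like `default-src 'self' 'unsafe-inline' 'nonce-…'` with no script-src now tells the author 'unsafe-inline' is ignored but not that 'script-src' was never set, which is the more likely thing to fix. Make the notes cumulative: change `} else if (directive == m_defaultSrc) {` to `}` followed by `if (directive == m_defaultSrc) {`, and the assignment to `suffix = suffix + " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, so 'default-src' is used as a fallback.";`. The added `directive->allowInline()` dereference is safe only if the `return true;` just above is reached for a null directive, which checkInline() does return for, but the condition guarding that return sits outside the hunk; worth confirming. The linked expected-output file appears to cover only a script nonce; if not already present, a hash case and a style-src case would pin the rest of the rule.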