Implementation of W3C compliant CSP script-src nonce.

Source/core/page/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 51 matching lines @@
     return isASCIIAlphanumeric(c) || c == '-';
 }
 
 bool isDirectiveValueCharacter(UChar c)
 {
     return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
 }
 
 bool isNonceCharacter(UChar c)
 {
-    return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
+    return isASCIIAlphanumeric(c);
 }
 
 bool isSourceCharacter(UChar c)
 {
     return !isASCIISpace(c);
 }
 
 bool isPathComponentCharacter(UChar c)
 {
     return c != '?' && c != '#';
@@ skipping 34 matching lines @@
 static const char objectSrc[] = "object-src";
 static const char reportURI[] = "report-uri";
 static const char sandbox[] = "sandbox";
 static const char scriptSrc[] = "script-src";
 static const char styleSrc[] = "style-src";
 
 // CSP 1.1 Directives
 static const char baseURI[] = "base-uri";
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
 static const char scriptNonce[] = "script-nonce";

[Mike West, 2013/05/14 08:07:38]

You can kill this now, I believe.

[jww, 2013/05/14 20:49:30]

Done.

 static const char reflectedXSS[] = "reflected-xss";
 
 bool isDirectiveName(const String& name)
 {
     return (equalIgnoringCase(name, connectSrc)
         || equalIgnoringCase(name, defaultSrc)
         || equalIgnoringCase(name, fontSrc)
         || equalIgnoringCase(name, frameSrc)
         || equalIgnoringCase(name, imgSrc)
         || equalIgnoringCase(name, mediaSrc)
         || equalIgnoringCase(name, objectSrc)
         || equalIgnoringCase(name, reportURI)
         || equalIgnoringCase(name, sandbox)
         || equalIgnoringCase(name, scriptSrc)
         || equalIgnoringCase(name, styleSrc)
         || equalIgnoringCase(name, baseURI)
         || equalIgnoringCase(name, formAction)
         || equalIgnoringCase(name, pluginTypes)
         || equalIgnoringCase(name, scriptNonce)

[Mike West, 2013/05/14 08:07:38]

And this.

[jww, 2013/05/14 20:49:30]

Done.

         || equalIgnoringCase(name, reflectedXSS)
     );
 }
 
 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type)
 {
     switch (type) {
     case ContentSecurityPolicy::PrefixedEnforce:
         return UseCounter::PrefixedContentSecurityPolicy;
     case ContentSecurityPolicy::Enforce:
@@ skipping 156 matching lines @@
 };
 
 class CSPSourceList {
 public:
     CSPSourceList(ContentSecurityPolicy*, const String& directiveName);
 
     void parse(const String&);
     bool matches(const KURL&);
     bool allowInline() const { return m_allowInline; }
     bool allowEval() const { return m_allowEval; }
+    bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_nonces.contains(nonce); }
 
 private:
     void parse(const UChar* begin, const UChar* end);
 
     bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard);
     bool parseScheme(const UChar* begin, const UChar* end, String& scheme);
     bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hostHasWildcard);
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
     bool parsePath(const UChar* begin, const UChar* end, String& path);
 
     void addSourceSelf();
     void addSourceStar();
     void addSourceUnsafeInline();
     void addSourceUnsafeEval();
+    void addSourceNonce(String& nonce);

[abarth-chromium, 2013/05/14 05:58:16]

const String&   <-- we generally use const references unless the parameter is an
out parameter.

[jww, 2013/05/14 20:49:30]

Done.

 
     ContentSecurityPolicy* m_policy;
     Vector<CSPSource> m_list;
     String m_directiveName;
     bool m_allowStar;
     bool m_allowInline;
     bool m_allowEval;
+    // Set of nonces that indicate whitelisted scripts

[abarth-chromium, 2013/05/14 05:58:16]

I'd skip this comment.  CSPSourceList isn't specific to scripts, so this comment
is going to be wrong once we add nonce support to style-src.

[jww, 2013/05/14 20:49:30]

Done.

+    HashSet<String> m_nonces;
 };
 
 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& directiveName)
     : m_policy(policy)
     , m_directiveName(directiveName)
     , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
 {
 }
@@ skipping 84 matching lines @@
     if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) {
         addSourceUnsafeInline();
         return true;
     }
 
     if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) {
         addSourceUnsafeEval();
         return true;
     }
 
-    const UChar* position = begin;
+    const UChar* position;

[abarth-chromium, 2013/05/14 05:58:16]

There's no reason to have this variable declared here.  We should move it down
to line 486 so that you can declare and initialize it at the same time.

[jww, 2013/05/14 20:49:30]

I declared it up here because I actually use it in the 'if' statement directly
below it. Is that okay, or do you think I should use a new variable instead
within the 'if' statement?

EDIT: I like Mike's suggestion of factoring all this code into its own
parseNonce function, so I believe my question above is now irrelevant.
On 2013/05/14 05:58:16, abarth wrote:

+
+    const char noncePrefix[] = "'nonce-";
+    const int noncePrefixLen = strlen(noncePrefix);

[abarth-chromium, 2013/05/14 05:58:16]

It's better if you use a String that's an ASCIILiteral.  Then the compiler will
compute the length for you.

[jww, 2013/05/14 20:49:30]

I'm unclear on how to get the length in a compiler-friendly way if I declare an
ASCIILiteral. However, I noticed that there's a common use of
DEFINE_STATIC_LOCAL to make String objects from ASCIILiterals, so I changed it
to use that. Let me know if that's acceptable or unacceptable.
On 2013/05/14 05:58:16, abarth wrote:

+
+    if (equalIgnoringCase(noncePrefix, begin, noncePrefixLen) && (*(end - 1) == '\'')) {

[abarth-chromium, 2013/05/14 05:58:16]

There's no reason to check the end - 1 condition.  If the ' isn't in the right
place, we want to error out on line 479 rather than try to consume the the
directive another way.

[Mike West, 2013/05/14 08:07:38]

Given the length, it might also be reasonable to split this block out into
'parseNonce()', similar to the 'parseHost()', etc. we use in other places in
this function.

[jww, 2013/05/14 20:49:30]

Done.

[jww, 2013/05/14 20:49:30]

Done.

+        String nonce;
+        const UChar* nonceBegin = position = begin + noncePrefixLen;

[abarth-chromium, 2013/05/14 05:58:16]

We generally don't use compound statements like this one.  It's more readable if
you use two lines.

[jww, 2013/05/14 20:49:30]

Done.

+        skipWhile<isNonceCharacter>(position, end);
+
+        // According to the W3C spec, we need to accept the empty string as a
+        // valid nonce (that is, "script-src 'nonce-'" is valid and is a nonce
+        // of the empty string ""). Hence why we do a <= comparrion rather than
+        // just a < comparrison.
+        if (nonceBegin <= position) {

[abarth-chromium, 2013/05/14 05:58:16]

There's no way this can fail to be true.  I'd just make this an ASSERT and not
worry about handling the case where it's not true.

[jww, 2013/05/14 20:49:30]

Done.

+            nonce = String(nonceBegin, position - nonceBegin);
+        } else {
+            // This is a really odd error condition. Maybe this should be an
+            // ASSERT or do-not-reach?
+            return false;
+        }
+
+        if ((position + 1) != end  && *position != '\'') {
+            // There is an invalid nonce character here. We should report the
+            // invalid character, but also eat up any characters until the
+            // single quote.
+            position = end;

[abarth-chromium, 2013/05/14 05:58:16]

Position is a local variable.  THere's no reason to do this assignment.

[jww, 2013/05/14 20:49:30]

Whoops. Remnants of an old misunderstanding :-)
On 2013/05/14 05:58:16, abarth wrote:

+            return false;
+        }
+
+        addSourceNonce(nonce);
+        return true;
+    }
+
+    position = begin;
     const UChar* beginHost = begin;
     const UChar* beginPath = end;
     const UChar* beginPort = 0;
 
     skipWhile<isNotColonOrSlash>(position, end);
 
     if (position == end) {
         // host
         //     ^
         return parseHost(beginHost, position, host, hostHasWildcard);
@@ skipping 195 matching lines @@
 void CSPSourceList::addSourceUnsafeInline()
 {
     m_allowInline = true;
 }
 
 void CSPSourceList::addSourceUnsafeEval()
 {
     m_allowEval = true;
 }
 
+void CSPSourceList::addSourceNonce(String& nonce)
+{
+    m_nonces.add(String(nonce));

[abarth-chromium, 2013/05/14 05:58:16]

There's no reason to call the String constructor again here.

[jww, 2013/05/14 20:49:30]

Done.

+}
+
 class CSPDirective {
 public:
     CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
         : m_name(name)
         , m_text(name + ' ' + value)
         , m_policy(policy)
     {
     }
 
     const String& text() const { return m_text; }
 
 protected:
     const ContentSecurityPolicy* policy() const { return m_policy; }
 
 private:
     String m_name;
     String m_text;
     ContentSecurityPolicy* m_policy;
 };
 
-class NonceDirective : public CSPDirective {
-public:
-    NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
-        : CSPDirective(name, value, policy)
-    {
-        parse(value);
-    }
-
-    bool allows(const String& nonce) const
-    {
-        return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
-    }
-
-private:
-    void parse(const String& value)
-    {
-        String nonce;
-        const UChar* position = value.characters();
-        const UChar* end = position + value.length();
-
-        skipWhile<isASCIISpace>(position, end);
-        const UChar* nonceBegin = position;
-        if (position == end) {
-            policy()->reportInvalidNonce(String());
-            m_scriptNonce = "";
-            return;
-        }
-        skipWhile<isNonceCharacter>(position, end);
-        if (nonceBegin < position)
-            nonce = String(nonceBegin, position - nonceBegin);
-
-        // Trim off trailing whitespace: If we're not at the end of the string, log
-        // an error.
-        skipWhile<isASCIISpace>(position, end);
-        if (position < end) {
-            policy()->reportInvalidNonce(value);
-            m_scriptNonce = "";
-        } else
-            m_scriptNonce = nonce;
-    }
-
-    String m_scriptNonce;
-};
-
 class MediaListDirective : public CSPDirective {
 public:
     MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
         : CSPDirective(name, value, policy)
     {
         parse(value);
     }
 
     bool allows(const String& type)
     {
@@ skipping 72 matching lines @@
         m_sourceList.parse(value);
     }
 
     bool allows(const KURL& url)
     {
         return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
+    bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(nonce.stripWhiteSpace()); }
 
 private:
     CSPSourceList m_sourceList;
 };
 
 class CSPDirectiveList {
     WTF_MAKE_FAST_ALLOCATED;
 public:
     static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicy::HeaderType);
 
     const String& header() const { return m_header; }
     ContentSecurityPolicy::HeaderType headerType() const { return m_headerType; }
 
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const;
-    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL&) const;
     bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
 
     bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
+    bool allowNonce(const String&) const;
 
     void gatherReportURIs(DOMStringList&) const;
     const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage; }
     ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<KURL>& reportURIs() const { return m_reportURIs; }
 
 private:
     CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
 
     void parse(const String&);
 
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     void parseReportURI(const String& name, const String& value);
-    void parseScriptNonce(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 
     template <class CSPDirectiveType>
     void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
 
     SourceListDirective* operativeDirective(SourceListDirective*) const;
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
 
     bool checkEval(SourceListDirective*) const;
     bool checkInline(SourceListDirective*) const;
-    bool checkNonce(NonceDirective*, const String&) const;
+    bool checkNonce(SourceListDirective*, const String&) const;
     bool checkSource(SourceListDirective*, const KURL&) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
 
     bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
     bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
-    bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
 
     bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
 
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
 
     ContentSecurityPolicy* m_policy;
 
     String m_header;
     ContentSecurityPolicy::HeaderType m_headerType;
 
     bool m_reportOnly;
     bool m_haveSandboxPolicy;
     ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
 
     OwnPtr<MediaListDirective> m_pluginTypes;
-    OwnPtr<NonceDirective> m_scriptNonce;
     OwnPtr<SourceListDirective> m_baseURI;
     OwnPtr<SourceListDirective> m_connectSrc;
     OwnPtr<SourceListDirective> m_defaultSrc;
     OwnPtr<SourceListDirective> m_fontSrc;
     OwnPtr<SourceListDirective> m_formAction;
     OwnPtr<SourceListDirective> m_frameSrc;
     OwnPtr<SourceListDirective> m_imgSrc;
     OwnPtr<SourceListDirective> m_mediaSrc;
     OwnPtr<SourceListDirective> m_objectSrc;
     OwnPtr<SourceListDirective> m_scriptSrc;
@@ skipping 39 matching lines @@
 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
 {
     return !directive || directive->allowEval();
 }
 
 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
     return !directive || directive->allowInline();
 }
 
-bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
+bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
-    return !directive || directive->allows(nonce);
+    return !directive || directive->allowNonce(nonce);
 }
 
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url) const
 {
     return !directive || directive->allows(url);
 }
 
 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const String& type, const String& typeAttribute) const
 {
     if (!directive)
@@ skipping 18 matching lines @@
         suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";
 
     reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state);
     if (!m_reportOnly) {
         m_policy->reportBlockedScriptExecutionToInspector(directive->text());
         return false;
     }
     return true;
 }
 
-bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
-    if (checkNonce(directive, nonce))
-        return true;
-    reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
-    return denyIfEnforcingPolicy();
-}
-
 bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* directive, const String& type, const String& typeAttribute, const String& consoleMessage) const
 {
     if (checkMediaType(directive, type, typeAttribute))
         return true;
 
     String message = makeString(consoleMessage, "\'", directive->text(), "\'.");
     if (typeAttribute.isEmpty())
         message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
 
     reportViolation(directive->text(), pluginTypes, message + "\n", KURL());
@@ skipping 51 matching lines @@
         suffix = " Note that '" + effectiveDirective + "' was not explicitly set, so 'default-src' is used as a fallback.";
 
     reportViolation(directive->text(), effectiveDirective, prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
     return denyIfEnforcingPolicy();
 }
 
 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")));
     if (reportingStatus == ContentSecurityPolicy::SendReport) {
-        return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
+        return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
     } else {
-        return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(m_scriptNonce.get(), String()));
+        return checkInline(operativeDirective(m_scriptSrc.get()));
     }
 }
 
 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
     if (reportingStatus == ContentSecurityPolicy::SendReport) {
-        return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
+        return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
     } else {
-        return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(m_scriptNonce.get(), String()));
+        return checkInline(operativeDirective(m_scriptSrc.get()));
     }
 }
 
 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline script because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true) :
         checkInline(operativeDirective(m_scriptSrc.get()));
 }
 
 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine, false) :
         checkInline(operativeDirective(m_styleSrc.get()));
 }
 
 bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
         checkEval(operativeDirective(m_scriptSrc.get()));
 }
 
-bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const
-{
-    DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute script because it violates the following Content Security Policy directive: ")));
-    if (url.isEmpty())
-        return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
-    return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.elidedString() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
-}
-
 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, "Refused to load '" + url.elidedString() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
         checkMediaType(m_pluginTypes.get(), type, typeAttribute);
 }
 
 bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
@@ skipping 67 matching lines @@
         checkSource(m_formAction.get(), url);
 }
 
 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) :
         checkSource(m_baseURI.get(), url);
 }
 
+bool CSPDirectiveList::allowNonce(const String& nonce) const
+{
+    return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
 void CSPDirectiveList::parse(const String& policy)
 {
     m_header = policy;
     if (policy.isEmpty())
         return;
 
     const UChar* position = policy.characters();
@@ skipping 186 matching lines @@
         applySandboxPolicy(name, value);
     else if (equalIgnoringCase(name, reportURI))
         parseReportURI(name, value);
     else if (m_policy->experimentalFeaturesEnabled()) {
         if (equalIgnoringCase(name, baseURI))
             setCSPDirective<SourceListDirective>(name, value, m_baseURI);
         else if (equalIgnoringCase(name, formAction))
             setCSPDirective<SourceListDirective>(name, value, m_formAction);
         else if (equalIgnoringCase(name, pluginTypes))
             setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-        else if (equalIgnoringCase(name, scriptNonce))
-            setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
         else if (equalIgnoringCase(name, reflectedXSS))
             parseReflectedXSS(name, value);
         else
             m_policy->reportUnsupportedDirective(name);
     }
     else
         m_policy->reportUnsupportedDirective(name);
 }
 
 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
@@ skipping 85 matching lines @@
 template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowed)(contextURL, contextLine, reportingStatus))
             return false;
     }
     return true;
 }
 
-template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const KURL&) const>
-bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url)
+template<bool (CSPDirectiveList::*allowed)(const String&) const>
+bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
-        if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
+        if (!(policies[i].get()->*allowed)(nonce))
             return false;
     }
     return true;
 }
-
 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
 {
     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
         return true;
 
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowFromURL)(url, reportingStatus))
             return false;
     }
     return true;
 }
 
 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, reportingStatus);
 }
 
-bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowInlineScript(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
-    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus);
+    bool nonceAllowed = isAllowedByAllWithNonce<&CSPDirectiveList::allowNonce>(m_policies, nonce);
+    return nonceAllowed || isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     if (m_overrideInlineStyleAllowed)
         return true;
     return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowEval(ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithState<&CSPDirectiveList::allowEval>(m_policies, state, reportingStatus);
 }
 
 String ContentSecurityPolicy::evalDisabledErrorMessage() const
 {
     for (size_t i = 0; i < m_policies.size(); ++i) {
         if (!m_policies[i]->allowEval(0, SuppressReport))
             return m_policies[i]->evalDisabledErrorMessage();
     }
     return String();
 }
 
-bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const
-{
-    return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
-}
-
 bool ContentSecurityPolicy::allowPluginType(const String& type, const String& typeAttribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     for (size_t i = 0; i < m_policies.size(); ++i) {
         if (!m_policies[i]->allowPluginType(type, typeAttribute, url, reportingStatus))
             return false;
     }
     return true;
 }
 
-bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, const String& nonce, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
-    return isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_policies, url, reportingStatus);
+    bool nonceAllowed = isAllowedByAllWithNonce<&CSPDirectiveList::allowNonce>(m_policies, nonce);
+    return nonceAllowed || isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_policies, url, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus);
@@ skipping 262 matching lines @@
 {
     InspectorInstrumentation::scriptExecutionBlockedByCSP(m_scriptExecutionContext, directiveText);
 }
 
 bool ContentSecurityPolicy::experimentalFeaturesEnabled() const
 {
     return RuntimeEnabledFeatures::experimentalContentSecurityPolicyFeaturesEnabled();
 }
 
 }