
Side by Side Diff: Source/core/page/DOMSecurityPolicy.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed broken nonce behavior on script redirects. Added test for redirects as well. Created 7 years, 7 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2012 Google, Inc. All rights reserved. 2 * Copyright (C) 2012 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after
63 if (!isPolicyActiveInContext(context)) 63 if (!isPolicyActiveInContext(context))
64 return true; 64 return true;
65 65
66 KURL parsedURL = context->completeURL(url); 66 KURL parsedURL = context->completeURL(url);
67 if (!parsedURL.isValid()) 67 if (!parsedURL.isValid())
68 return false; // FIXME: Figure out how to throw a JavaScript error. 68 return false; // FIXME: Figure out how to throw a JavaScript error.
69 69
70 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS ecurityPolicy::SuppressReport); 70 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS ecurityPolicy::SuppressReport);
71 } 71 }
72 72
73 template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, bool, ContentSecurityPolicy::ReportingStatus) const>
74 bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url , bool validNonce)
75 {
76 if (!isPolicyActiveInContext(context))
77 return true;
78
79 KURL parsedURL = context->completeURL(url);
80 if (!parsedURL.isValid())
81 return false; // FIXME: Figure out how to throw a JavaScript error.
82
83 return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, validNonce, ContentSecurityPolicy::SuppressReport);
84 }
85
86 template<bool (ContentSecurityPolicy::*allowWithNonce)(bool, const String&, cons t WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
87 bool isAllowedWithNonce(ScriptExecutionContext* context, bool validNonce)
88 {
89 if (!isPolicyActiveInContext(context))
90 return true;
91
92 return (context->contentSecurityPolicy()->*allowWithNonce)(validNonce, Strin g(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
93 }
abarth-chromium 2013/05/16 00:59:27 I don't understand why this code is needed. Can w
jww 2013/05/16 20:59:00 Done.
94
73 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> 95 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
74 bool isAllowed(ScriptExecutionContext* context) 96 bool isAllowed(ScriptExecutionContext* context)
75 { 97 {
76 if (!isPolicyActiveInContext(context)) 98 if (!isPolicyActiveInContext(context))
77 return true; 99 return true;
78 100
79 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF:: OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); 101 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF:: OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
80 } 102 }
81 103
82 } // namespace 104 } // namespace
(...skipping 17 matching lines...) Expand all
100 RefPtr<DOMStringList> result = DOMStringList::create(); 122 RefPtr<DOMStringList> result = DOMStringList::create();
101 123
102 if (isActive()) 124 if (isActive())
103 scriptExecutionContext()->contentSecurityPolicy()->gatherReportURIs(*res ult.get()); 125 scriptExecutionContext()->contentSecurityPolicy()->gatherReportURIs(*res ult.get());
104 126
105 return result.release(); 127 return result.release();
106 } 128 }
107 129
108 bool DOMSecurityPolicy::allowsInlineScript() const 130 bool DOMSecurityPolicy::allowsInlineScript() const
109 { 131 {
110 return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionC ontext()); 132 return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptE xecutionContext(), false);
111 } 133 }
112 134
113 bool DOMSecurityPolicy::allowsInlineStyle() const 135 bool DOMSecurityPolicy::allowsInlineStyle() const
114 { 136 {
115 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(scriptExecutionCo ntext()); 137 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(scriptExecutionCo ntext());
116 } 138 }
117 139
118 bool DOMSecurityPolicy::allowsEval() const 140 bool DOMSecurityPolicy::allowsEval() const
119 { 141 {
120 if (!isActive()) 142 if (!isActive())
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
159 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(scrip tExecutionContext(), url); 181 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(scrip tExecutionContext(), url);
160 } 182 }
161 183
162 bool DOMSecurityPolicy::allowsPluginType(const String& type) const 184 bool DOMSecurityPolicy::allowsPluginType(const String& type) const
163 { 185 {
164 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExec utionContext(), type); 186 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExec utionContext(), type);
165 } 187 }
166 188
167 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const 189 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
168 { 190 {
169 return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scrip tExecutionContext(), url); 191 return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSourc e>(scriptExecutionContext(), url, false);
170 } 192 }
171 193
172 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const 194 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const
173 { 195 {
174 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(script ExecutionContext(), url); 196 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(script ExecutionContext(), url);
175 } 197 }
176 198
177 } // namespace WebCore 199 } // namespace WebCore
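Review bot: The bare `false` passed at new lines 132 and 191 is the `validNonce` argument of a CSP decision, and nothing at either call site names it or explains why the DOM API always answers as if no nonce were present. Presumably this is deliberate, since `allowsInlineScript()` and `allowsScriptFrom()` have no script element to take a nonce from and the nonce-less answer is the conservative one; a one-line comment such as `// No element to read a nonce from, so report what the policy allows without one.` above each return would record that. A named constant or a two-value enum in place of the `bool` would also make it harder for a later caller to pass `true` without noticing that it bypasses the source-list check.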