Chromium Code Reviews Chromium Code Reviews
Issue 14949017:
Implementation of W3C compliant CSP script-src nonce. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| Index: Source/core/dom/ScriptElement.cpp |
| diff --git a/Source/core/dom/ScriptElement.cpp b/Source/core/dom/ScriptElement.cpp |
| index b39ba0f764eb9a17d075831ea5b754571f123056..1b3d28010b6b266a88bc24a8e5291ed4f83216f8 100644 |
| --- a/Source/core/dom/ScriptElement.cpp |
| +++ b/Source/core/dom/ScriptElement.cpp |
| @@ -254,8 +254,6 @@ bool ScriptElement::requestScript(const String& sourceUrl) |
| return false; |
| if (!m_element->inDocument() || m_element->document() != originalDocument) |
| return false; |
| - if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_startLineNumber, m_element->document()->completeURL(sourceUrl))) |
| - return false; |
| ASSERT(!m_cachedScript); |
| if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { |
| @@ -293,10 +291,9 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode) |
| Frame* frame = document->frame(); |
| bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy()); |
| - if (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), document->url(), m_startLineNumber)) |
| - return; |
| - if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowInlineScript(document->url(), m_startLineNumber))) |
| + const String& nonce = m_element->fastGetAttribute(HTMLNames::nonceAttr); |
| + if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowInlineScript(nonce, document->url(), m_startLineNumber))) |
|
Mike West
2013/05/14 08:07:38
Nit: You probably don't need the temp variable her
jww
2013/05/14 20:49:30
Done.
|
| return; |
| if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) { |
