Implementation of W3C compliant CSP script-src nonce.

Source/core/loader/cache/CachedResourceLoader.cpp

Index: Source/core/loader/cache/CachedResourceLoader.cpp
diff --git a/Source/core/loader/cache/CachedResourceLoader.cpp b/Source/core/loader/cache/CachedResourceLoader.cpp
index 6f1a33037b25294ae8fea1cae4247c88ef6ae961..8cd8019db18f88dd3b36505067afebaa670737ea 100644
--- a/Source/core/loader/cache/CachedResourceLoader.cpp
+++ b/Source/core/loader/cache/CachedResourceLoader.cpp
@@ -146,7 +146,7 @@ CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou
     if (Frame* f = frame()) {
         if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
             KURL requestURL = request.resourceRequest().url();
-            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, String()))
                 PingLoader::loadImage(f, requestURL);
             return 0;
         }
@@ -268,7 +268,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
     return true;
 }
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, const String& nonce, bool forPreload)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
         if (!forPreload)
@@ -310,11 +310,11 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
 
     switch (type) {
     case CachedResource::XSLStyleSheet:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
             return false;
         break;
     case CachedResource::Script:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
             return false;
 
         if (frame()) {
@@ -379,7 +379,8 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache
     if (!url.isValid())
         return 0;
 
-    if (!canRequest(type, url, request.forPreload()))
+    const String& nonce = (request.initiatorElement() != NULL) ? request.initiatorElement()->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();

[abarth-chromium, 2013/05/14 05:58:16]

Can we put this in the CachedResourceRequest instead?  Then we can pass the
CachedResourceRequest directly to canRequest instead of exploding out the nonce
and "forPreload" parts of the request.

[jww, 2013/05/14 20:49:30]

This is tough because there are 3 call sites for canRequest, and one of them has
a ResourceRequest, but not a CachedResourceRequest. A not-quite as elegant
version of this would be to pass in an Element* instead. It won't get rid of the
forPreload argument, but it would move the fastGetAttribute into canRequest,
which I think does make sense to do.

On 2013/05/14 05:58:16, abarth wrote:

+    if (!canRequest(type, url, nonce, request.forPreload()))
         return 0;
 
     if (Frame* f = frame())