Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1348)

Unified Diff: Source/core/page/DOMSecurityPolicy.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: Source/core/page/DOMSecurityPolicy.cpp
diff --git a/Source/core/page/DOMSecurityPolicy.cpp b/Source/core/page/DOMSecurityPolicy.cpp
index 97f91bc5c20e8f74c1db16ee7e3b262a231ed363..bacf8ae68b6fbe5518fecb6656332e2eae8b9f51 100644
--- a/Source/core/page/DOMSecurityPolicy.cpp
+++ b/Source/core/page/DOMSecurityPolicy.cpp
@@ -70,6 +70,28 @@ bool isAllowedWithURL(ScriptExecutionContext* context, const String& url)
return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentSecurityPolicy::SuppressReport);
}
+template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, const String&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url, const String& nonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ KURL parsedURL = context->completeURL(url);
+ if (!parsedURL.isValid())
+ return false; // FIXME: Figure out how to throw a JavaScript error.
+
+ return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, nonce, ContentSecurityPolicy::SuppressReport);
+}
+
+template<bool (ContentSecurityPolicy::*allowWithNonce)(const String&, const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithNonce(ScriptExecutionContext* context, const String& nonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ return (context->contentSecurityPolicy()->*allowWithNonce)(nonce, String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
+}
+
template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
bool isAllowed(ScriptExecutionContext* context)
{
@@ -78,7 +100,6 @@ bool isAllowed(ScriptExecutionContext* context)
return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
}
-
abarth-chromium 2013/05/14 05:58:16 You should leave this blank line.
jww 2013/05/14 20:49:30 Done.
} // namespace
DOMSecurityPolicy::DOMSecurityPolicy(ScriptExecutionContext* context)
@@ -107,7 +128,7 @@ PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const
bool DOMSecurityPolicy::allowsInlineScript() const
{
- return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext());
+ return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext(), String());
}
bool DOMSecurityPolicy::allowsInlineStyle() const
@@ -166,7 +187,7 @@ bool DOMSecurityPolicy::allowsPluginType(const String& type) const
bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
{
- return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url);
+ return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url, String());
}
bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const

Powered by Google App Engine
This is Rietveld 408576698