Chromium Code Reviews Chromium Code Reviews
Issue 14949017:
Implementation of W3C compliant CSP script-src nonce. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| Index: Source/core/page/DOMSecurityPolicy.cpp |
| diff --git a/Source/core/page/DOMSecurityPolicy.cpp b/Source/core/page/DOMSecurityPolicy.cpp |
| index 97f91bc5c20e8f74c1db16ee7e3b262a231ed363..bacf8ae68b6fbe5518fecb6656332e2eae8b9f51 100644 |
| --- a/Source/core/page/DOMSecurityPolicy.cpp |
| +++ b/Source/core/page/DOMSecurityPolicy.cpp |
| @@ -70,6 +70,28 @@ bool isAllowedWithURL(ScriptExecutionContext* context, const String& url) |
| return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentSecurityPolicy::SuppressReport); |
| } |
| +template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, const String&, ContentSecurityPolicy::ReportingStatus) const> |
| +bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url, const String& nonce) |
| +{ |
| + if (!isPolicyActiveInContext(context)) |
| + return true; |
| + |
| + KURL parsedURL = context->completeURL(url); |
| + if (!parsedURL.isValid()) |
| + return false; // FIXME: Figure out how to throw a JavaScript error. |
| + |
| + return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, nonce, ContentSecurityPolicy::SuppressReport); |
| +} |
| + |
| +template<bool (ContentSecurityPolicy::*allowWithNonce)(const String&, const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> |
| +bool isAllowedWithNonce(ScriptExecutionContext* context, const String& nonce) |
| +{ |
| + if (!isPolicyActiveInContext(context)) |
| + return true; |
| + |
| + return (context->contentSecurityPolicy()->*allowWithNonce)(nonce, String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); |
| +} |
| + |
| template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> |
| bool isAllowed(ScriptExecutionContext* context) |
| { |
| @@ -78,7 +100,6 @@ bool isAllowed(ScriptExecutionContext* context) |
| return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); |
| } |
| - |
|
abarth-chromium
2013/05/14 05:58:16
You should leave this blank line.
jww
2013/05/14 20:49:30
Done.
|
| } // namespace |
| DOMSecurityPolicy::DOMSecurityPolicy(ScriptExecutionContext* context) |
| @@ -107,7 +128,7 @@ PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const |
| bool DOMSecurityPolicy::allowsInlineScript() const |
| { |
| - return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext()); |
| + return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext(), String()); |
| } |
| bool DOMSecurityPolicy::allowsInlineStyle() const |
| @@ -166,7 +187,7 @@ bool DOMSecurityPolicy::allowsPluginType(const String& type) const |
| bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const |
| { |
| - return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url); |
| + return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url, String()); |
| } |
| bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const |
