Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1517)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/loader/cache/CachedResourceLoader.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixes from comments and nits from Adam and Mike. Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/loader/cache/CachedResourceLoader.h ('K') | « Source/core/loader/cache/CachedResourceLoader.h ('k') | Source/core/page/ContentSecurityPolicy.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/loader/cache/CachedResourceLoader.cpp
diff --git a/Source/core/loader/cache/CachedResourceLoader.cpp b/Source/core/loader/cache/CachedResourceLoader.cpp
index 6f1a33037b25294ae8fea1cae4247c88ef6ae961..8e3d4bfe488d0473d6812081de8a925d6098bd86 100644
--- a/Source/core/loader/cache/CachedResourceLoader.cpp
+++ b/Source/core/loader/cache/CachedResourceLoader.cpp
@@ -146,7 +146,7 @@ CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou
if (Frame* f = frame()) {
if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
KURL requestURL = request.resourceRequest().url();
- if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+ if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, NULL))
abarth-chromium 2013/05/14 21:11:08 NULL -> 0
jww 2013/05/14 22:55:30 Done.
PingLoader::loadImage(f, requestURL);
return 0;
}
@@ -268,7 +268,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
return true;
}
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, PassRefPtr<Element> initiatorElement, bool forPreload)
{
if (document() && !document()->securityOrigin()->canDisplay(url)) {
if (!forPreload)
@@ -308,13 +308,15 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
break;
}
+ const String& nonce = (initiatorElement != NULL) ? initiatorElement->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();
abarth-chromium 2013/05/14 21:11:08 (initiatorElement != NULL) -> initiatorElement
jww 2013/05/14 22:55:30 Done.
+
switch (type) {
case CachedResource::XSLStyleSheet:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+ if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
return false;
break;
case CachedResource::Script:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+ if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
return false;
if (frame()) {
@@ -379,7 +381,7 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache
if (!url.isValid())
return 0;
- if (!canRequest(type, url, request.forPreload()))
+ if (!canRequest(type, url, request.initiatorElement(), request.forPreload()))
return 0;
if (Frame* f = frame())
« Source/core/loader/cache/CachedResourceLoader.h ('K') | « Source/core/loader/cache/CachedResourceLoader.h ('k') | Source/core/page/ContentSecurityPolicy.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698