Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1393)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/page/DOMSecurityPolicy.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixes from comments and nits from Adam and Mike. Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/loader/cache/CachedResourceLoader.cpp ('K') | « Source/core/page/ContentSecurityPolicy.cpp ('k') | Source/core/workers/AbstractWorker.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/page/DOMSecurityPolicy.cpp
diff --git a/Source/core/page/DOMSecurityPolicy.cpp b/Source/core/page/DOMSecurityPolicy.cpp
index 97f91bc5c20e8f74c1db16ee7e3b262a231ed363..a5a0ea981a0dd7203886876bede86e55a1d51ead 100644
--- a/Source/core/page/DOMSecurityPolicy.cpp
+++ b/Source/core/page/DOMSecurityPolicy.cpp
@@ -70,6 +70,28 @@ bool isAllowedWithURL(ScriptExecutionContext* context, const String& url)
return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentSecurityPolicy::SuppressReport);
}
+template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, const String&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url, const String& nonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ KURL parsedURL = context->completeURL(url);
+ if (!parsedURL.isValid())
+ return false; // FIXME: Figure out how to throw a JavaScript error.
+
+ return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, nonce, ContentSecurityPolicy::SuppressReport);
+}
+
+template<bool (ContentSecurityPolicy::*allowWithNonce)(const String&, const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithNonce(ScriptExecutionContext* context, const String& nonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ return (context->contentSecurityPolicy()->*allowWithNonce)(nonce, String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
+}
+
template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
bool isAllowed(ScriptExecutionContext* context)
{
@@ -107,7 +129,7 @@ PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const
bool DOMSecurityPolicy::allowsInlineScript() const
{
- return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext());
+ return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext(), String());
}
bool DOMSecurityPolicy::allowsInlineStyle() const
@@ -166,7 +188,7 @@ bool DOMSecurityPolicy::allowsPluginType(const String& type) const
bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
{
- return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url);
+ return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url, String());
}
bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const
« Source/core/loader/cache/CachedResourceLoader.cpp ('K') | « Source/core/page/ContentSecurityPolicy.cpp ('k') | Source/core/workers/AbstractWorker.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698