Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(600)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/dom/ScriptElement.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed broken nonce behavior on script redirects. Added test for redirects as well. Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.js ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | Source/core/loader/ResourceLoaderOptions.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/dom/ScriptElement.cpp
diff --git a/Source/core/dom/ScriptElement.cpp b/Source/core/dom/ScriptElement.cpp
index b39ba0f764eb9a17d075831ea5b754571f123056..3271784c7c6ae74b184f62b7a1d15094716780f3 100644
--- a/Source/core/dom/ScriptElement.cpp
+++ b/Source/core/dom/ScriptElement.cpp
@@ -254,8 +254,6 @@ bool ScriptElement::requestScript(const String& sourceUrl)
return false;
if (!m_element->inDocument() || m_element->document() != originalDocument)
return false;
- if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_startLineNumber, m_element->document()->completeURL(sourceUrl)))
- return false;
ASSERT(!m_cachedScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
@@ -293,10 +291,9 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
Frame* frame = document->frame();
bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy());
- if (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), document->url(), m_startLineNumber))
- return;
- if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowInlineScript(document->url(), m_startLineNumber)))
+ bool validNonce = document->contentSecurityPolicy()->allowNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
abarth-chromium 2013/05/16 00:59:27 Maybe isValidNonceForScript? Different types of r
jww 2013/05/16 20:59:00 Done.
+ if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurityPolicy()->allowInlineScript(validNonce, document->url(), m_startLineNumber)))
abarth-chromium 2013/05/16 00:59:27 Is there a reason to call allowInlineScript if the
jww 2013/05/16 20:59:00 Sure, I can do this. I guess my thought was to kee
return;
if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) {
« no previous file with comments | « LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.js ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | Source/core/loader/ResourceLoaderOptions.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698