Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1110)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/page/DOMSecurityPolicy.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed broken nonce behavior on script redirects. Added test for redirects as well. Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/page/ContentSecurityPolicy.cpp ('K') | « Source/core/page/ContentSecurityPolicy.cpp ('k') | Source/core/workers/AbstractWorker.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/page/DOMSecurityPolicy.cpp
diff --git a/Source/core/page/DOMSecurityPolicy.cpp b/Source/core/page/DOMSecurityPolicy.cpp
index 97f91bc5c20e8f74c1db16ee7e3b262a231ed363..5d6e439beeae6d69d453bd7f1f255e8f57b14f00 100644
--- a/Source/core/page/DOMSecurityPolicy.cpp
+++ b/Source/core/page/DOMSecurityPolicy.cpp
@@ -70,6 +70,28 @@ bool isAllowedWithURL(ScriptExecutionContext* context, const String& url)
return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentSecurityPolicy::SuppressReport);
}
+template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, bool, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url, bool validNonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ KURL parsedURL = context->completeURL(url);
+ if (!parsedURL.isValid())
+ return false; // FIXME: Figure out how to throw a JavaScript error.
+
+ return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, validNonce, ContentSecurityPolicy::SuppressReport);
+}
+
+template<bool (ContentSecurityPolicy::*allowWithNonce)(bool, const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithNonce(ScriptExecutionContext* context, bool validNonce)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ return (context->contentSecurityPolicy()->*allowWithNonce)(validNonce, String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
+}
abarth-chromium 2013/05/16 00:59:27 I don't understand why this code is needed. Can w
jww 2013/05/16 20:59:00 Done.
+
template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
bool isAllowed(ScriptExecutionContext* context)
{
@@ -107,7 +129,7 @@ PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const
bool DOMSecurityPolicy::allowsInlineScript() const
{
- return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext());
+ return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionContext(), false);
}
bool DOMSecurityPolicy::allowsInlineStyle() const
@@ -166,7 +188,7 @@ bool DOMSecurityPolicy::allowsPluginType(const String& type) const
bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
{
- return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url);
+ return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url, false);
}
bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const
« Source/core/page/ContentSecurityPolicy.cpp ('K') | « Source/core/page/ContentSecurityPolicy.cpp ('k') | Source/core/workers/AbstractWorker.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698