
Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 1923273002: CSP: Allow hashed inline event handlers only with 'unsafe-hashed-attributes' (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 8 months ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index f3d35c4d8f4fb9f247fe6c42e9448b45a8b179d7..950512fc3bd9385c4a1d926f40470d5a51b68772 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -372,11 +372,11 @@ bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const Strin
return true;
}
-template<bool (CSPDirectiveList::*allowed)(const CSPHashValue&) const>
-bool isAllowedByAllWithHash(const CSPDirectiveListVector& policies, const CSPHashValue& hashValue)
+template<bool (CSPDirectiveList::*allowed)(const CSPHashValue&, ContentSecurityPolicy::InlineType) const>
+bool isAllowedByAllWithHash(const CSPDirectiveListVector& policies, const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type)
{
for (const auto& policy : policies) {
- if (!(policy.get()->*allowed)(hashValue))
+ if (!(policy.get()->*allowed)(hashValue, type))
return false;
}
return true;
@@ -405,8 +405,8 @@ bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, LocalFrame*
return true;
}
-template<bool (CSPDirectiveList::*allowed)(const CSPHashValue&) const>
-bool checkDigest(const String& source, uint8_t hashAlgorithmsUsed, const CSPDirectiveListVector& policies)
+template<bool (CSPDirectiveList::*allowed)(const CSPHashValue&, ContentSecurityPolicy::InlineType) const>
+bool checkDigest(const String& source, ContentSecurityPolicy::InlineType type, uint8_t hashAlgorithmsUsed, const CSPDirectiveListVector& policies)
{
// Any additions or subtractions from this struct should also modify the
// respective entries in the kSupportedPrefixes array in
@@ -431,7 +431,7 @@ bool checkDigest(const String& source, uint8_t hashAlgorithmsUsed, const CSPDire
DigestValue digest;
if (algorithmMap.cspHashAlgorithm & hashAlgorithmsUsed) {
bool digestSuccess = computeDigest(algorithmMap.algorithm, utf8Source.data(), utf8Source.length(), digest);
- if (digestSuccess && isAllowedByAllWithHash<allowed>(policies, CSPHashValue(algorithmMap.cspHashAlgorithm, digest)))
+ if (digestSuccess && isAllowedByAllWithHash<allowed>(policies, CSPHashValue(algorithmMap.cspHashAlgorithm, digest), type))
return true;
}
}
@@ -444,8 +444,12 @@ bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine, reportingStatus);
}
-bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowInlineEventHandler(const String& source, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
+ // Inline event handlers may be whitelisted by hash, if 'unsafe-hash-attributes' is present in a policy. Check
+ // against the digest of the |source| first before proceeding on to checking whether inline script is allowed.
+ if (checkDigest<&CSPDirectiveList::allowScriptHash>(source, InlineType::Attribute, m_scriptHashAlgorithmsUsed, m_policies))
+ return true;
return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, reportingStatus);
}
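Review bot: The added comment in allowInlineEventHandler spells the keyword 'unsafe-hash-attributes', while the issue title spells it 'unsafe-hashed-attributes'; the comment should use the source expression exactly as the parser accepts it, e.g. `// Inline event handlers may be whitelisted by hash, if 'unsafe-hashed-attributes' is present in a policy.` The early `return true` also relies entirely on `CSPDirectiveList::allowScriptHash` rejecting `InlineType::Attribute` when that keyword is absent, and that callee is not part of this file's hunks. A test asserting that a policy with a matching hash but without the keyword still blocks the handler would pin the property this change is meant to enforce. The hash path returns before `reportingStatus` is consulted, which is presumably intended but worth stating in the same comment.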
@@ -528,14 +532,14 @@ bool ContentSecurityPolicy::allowStyleWithNonce(const String& nonce) const
return isAllowedByAllWithNonce<&CSPDirectiveList::allowStyleNonce>(m_policies, nonce);
}
-bool ContentSecurityPolicy::allowScriptWithHash(const String& source) const
+bool ContentSecurityPolicy::allowScriptWithHash(const String& source, InlineType type) const
{
- return checkDigest<&CSPDirectiveList::allowScriptHash>(source, m_scriptHashAlgorithmsUsed, m_policies);
+ return checkDigest<&CSPDirectiveList::allowScriptHash>(source, type, m_scriptHashAlgorithmsUsed, m_policies);
}
-bool ContentSecurityPolicy::allowStyleWithHash(const String& source) const
+bool ContentSecurityPolicy::allowStyleWithHash(const String& source, InlineType type) const
{
- return checkDigest<&CSPDirectiveList::allowStyleHash>(source, m_styleHashAlgorithmsUsed, m_policies);
+ return checkDigest<&CSPDirectiveList::allowStyleHash>(source, type, m_styleHashAlgorithmsUsed, m_policies);
}
bool ContentSecurityPolicy::allowRequest(WebURLRequest::RequestContext context, const KURL& url, RedirectStatus redirectStatus, ReportingStatus reportingStatus) const
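Review bot: allowStyleWithHash now accepts an `InlineType` and forwards it to `allowStyleHash`, but nothing in the visible hunks says what `InlineType::Attribute` means for styles, and the issue title covers only inline event handlers. Because the shared `checkDigest` template forces the same signature on both callees, the parameter may simply be ignored on the style side, or it may let a hash authorise a `style` attribute; the hunks do not show which. I would add a short comment above allowStyleWithHash that states the intended behaviour, for example `// |type| is forwarded to allowStyleHash; see CSPDirectiveList for how Attribute is treated for styles.`, and confirm in CSPDirectiveList that the style path does not widen what a hash source permits.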
