Chromium Code Reviews
Description
Fix bug where a second CSP without script-src would cause failure
After an earlier change to make sure report-only mode did not
erroneously cause a policy failure (see
https://codereview.chromium.org/1980533002), the logic was changed so
that checking the script/style nonce would fail if a policy has no nonce
entry for a directive. Unfortunately, this had the side effect of
disallowing scripts/styles if there are two policies, and one allows
inline scripts via nonce, and the other simply did not mention scripts.
This modifies the nonce logic so that the allow[Script|Style]Nonce no
longer returns a simple bool and instead returns a disposition of Allow,
Deny, or NoPolicy. In the last case, this will not cause a failure in
and of itself, and will allow other policies to be processed before a
decision is made.
BUG=614416, 611652
TBR=mkwst@chromium.org
Committed: https://crrev.com/d9341c818db0c3f07aba8ad98e51eeeb71271506
Cr-Commit-Position: refs/heads/master@{#396104}
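The tri-state combination the description outlines, as an added example that is not code from the Chromium change. It is a simplified model: `Policy`, `CheckScriptNonce`, `AllowBoolean` and `Combine` are hypothetical names, and report-only policies are assumed to be skipped when computing the enforcement result.

```cpp
#include <string>
#include <vector>

// Simplified model for illustration; not Blink's implementation.
enum class Disposition { Allow, Deny, NoPolicy };

struct Policy {
    bool has_script_src;              // false: policy never mentions scripts
    std::vector<std::string> nonces;  // nonces listed in script-src
    bool report_only;                 // assumed to be skipped for enforcement
};

// Per-policy nonce check returning a disposition instead of a bool.
Disposition CheckScriptNonce(const Policy& p, const std::string& nonce) {
    if (!p.has_script_src) return Disposition::NoPolicy;
    if (!nonce.empty())
        for (const auto& n : p.nonces)
            if (n == nonce) return Disposition::Allow;
    return Disposition::Deny;
}

// Boolean combination: a policy with no script directive counts as a
// failure, which is the regression the description reports.
bool AllowBoolean(const std::vector<Policy>& policies, const std::string& nonce) {
    for (const auto& p : policies) {
        if (p.report_only) continue;
        if (CheckScriptNonce(p, nonce) != Disposition::Allow) return false;
    }
    return true;
}

// Tri-state combination: any enforced Deny wins, NoPolicy defers to the
// remaining policies, and NoPolicy overall means the nonce decided nothing.
Disposition Combine(const std::vector<Policy>& policies, const std::string& nonce) {
    Disposition result = Disposition::NoPolicy;
    for (const auto& p : policies) {
        if (p.report_only) continue;
        Disposition d = CheckScriptNonce(p, nonce);
        if (d == Disposition::Deny) return Disposition::Deny;
        if (d == Disposition::Allow) result = Disposition::Allow;
    }
    return result;
}
```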
Patch Set 1 #
Total comments: 2
Patch Set 2 : Address estark's comments #
Messages
Total messages: 15 (7 generated)