| Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| index 9b2b21cf6d0836b52f9addbcf3a64d77d82464b6..a8337a8df390e92e0f5c4ad23955a52e56086473 100644
|
| --- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| +++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| @@ -300,19 +300,15 @@ bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOptio
|
| request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(), crossOrigin);
|
| request.setCharset(scriptCharset());
|
|
|
| - // Skip fetch-related CSP checks if the script element has a valid nonce, or if dynamically
|
| - // injected script is whitelisted and this script is not parser-inserted.
|
| + // Skip fetch-related CSP checks if dynamically injected script is whitelisted and this script is not parser-inserted.
|
| bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->contentSecurityPolicy()->allowDynamic());
|
| - bool scriptPassesCSPNonce = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
|
|
|
| - if (scriptPassesCSPDynamic)
|
| - UseCounter::count(elementDocument->frame(), UseCounter::ScriptPassesCSPDynamic);
|
| -
|
| - if (scriptPassesCSPNonce)
|
| - UseCounter::count(elementDocument->frame(), UseCounter::ScriptPassesCSPNonce);
|
| + request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
|
|
|
| - if (scriptPassesCSPDynamic || scriptPassesCSPNonce)
|
| + if (scriptPassesCSPDynamic) {
|
| + UseCounter::count(elementDocument->frame(), UseCounter::ScriptPassesCSPDynamic);
|
| request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
|
| + }
|
| request.setDefer(defer);
|
|
|
| String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityAttr);
|
| @@ -375,11 +371,10 @@ bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* com
|
|
|
| const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
|
| bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWorldCSP())
|
| - || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr))
|
| || csp->allowScriptWithHash(sourceCode.source().toString(), ContentSecurityPolicy::InlineType::Block)
|
| || (!isParserInserted() && csp->allowDynamic());
|
|
|
| - if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString()))) {
|
| + if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_element->fastGetAttribute(HTMLNames::nonceAttr), m_startLineNumber, sourceCode.source().toString()))) {
|
| return false;
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 2020223002:
Refactor nonce support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@inline