third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp - Issue 2020223002: Refactor nonce support.

Unified Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 2020223002: Refactor nonce support. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@inline

Patch Set: Rebase. Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/core/fetch/ScriptResource.h ('K') | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h ('k') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

index 88a1a283c59ca8a73b60b4dbfe3d79f794a6cf50..d90f9266bb2925e3255599e4c592c0aeadb5c845 100644

--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

@@ -120,7 +120,7 @@ bool CSPDirectiveList::checkInline(SourceListDirective* directive) const

return !directive || (directive->allowInline() && !directive->isHashOrNoncePresent());

}

-bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const

+bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, const String& nonce) const

{

return directive && directive->allowNonce(nonce);

}

@@ -320,19 +320,21 @@ bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const

return checkInline(operativeDirective(m_scriptSrc.get()));

}

-bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus, const String& content) const

+bool CSPDirectiveList::allowInlineScript(const String& contextURL, const String& nonce, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus, const String& content) const

{

- if (reportingStatus == ContentSecurityPolicy::SendReport) {

+ if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce))

+ return true;

+ if (reportingStatus == ContentSecurityPolicy::SendReport)

return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), "Refused to execute inline script because it violates the following Content Security Policy directive: ", contextURL, contextLine, true, getSha256String(content));

- }

return checkInline(operativeDirective(m_scriptSrc.get()));

}

-bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus, const String& content) const

+bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const String& nonce, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus, const String& content) const

{

- if (reportingStatus == ContentSecurityPolicy::SendReport) {

+ if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce))

+ return true;

+ if (reportingStatus == ContentSecurityPolicy::SendReport)

return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), "Refused to apply inline style because it violates the following Content Security Policy directive: ", contextURL, contextLine, false, getSha256String(content));

- }

return checkInline(operativeDirective(m_styleSrc.get()));

}

@@ -351,8 +353,10 @@ bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAtt

checkMediaType(m_pluginTypes.get(), type, typeAttribute);

}

-bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ResourceRequest::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const

+bool CSPDirectiveList::allowScriptFromSource(const KURL& url, const String& nonce, ResourceRequest::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const

{

+ if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce))

+ return true;

return reportingStatus == ContentSecurityPolicy::SendReport ? checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, ContentSecurityPolicy::ScriptSrc, redirectStatus) : checkSource(operativeDirective(m_scriptSrc.get()), url, redirectStatus);

}

@@ -382,8 +386,10 @@ bool CSPDirectiveList::allowImageFromSource(const KURL& url, ResourceRequest::Re

return reportingStatus == ContentSecurityPolicy::SendReport ? checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, ContentSecurityPolicy::ImgSrc, redirectStatus) : checkSource(operativeDirective(m_imgSrc.get()), url, redirectStatus);

}

-bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ResourceRequest::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const

+bool CSPDirectiveList::allowStyleFromSource(const KURL& url, const String& nonce, ResourceRequest::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const

{

+ if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce))

+ return true;

return reportingStatus == ContentSecurityPolicy::SendReport ? checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, ContentSecurityPolicy::StyleSrc, redirectStatus) : checkSource(operativeDirective(m_styleSrc.get()), url, redirectStatus);

}

@@ -427,22 +433,6 @@ bool CSPDirectiveList::allowAncestors(LocalFrame* frame, const KURL& url, Conten

return reportingStatus == ContentSecurityPolicy::SendReport ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, url) : checkAncestors(m_frameAncestors.get(), frame);

}

-CSPDirectiveList::NoncePolicyDisposition CSPDirectiveList::allowScriptNonce(const String& nonce) const

- SourceListDirective* directive = operativeDirective(m_scriptSrc.get());

- if (!directive)

- return NoncePolicyDisposition::NoDirective;

- return checkNonce(directive, nonce) ? NoncePolicyDisposition::Allowed : NoncePolicyDisposition::Denied;

-CSPDirectiveList::NoncePolicyDisposition CSPDirectiveList::allowStyleNonce(const String& nonce) const

- SourceListDirective* directive = operativeDirective(m_styleSrc.get());

- if (!directive)

- return NoncePolicyDisposition::NoDirective;

- return checkNonce(directive, nonce) ? NoncePolicyDisposition::Allowed : NoncePolicyDisposition::Denied;

bool CSPDirectiveList::allowScriptHash(const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type) const

{

if (type == ContentSecurityPolicy::InlineType::Attribute) {