CSP: Experimentally harden against nonce-stealing injections.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 11 matching lines @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/DOMStringList.h"
 #include "core/dom/Document.h"
+#include "core/dom/Element.h"
 #include "core/dom/SandboxFlags.h"
 #include "core/events/SecurityPolicyViolationEvent.h"
 #include "core/fetch/IntegrityMetadata.h"
 #include "core/frame/FrameClient.h"
 #include "core/frame/LocalDOMWindow.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/UseCounter.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/CSPSourceList.h"
@@ skipping 11 matching lines @@
 #include "platform/network/EncodedFormData.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/network/ResourceResponse.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/KnownPorts.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebAddressSpace.h"
 #include "public/platform/WebURLRequest.h"
+#include "wtf/NotFound.h"
 #include "wtf/PtrUtil.h"
 #include "wtf/StringHasher.h"
 #include "wtf/text/ParsingUtilities.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringUTF8Adaptor.h"
 #include <memory>
 
 namespace blink {
 
 // CSP Level 1 Directives
@@ skipping 55 matching lines @@
         || equalIgnoringCase(name, PluginTypes)
         || equalIgnoringCase(name, ReflectedXSS)
         || equalIgnoringCase(name, Referrer)
         || equalIgnoringCase(name, ManifestSrc)
         || equalIgnoringCase(name, BlockAllMixedContent)
         || equalIgnoringCase(name, UpgradeInsecureRequests)
         || equalIgnoringCase(name, TreatAsPublicAddress)
         || equalIgnoringCase(name, RequireSRIFor));
 }
 
+bool ContentSecurityPolicy::isNonceableElement(const Element* element)
+{
+    if (!element->fastHasAttribute(HTMLNames::nonceAttr))
+        return false;
+
+    bool nonceable = true;
+
+    DEFINE_STATIC_LOCAL(AtomicString, scriptString, ("<script"));

[jww, 2016/08/19 19:23:00]

What about whitespace (e.g. "< script"), albeit perhaps uncommon? Also, aren't
style elements also a concern?

In general, this seems very brittle, so I'm concerned that we're not really
solving the issue here. I'd love a comment explaining exactly what we're trying
to prevent, and if we expect it to be complete or a "best effort," sort of like
the XSS auditor.

+    for (const Attribute& attr : element->attributes()) {
+        if (attr.name().localName().findIgnoringASCIICase(scriptString) != WTF::kNotFound
+            || attr.value().findIgnoringASCIICase(scriptString) != WTF::kNotFound) {
+            nonceable = false;
+            break;
+        }
+    }
+
+    UseCounter::count(element->document(), nonceable ? UseCounter::CleanScriptElementWithNonce : UseCounter::PotentiallyInjectedScriptElementWithNonce);
+    return nonceable;
+}
+
 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
 {
     switch (type) {
     case ContentSecurityPolicyHeaderTypeEnforce:
         return UseCounter::ContentSecurityPolicy;
     case ContentSecurityPolicyHeaderTypeReport:
         return UseCounter::ContentSecurityPolicyReportOnly;
     }
     ASSERT_NOT_REACHED();
     return UseCounter::NumberOfFeatures;
@@ skipping 982 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink