
Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2260103003: CSP: Experimentally harden against nonce-stealing injections. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: aaj@ Created 4 years, 4 months ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index a067f38e631590fa6047db724bfee1ed00187d7e..b0eff9003490465d9fd15f8f576de651d8fdea8c 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -29,6 +29,7 @@
#include "bindings/core/v8/SourceLocation.h"
#include "core/dom/DOMStringList.h"
#include "core/dom/Document.h"
+#include "core/dom/Element.h"
#include "core/dom/SandboxFlags.h"
#include "core/events/SecurityPolicyViolationEvent.h"
#include "core/fetch/IntegrityMetadata.h"
@@ -60,6 +61,7 @@
#include "public/platform/Platform.h"
#include "public/platform/WebAddressSpace.h"
#include "public/platform/WebURLRequest.h"
+#include "wtf/NotFound.h"
#include "wtf/PtrUtil.h"
#include "wtf/StringHasher.h"
#include "wtf/text/ParsingUtilities.h"
@@ -135,6 +137,26 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name)
|| equalIgnoringCase(name, RequireSRIFor));
}
+bool ContentSecurityPolicy::isNonceableElement(const Element* element)
+{
+ if (!element->fastHasAttribute(HTMLNames::nonceAttr))
+ return false;
+
+ bool nonceable = true;
+
+ DEFINE_STATIC_LOCAL(AtomicString, scriptString, ("<script"));
jww 2016/08/19 19:23:00 What about whitespace (e.g. "< script"), albeit pe
+ for (const Attribute& attr : element->attributes()) {
+ if (attr.name().localName().findIgnoringASCIICase(scriptString) != WTF::kNotFound
+ || attr.value().findIgnoringASCIICase(scriptString) != WTF::kNotFound) {
+ nonceable = false;
+ break;
+ }
+ }
+
+ UseCounter::count(element->document(), nonceable ? UseCounter::CleanScriptElementWithNonce : UseCounter::PotentiallyInjectedScriptElementWithNonce);
+ return nonceable;
+}
+
static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
{
switch (type) {
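Review bot: isNonceableElement has no comment explaining why a `<script` substring in an attribute name or value makes the element non-nonceable, and that heuristic cannot be recovered from the loop alone. Going by the issue title, a comment above the loop along the lines of `// "<script" inside an attribute suggests a following tag was absorbed by injected markup; do not honor the nonce.` would record the intent. The function's header comment should also say that every call past the early return records a UseCounter, since the `is…` name reads as a side-effect-free predicate. `element` is dereferenced on the first line without a check; if callers can pass null (not visible in this hunk), a `DCHECK(element);` would state the contract.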
