Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
index a067f38e631590fa6047db724bfee1ed00187d7e..b0eff9003490465d9fd15f8f576de651d8fdea8c 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
@@ -29,6 +29,7 @@ |
#include "bindings/core/v8/SourceLocation.h" |
#include "core/dom/DOMStringList.h" |
#include "core/dom/Document.h" |
+#include "core/dom/Element.h" |
#include "core/dom/SandboxFlags.h" |
#include "core/events/SecurityPolicyViolationEvent.h" |
#include "core/fetch/IntegrityMetadata.h" |
@@ -60,6 +61,7 @@ |
#include "public/platform/Platform.h" |
#include "public/platform/WebAddressSpace.h" |
#include "public/platform/WebURLRequest.h" |
+#include "wtf/NotFound.h" |
#include "wtf/PtrUtil.h" |
#include "wtf/StringHasher.h" |
#include "wtf/text/ParsingUtilities.h" |
@@ -135,6 +137,26 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name) |
|| equalIgnoringCase(name, RequireSRIFor)); |
} |
+bool ContentSecurityPolicy::isNonceableElement(const Element* element) |
+{ |
+ if (!element->fastHasAttribute(HTMLNames::nonceAttr)) |
+ return false; |
+ |
+ bool nonceable = true; |
+ |
+ DEFINE_STATIC_LOCAL(AtomicString, scriptString, ("<script")); |
jww
2016/08/19 19:23:00
What about whitespace (e.g. "< script"), albeit pe
|
+ for (const Attribute& attr : element->attributes()) { |
+ if (attr.name().localName().findIgnoringASCIICase(scriptString) != WTF::kNotFound |
+ || attr.value().findIgnoringASCIICase(scriptString) != WTF::kNotFound) { |
+ nonceable = false; |
+ break; |
+ } |
+ } |
+ |
+ UseCounter::count(element->document(), nonceable ? UseCounter::CleanScriptElementWithNonce : UseCounter::PotentiallyInjectedScriptElementWithNonce); |
+ return nonceable; |
+} |
+ |
static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type) |
{ |
switch (type) { |
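Review bot: The attribute loop in isNonceableElement has no comment explaining why a `<script` substring in an attribute name or value makes a nonce-bearing element non-nonceable, and that reasoning is the security point of the function. A short comment above the loop would do, for example `// An attribute containing "<script" suggests this start tag was left open by injected markup and absorbed a later, legitimately nonced <script>; do not honor the nonce.`, assuming that is the intended threat. Separately, the predicate records a UseCounter on every call, so a caller that queries the same element twice would count it twice. The callers are not visible in this hunk, so either document that or move the counting to the call site. `element` is also dereferenced unchecked on the first line of the body; if null is never valid, taking `const Element&` or asserting non-null would make that contract explicit.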