third_party/WebKit/Source/core/dom/ScriptLoader.cpp - Issue 2260103003: CSP: Experimentally harden against nonce-stealing injections.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Issue 2260103003: CSP: Experimentally harden against nonce-stealing injections. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: yoav@ Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php ('k') | third_party/WebKit/Source/core/frame/UseCounter.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp

diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp

index 471a724b2edecac67d544a5c94e8991e2f113b74..ed5c0f3b2cb0978ec4f3a670470b771a4cfc23eb 100644

--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp

+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp

@@ -302,7 +302,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOptio

// Skip fetch-related CSP checks if dynamically injected script is whitelisted and this script is not parser-inserted.

bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->contentSecurityPolicy()->allowDynamic());

- request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));

+ if (ContentSecurityPolicy::isNonceableElement(m_element.get()))

+ request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));

if (scriptPassesCSPDynamic) {

UseCounter::count(elementDocument->frame(), UseCounter::ScriptPassesCSPDynamic);

@@ -373,7 +374,8 @@ bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)

|| csp->allowScriptWithHash(sourceCode.source(), ContentSecurityPolicy::InlineType::Block)

|| (!isParserInserted() && csp->allowDynamic());

- if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_element->fastGetAttribute(HTMLNames::nonceAttr), m_startLineNumber, sourceCode.source()))) {

+ AtomicString nonce = ContentSecurityPolicy::isNonceableElement(m_element.get()) ? m_element->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();

+ if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), nonce, m_startLineNumber, sourceCode.source()))) {

return false;

}