Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(25)

Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2260103003: CSP: Experimentally harden against nonce-stealing injections. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: yoav@ Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 92920a39a22e4302c5a619b9b72cad197a7ebace..492e74575f3980a0ee6156e659baf3b39a7742ad 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -29,6 +29,7 @@
#include "bindings/core/v8/SourceLocation.h"
#include "core/dom/DOMStringList.h"
#include "core/dom/Document.h"
+#include "core/dom/Element.h"
#include "core/dom/SandboxFlags.h"
#include "core/events/SecurityPolicyViolationEvent.h"
#include "core/fetch/IntegrityMetadata.h"
@@ -60,6 +61,7 @@
#include "public/platform/Platform.h"
#include "public/platform/WebAddressSpace.h"
#include "public/platform/WebURLRequest.h"
+#include "wtf/NotFound.h"
#include "wtf/PtrUtil.h"
#include "wtf/StringHasher.h"
#include "wtf/text/ParsingUtilities.h"
@@ -135,6 +137,38 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name)
|| equalIgnoringCase(name, RequireSRIFor));
}
+bool ContentSecurityPolicy::isNonceableElement(const Element* element)
+{
+ if (!element->fastHasAttribute(HTMLNames::nonceAttr))
+ return false;
+
+ bool nonceable = true;
+
+ // To prevent an attacker from hijacking an existing nonce via a dangling markup injection,
+ // we walk through the attributes of each nonced script element: if their names or values
+ // contain "<script" or "<style", we won't apply the nonce when loading script.
+ //
+ // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example of the kind
+ // of attack this is aimed at mitigating.
+ DEFINE_STATIC_LOCAL(AtomicString, scriptString, ("<script"));
+ DEFINE_STATIC_LOCAL(AtomicString, styleString, ("<style"));
+ for (const Attribute& attr : element->attributes()) {
+ AtomicString name = attr.localName().lowerASCII();
+ AtomicString value = attr.value().lowerASCII();
+ if (name.find(scriptString) != WTF::kNotFound || name.find(styleString) != WTF::kNotFound
+ || value.find(scriptString) != WTF::kNotFound || value.find(styleString) != WTF::kNotFound) {
+ nonceable = false;
+ break;
+ }
+ }
+
+ UseCounter::count(element->document(), nonceable ? UseCounter::CleanScriptElementWithNonce : UseCounter::PotentiallyInjectedScriptElementWithNonce);
+
+ // This behavior is locked behind the experimental flag for the moment; if we
+ // decide to ship it, drop this check. https://crbug.com/639293
+ return !RuntimeEnabledFeatures::experimentalContentSecurityPolicyFeaturesEnabled() || nonceable;
+}
+
static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
{
switch (type) {
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698