third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp - Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies.

Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies. (Closed)

Patch Set: Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h ('K') | « third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h ('k') | third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

index 5e9a939b06e3bb280540b4a91c2a5da21a7a94aa..b37d950fc6acee908a3731c75db2d8f06f1b63ea 100644

--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

@@ -529,6 +529,30 @@ bool isAllowedByAllWithURLWithNonce(

return isAllowed;

}

+template <bool (CSPDirectiveList::*allowFromURLWithNonceAndParser)(

+ const KURL&,

+ const String& nonce,

+ ParserDisposition parserDisposition,

+ RedirectStatus,

+ ContentSecurityPolicy::ReportingStatus) const>

+bool isAllowedByAllWithURLNonceAndParser(

+ const CSPDirectiveListVector& policies,

+ const KURL& url,

+ const String& nonce,

+ ParserDisposition parserDisposition,

+ RedirectStatus redirectStatus,

+ ContentSecurityPolicy::ReportingStatus reportingStatus) {

+ if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))

+ return true;

+ bool isAllowed = true;

+ for (const auto& policy : policies) {

+ isAllowed &= (policy.get()->*allowFromURLWithNonceAndParser)(

+ url, nonce, parserDisposition, redirectStatus, reportingStatus);

+ }

+ return isAllowed;

template <bool (CSPDirectiveList::*allowed)(

LocalFrame*,

const KURL&,

@@ -705,11 +729,13 @@ bool ContentSecurityPolicy::allowPluginTypeForDocument(

bool ContentSecurityPolicy::allowScriptFromSource(

const KURL& url,

const String& nonce,

+ ParserDisposition parserDisposition,

RedirectStatus redirectStatus,

ContentSecurityPolicy::ReportingStatus reportingStatus) const {

- return isAllowedByAllWithURLWithNonce<

+ return isAllowedByAllWithURLNonceAndParser<

&CSPDirectiveList::allowScriptFromSource>(

- m_policies, url, nonce, redirectStatus, reportingStatus);

+ m_policies, url, nonce, parserDisposition, redirectStatus,

+ reportingStatus);

}

bool ContentSecurityPolicy::allowScriptWithHash(const String& source,

@@ -742,6 +768,7 @@ bool ContentSecurityPolicy::allowRequest(

const KURL& url,

const String& nonce,

const IntegrityMetadataSet& integrityMetadata,

+ ParserDisposition parserDisposition,

RedirectStatus redirectStatus,

ReportingStatus reportingStatus) const {

if (integrityMetadata.isEmpty() &&

@@ -775,9 +802,11 @@ bool ContentSecurityPolicy::allowRequest(

return allowChildFrameFromSource(url, redirectStatus, reportingStatus);

case WebURLRequest::RequestContextImport:

case WebURLRequest::RequestContextScript:

- return allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);

+ return allowScriptFromSource(url, nonce, parserDisposition,

+ redirectStatus, reportingStatus);

case WebURLRequest::RequestContextXSLT:

- return allowScriptFromSource(url, nonce, redirectStatus, reportingStatus);

+ return allowScriptFromSource(url, nonce, parserDisposition,

+ redirectStatus, reportingStatus);

case WebURLRequest::RequestContextManifest:

return allowManifestFromSource(url, redirectStatus, reportingStatus);

case WebURLRequest::RequestContextServiceWorker:

@@ -900,11 +929,13 @@ bool ContentSecurityPolicy::allowWorkerContextFromSource(

UseCounter::count(*document, UseCounter::WorkerSubjectToCSP);

if (isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>(

m_policies, url, redirectStatus, SuppressReport) &&

- !isAllowedByAllWithURLWithNonce<

+ !isAllowedByAllWithURLNonceAndParser<

&CSPDirectiveList::allowScriptFromSource>(

- m_policies, url, AtomicString(), redirectStatus, SuppressReport))

+ m_policies, url, AtomicString(), NotParserInserted, redirectStatus,

+ SuppressReport)) {

UseCounter::count(*document,

UseCounter::WorkerAllowedByChildBlockedByScript);

+ }

}

return isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>(