| Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| index d501f9bbe8cf94dc2ef1ebf0f6b6d96467255f76..eef9c62fb00e3d4e9e96e65f3443fd979bbb851b 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| @@ -163,11 +163,6 @@ bool CSPDirectiveList::checkEval(SourceListDirective* directive) const {
|
| return !directive || directive->allowEval();
|
| }
|
|
|
| -bool CSPDirectiveList::checkInline(SourceListDirective* directive) const {
|
| - return !directive ||
|
| - (directive->allowInline() && !directive->isHashOrNoncePresent());
|
| -}
|
| -
|
| bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive,
|
| const String& nonce) const {
|
| return directive && directive->allowNonce(nonce);
|
| @@ -385,7 +380,7 @@ bool CSPDirectiveList::checkInlineAndReportViolation(
|
| const WTF::OrdinalNumber& contextLine,
|
| bool isScript,
|
| const String& hashValue) const {
|
| - if (checkInline(directive))
|
| + if (!directive || directive->allowAllInline())
|
| return true;
|
|
|
| String suffix = String();
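Review bot: The expression introduced on the `+ if (!directive || directive->allowAllInline())` line is repeated verbatim as the fall-through return in allowJavaScriptURLs, allowInlineEventHandlers, allowInlineScript and allowInlineStyle (hunks at -507, -529, -548 and -563), so the "no directive means allowed" rule now lives in five places instead of the helper the first hunk deletes. Keeping a one-line private helper, `bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { return !directive || directive->allowAllInline(); }`, would let each call site read `return checkInline(directive);` and leave one place to adjust if the allow-by-absence rule ever changes. The deleted helper also refused inline content when a hash or nonce was present alongside allowInline(); the new code relies on allowAllInline() carrying that rule, which is not visible here, so naming that dependency in a comment at this call site (once confirmed against SourceListDirective) would keep the next reader from reintroducing the old check. checkInlineAndReportViolation begins and ends outside this hunk.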
|
| @@ -507,14 +502,16 @@ bool CSPDirectiveList::allowJavaScriptURLs(
|
| const String& contextURL,
|
| const WTF::OrdinalNumber& contextLine,
|
| ContentSecurityPolicy::ReportingStatus reportingStatus) const {
|
| + SourceListDirective* directive = operativeDirective(m_scriptSrc.get());
|
| if (reportingStatus == ContentSecurityPolicy::SendReport) {
|
| return checkInlineAndReportViolation(
|
| - operativeDirective(m_scriptSrc.get()),
|
| + directive,
|
| "Refused to execute JavaScript URL because it violates the following "
|
| "Content Security Policy directive: ",
|
| element, contextURL, contextLine, true, "sha256-...");
|
| }
|
| - return checkInline(operativeDirective(m_scriptSrc.get()));
|
| +
|
| + return !directive || directive->allowAllInline();
|
| }
|
|
|
| bool CSPDirectiveList::allowInlineEventHandlers(
|
| @@ -522,6 +519,7 @@ bool CSPDirectiveList::allowInlineEventHandlers(
|
| const String& contextURL,
|
| const WTF::OrdinalNumber& contextLine,
|
| ContentSecurityPolicy::ReportingStatus reportingStatus) const {
|
| + SourceListDirective* directive = operativeDirective(m_scriptSrc.get());
|
| if (reportingStatus == ContentSecurityPolicy::SendReport) {
|
| return checkInlineAndReportViolation(
|
| operativeDirective(m_scriptSrc.get()),
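Review bot: The new `directive` local on the `+ SourceListDirective* directive = ...` line is not used by the SendReport branch, which still passes `operativeDirective(m_scriptSrc.get()),` to checkInlineAndReportViolation on the last line of this hunk, unlike the parallel edits in allowJavaScriptURLs, allowInlineScript and allowInlineStyle. Replacing that argument with `directive,` makes the function consistent with its siblings and avoids resolving the operative directive twice on the reporting path. allowInlineEventHandlers starts before this hunk, and its return statement, which does use `directive`, is in the next hunk.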
|
| @@ -529,7 +527,8 @@ bool CSPDirectiveList::allowInlineEventHandlers(
|
| "following Content Security Policy directive: ",
|
| element, contextURL, contextLine, true, "sha256-...");
|
| }
|
| - return checkInline(operativeDirective(m_scriptSrc.get()));
|
| +
|
| + return !directive || directive->allowAllInline();
|
| }
|
|
|
| bool CSPDirectiveList::allowInlineScript(
|
| @@ -539,7 +538,8 @@ bool CSPDirectiveList::allowInlineScript(
|
| const WTF::OrdinalNumber& contextLine,
|
| ContentSecurityPolicy::ReportingStatus reportingStatus,
|
| const String& content) const {
|
| - if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce))
|
| + SourceListDirective* directive = operativeDirective(m_scriptSrc.get());
|
| + if (isMatchingNoncePresent(directive, nonce))
|
| return true;
|
| if (element && isHTMLScriptElement(element) &&
|
| !toHTMLScriptElement(element)->loader()->isParserInserted() &&
|
| @@ -548,12 +548,13 @@ bool CSPDirectiveList::allowInlineScript(
|
| }
|
| if (reportingStatus == ContentSecurityPolicy::SendReport) {
|
| return checkInlineAndReportViolation(
|
| - operativeDirective(m_scriptSrc.get()),
|
| + directive,
|
| "Refused to execute inline script because it violates the following "
|
| "Content Security Policy directive: ",
|
| element, contextURL, contextLine, true, getSha256String(content));
|
| }
|
| - return checkInline(operativeDirective(m_scriptSrc.get()));
|
| +
|
| + return !directive || directive->allowAllInline();
|
| }
|
|
|
| bool CSPDirectiveList::allowInlineStyle(
|
| @@ -563,16 +564,18 @@ bool CSPDirectiveList::allowInlineStyle(
|
| const WTF::OrdinalNumber& contextLine,
|
| ContentSecurityPolicy::ReportingStatus reportingStatus,
|
| const String& content) const {
|
| - if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce))
|
| + SourceListDirective* directive = operativeDirective(m_styleSrc.get());
|
| + if (isMatchingNoncePresent(directive, nonce))
|
| return true;
|
| if (reportingStatus == ContentSecurityPolicy::SendReport) {
|
| return checkInlineAndReportViolation(
|
| - operativeDirective(m_styleSrc.get()),
|
| + directive,
|
| "Refused to apply inline style because it violates the following "
|
| "Content Security Policy directive: ",
|
| element, contextURL, contextLine, false, getSha256String(content));
|
| }
|
| - return checkInline(operativeDirective(m_styleSrc.get()));
|
| +
|
| + return !directive || directive->allowAllInline();
|
| }
|
|
|
| bool CSPDirectiveList::allowEval(
|
|
|