Index: third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
index 79cbfa20062664e1c59f98a8965f8009ef47324e..a007e9ee320eee6dc7430eb8dccde6e947838b08 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
@@ -607,12 +607,17 @@ bool SourceListDirective::subsumes( |
normalizedB.append(other[0]->m_policy->getSelfSource()); |
bool allowInlineOther = other[0]->m_allowInline; |
+ bool allowEvalOther = other[0]->m_allowEval; |
bool allowDynamicOther = other[0]->m_allowDynamic; |
+ bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
for (size_t i = 1; i < other.size(); i++) { |
allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
+ allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
+ allowHashedAttributesOther = |
+ allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
isHashOrNoncePresentOther = |
isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
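Review bot: The new `allowEvalOther` and `allowHashedAttributesOther` flags are folded across `other` with `&&`, but nothing says why intersection is the right combination. Anyone auditing the subsumption result needs that stated. I would add, above the first flag, `// A keyword counts as granted by |other| only if every policy in the list grants it.` The `other[0]` reads also depend on an emptiness check that is presumably earlier in subsumes(), whose body starts before this hunk and continues past it.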
@@ -620,12 +625,23 @@ bool SourceListDirective::subsumes( |
const ContentSecurityPolicy::DirectiveType type = |
ContentSecurityPolicy::getDirectiveType(m_directiveName); |
- bool allowAllInlineOther = |
- allowInlineOther && !isHashOrNoncePresentOther && |
- (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
- !allowDynamicOther); |
- if (!allowAllInline() && allowAllInlineOther) |
- return false; |
+ if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || |
+ type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
+ if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc && |
Mike West
2016/11/29 12:05:48
Default? Or is |type| the effective directive here
amalika
2016/11/29 13:37:45
Yes! It is only the operative directive. On CSPDir
|
+ !m_allowDynamic && !allowAllInline() && allowDynamicOther) { |
+ return false; |
+ } |
+ if (!m_allowEval && allowEvalOther) |
+ return false; |
+ if (!m_allowHashedAttributes && allowHashedAttributesOther) |
+ return false; |
+ bool allowAllInlineOther = |
+ allowInlineOther && !isHashOrNoncePresentOther && |
+ (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
+ !allowDynamicOther); |
+ if (!allowAllInline() && allowAllInlineOther) |
+ return false; |
+ } |
return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
} |
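Review bot: The `!allowAllInline()` term in the 'strict-dynamic' guard looks too permissive: when this directive allows all inline script but does not set `m_allowDynamic`, the guard is skipped even though `allowDynamicOther` is true. 'unsafe-inline' on this side does not appear to cover what 'strict-dynamic' grants on the other side, so the result would then rest only on `CSPSource::firstSubsumesSecond(normalizedA, normalizedB)`, which compares host sources. Unless a later check outside this hunk handles that case, I would reduce the condition to `type == ContentSecurityPolicy::DirectiveType::ScriptSrc && !m_allowDynamic && allowDynamicOther`. If the exemption is intentional, a comment above the `if` should say why an all-inline policy may subsume a 'strict-dynamic' one. subsumes() begins outside this hunk, so the earlier early-return paths are not visible here.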