| OLD | NEW |
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 26 matching lines...) |
| 37 #include "core/events/SecurityPolicyViolationEvent.h" | 37 #include "core/events/SecurityPolicyViolationEvent.h" |
| 38 #include "core/fetch/IntegrityMetadata.h" | 38 #include "core/fetch/IntegrityMetadata.h" |
| 39 #include "core/frame/FrameClient.h" | 39 #include "core/frame/FrameClient.h" |
| 40 #include "core/frame/LocalDOMWindow.h" | 40 #include "core/frame/LocalDOMWindow.h" |
| 41 #include "core/frame/LocalFrame.h" | 41 #include "core/frame/LocalFrame.h" |
| 42 #include "core/frame/UseCounter.h" | 42 #include "core/frame/UseCounter.h" |
| 43 #include "core/frame/csp/CSPDirectiveList.h" | 43 #include "core/frame/csp/CSPDirectiveList.h" |
| 44 #include "core/frame/csp/CSPSource.h" | 44 #include "core/frame/csp/CSPSource.h" |
| 45 #include "core/frame/csp/MediaListDirective.h" | 45 #include "core/frame/csp/MediaListDirective.h" |
| 46 #include "core/frame/csp/SourceListDirective.h" | 46 #include "core/frame/csp/SourceListDirective.h" |
| 47 #include "core/html/HTMLScriptElement.h" |
| 47 #include "core/inspector/ConsoleMessage.h" | 48 #include "core/inspector/ConsoleMessage.h" |
| 48 #include "core/inspector/InspectorInstrumentation.h" | 49 #include "core/inspector/InspectorInstrumentation.h" |
| 49 #include "core/loader/DocumentLoader.h" | 50 #include "core/loader/DocumentLoader.h" |
| 50 #include "core/loader/FrameLoaderClient.h" | 51 #include "core/loader/FrameLoaderClient.h" |
| 51 #include "core/loader/PingLoader.h" | 52 #include "core/loader/PingLoader.h" |
| 52 #include "core/workers/WorkerGlobalScope.h" | 53 #include "core/workers/WorkerGlobalScope.h" |
| 53 #include "platform/RuntimeEnabledFeatures.h" | 54 #include "platform/RuntimeEnabledFeatures.h" |
| 54 #include "platform/json/JSONValues.h" | 55 #include "platform/json/JSONValues.h" |
| 55 #include "platform/network/ContentSecurityPolicyParsers.h" | 56 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 56 #include "platform/network/ContentSecurityPolicyResponseHeaders.h" | 57 #include "platform/network/ContentSecurityPolicyResponseHeaders.h" |
| (...skipping 11 matching lines...) |
| 68 #include "wtf/PtrUtil.h" | 69 #include "wtf/PtrUtil.h" |
| 69 #include "wtf/StringHasher.h" | 70 #include "wtf/StringHasher.h" |
| 70 #include "wtf/text/ParsingUtilities.h" | 71 #include "wtf/text/ParsingUtilities.h" |
| 71 #include "wtf/text/StringBuilder.h" | 72 #include "wtf/text/StringBuilder.h" |
| 72 #include "wtf/text/StringUTF8Adaptor.h" | 73 #include "wtf/text/StringUTF8Adaptor.h" |
| 73 #include <memory> | 74 #include <memory> |
| 74 | 75 |
| 75 namespace blink { | 76 namespace blink { |
| 76 | 77 |
| 77 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { | 78 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { |
| 78 if (!element->fastHasAttribute(HTMLNames::nonceAttr)) | 79 if (RuntimeEnabledFeatures::hideNonceContentAttributeEnabled() && |
| 80 isHTMLScriptElement(element)) { |
| 81 if (toHTMLScriptElement(element)->nonce().isNull()) |
| 82 return false; |
| 83 } else if (!element->fastHasAttribute(HTMLNames::nonceAttr)) { |
| 79 return false; | 84 return false; |
| 85 } |
| 80 | 86 |
| 81 bool nonceable = true; | 87 bool nonceable = true; |
| 82 | 88 |
| 83 // To prevent an attacker from hijacking an existing nonce via a dangling | 89 // To prevent an attacker from hijacking an existing nonce via a dangling |
| 84 // markup injection, we walk through the attributes of each nonced script | 90 // markup injection, we walk through the attributes of each nonced script |
| 85 // element: if their names or values contain "<script" or "<style", we won't | 91 // element: if their names or values contain "<script" or "<style", we won't |
| 86 // apply the nonce when loading script. | 92 // apply the nonce when loading script. |
| 87 // | 93 // |
| 88 // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example | 94 // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example |
| 89 // of the kind of attack this is aimed at mitigating. | 95 // of the kind of attack this is aimed at mitigating. |
| (...skipping 1516 matching lines...) |
| 1606 CSPDirectiveListVector otherVector; | 1612 CSPDirectiveListVector otherVector; |
| 1607 for (const auto& policy : other.m_policies) { | 1613 for (const auto& policy : other.m_policies) { |
| 1608 if (!policy->isReportOnly()) | 1614 if (!policy->isReportOnly()) |
| 1609 otherVector.push_back(policy); | 1615 otherVector.push_back(policy); |
| 1610 } | 1616 } |
| 1611 | 1617 |
| 1612 return m_policies[0]->subsumes(otherVector); | 1618 return m_policies[0]->subsumes(otherVector); |
| 1613 } | 1619 } |
| 1614 | 1620 |
| 1615 } // namespace blink | 1621 } // namespace blink |
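Review bot: The new flag branch in `isNonceableElement` (new lines 79–85) has no comment saying why a script element is now gated on `nonce().isNull()` instead of the content attribute, or why only `HTMLScriptElement` takes that path. Every other element still falls through to `fastHasAttribute(HTMLNames::nonceAttr)`, so if nonce hiding is later extended to other nonce-bearing elements (the comment below mentions "<style") without updating this check, those elements would presumably be refused silently with the flag on; that fails closed, but it is easy to miss. I would add above the branch something like `// With hideNonceContentAttribute enabled, a script's nonce is read from the element itself and may no longer be present as a content attribute; all other elements still use the attribute.` The comment should also say whether an empty, non-null nonce is meant to pass this gate, since `isNull()` lets it through. The rest of the function is collapsed on this page, so this covers only the visible lines.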
| OLD | NEW |