OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 26 matching lines...) Expand all Loading... |
37 #include "core/events/SecurityPolicyViolationEvent.h" | 37 #include "core/events/SecurityPolicyViolationEvent.h" |
38 #include "core/fetch/IntegrityMetadata.h" | 38 #include "core/fetch/IntegrityMetadata.h" |
39 #include "core/frame/FrameClient.h" | 39 #include "core/frame/FrameClient.h" |
40 #include "core/frame/LocalDOMWindow.h" | 40 #include "core/frame/LocalDOMWindow.h" |
41 #include "core/frame/LocalFrame.h" | 41 #include "core/frame/LocalFrame.h" |
42 #include "core/frame/UseCounter.h" | 42 #include "core/frame/UseCounter.h" |
43 #include "core/frame/csp/CSPDirectiveList.h" | 43 #include "core/frame/csp/CSPDirectiveList.h" |
44 #include "core/frame/csp/CSPSource.h" | 44 #include "core/frame/csp/CSPSource.h" |
45 #include "core/frame/csp/MediaListDirective.h" | 45 #include "core/frame/csp/MediaListDirective.h" |
46 #include "core/frame/csp/SourceListDirective.h" | 46 #include "core/frame/csp/SourceListDirective.h" |
| 47 #include "core/html/HTMLScriptElement.h" |
47 #include "core/inspector/ConsoleMessage.h" | 48 #include "core/inspector/ConsoleMessage.h" |
48 #include "core/inspector/InspectorInstrumentation.h" | 49 #include "core/inspector/InspectorInstrumentation.h" |
49 #include "core/loader/DocumentLoader.h" | 50 #include "core/loader/DocumentLoader.h" |
50 #include "core/loader/FrameLoaderClient.h" | 51 #include "core/loader/FrameLoaderClient.h" |
51 #include "core/loader/PingLoader.h" | 52 #include "core/loader/PingLoader.h" |
52 #include "core/workers/WorkerGlobalScope.h" | 53 #include "core/workers/WorkerGlobalScope.h" |
53 #include "platform/RuntimeEnabledFeatures.h" | 54 #include "platform/RuntimeEnabledFeatures.h" |
54 #include "platform/json/JSONValues.h" | 55 #include "platform/json/JSONValues.h" |
55 #include "platform/network/ContentSecurityPolicyParsers.h" | 56 #include "platform/network/ContentSecurityPolicyParsers.h" |
56 #include "platform/network/ContentSecurityPolicyResponseHeaders.h" | 57 #include "platform/network/ContentSecurityPolicyResponseHeaders.h" |
(...skipping 11 matching lines...) Expand all Loading... |
68 #include "wtf/PtrUtil.h" | 69 #include "wtf/PtrUtil.h" |
69 #include "wtf/StringHasher.h" | 70 #include "wtf/StringHasher.h" |
70 #include "wtf/text/ParsingUtilities.h" | 71 #include "wtf/text/ParsingUtilities.h" |
71 #include "wtf/text/StringBuilder.h" | 72 #include "wtf/text/StringBuilder.h" |
72 #include "wtf/text/StringUTF8Adaptor.h" | 73 #include "wtf/text/StringUTF8Adaptor.h" |
73 #include <memory> | 74 #include <memory> |
74 | 75 |
75 namespace blink { | 76 namespace blink { |
76 | 77 |
77 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { | 78 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { |
78 if (!element->fastHasAttribute(HTMLNames::nonceAttr)) | 79 if (RuntimeEnabledFeatures::hideNonceContentAttributeEnabled() && |
| 80 isHTMLScriptElement(element)) { |
| 81 if (toHTMLScriptElement(element)->nonce().isNull()) |
| 82 return false; |
| 83 } else if (!element->fastHasAttribute(HTMLNames::nonceAttr)) { |
79 return false; | 84 return false; |
| 85 } |
80 | 86 |
81 bool nonceable = true; | 87 bool nonceable = true; |
82 | 88 |
83 // To prevent an attacker from hijacking an existing nonce via a dangling | 89 // To prevent an attacker from hijacking an existing nonce via a dangling |
84 // markup injection, we walk through the attributes of each nonced script | 90 // markup injection, we walk through the attributes of each nonced script |
85 // element: if their names or values contain "<script" or "<style", we won't | 91 // element: if their names or values contain "<script" or "<style", we won't |
86 // apply the nonce when loading script. | 92 // apply the nonce when loading script. |
87 // | 93 // |
88 // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example | 94 // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example |
89 // of the kind of attack this is aimed at mitigating. | 95 // of the kind of attack this is aimed at mitigating. |
(...skipping 1516 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1606 CSPDirectiveListVector otherVector; | 1612 CSPDirectiveListVector otherVector; |
1607 for (const auto& policy : other.m_policies) { | 1613 for (const auto& policy : other.m_policies) { |
1608 if (!policy->isReportOnly()) | 1614 if (!policy->isReportOnly()) |
1609 otherVector.push_back(policy); | 1615 otherVector.push_back(policy); |
1610 } | 1616 } |
1611 | 1617 |
1612 return m_policies[0]->subsumes(otherVector); | 1618 return m_policies[0]->subsumes(otherVector); |
1613 } | 1619 } |
1614 | 1620 |
1615 } // namespace blink | 1621 } // namespace blink |
OLD | NEW |