Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
index 7b3915aaac0eec2ae7e42d89ecbea6a1915a3734..ad91f9dc9d92335c7aeb0b8ea2deba54d71818dc 100644 |
--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
@@ -347,10 +347,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl, |
crossOrigin); |
request.setCharset(scriptCharset()); |
- if (ContentSecurityPolicy::isNonceableElement(m_element.get())) { |
- request.setContentSecurityPolicyNonce( |
- m_element->fastGetAttribute(HTMLNames::nonceAttr)); |
- } |
+ if (ContentSecurityPolicy::isNonceableElement(m_element.get())) |
+ request.setContentSecurityPolicyNonce(client()->nonce()); |
request.setParserDisposition(isParserInserted() ? ParserInserted |
: NotParserInserted); |
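Review bot: Neither new call site explains why the nonce is now read through `client()->nonce()` rather than from the `nonce` content attribute, here or in the second hunk in doExecuteScript. Because the third hunk clears the value after execution behind `hideNonceContentAttributeEnabled`, the client's copy appears to be the only dependable source. A later edit that returns to `fastGetAttribute(HTMLNames::nonceAttr)` could quietly break CSP nonce matching. A one-line comment above the `if` would guard against that, for example `// Read the nonce from the client; the content attribute may be hidden or cleared.` fetchScript begins and continues outside this hunk.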
@@ -465,8 +463,8 @@ bool ScriptLoader::doExecuteScript(const ScriptSourceCode& sourceCode) { |
AtomicString nonce = |
ContentSecurityPolicy::isNonceableElement(m_element.get()) |
- ? m_element->fastGetAttribute(HTMLNames::nonceAttr) |
- : AtomicString(); |
+ ? client()->nonce() |
+ : nullAtom; |
if (!m_isExternalScript && |
(!shouldBypassMainWorldCSP && |
!csp->allowInlineScript(m_element, elementDocument->url(), nonce, |
@@ -552,6 +550,10 @@ bool ScriptLoader::doExecuteScript(const ScriptSourceCode& sourceCode) { |
contextDocument->popCurrentScript(); |
} |
+ // "Number used _once_", so, clear it out after execution. |
+ if (RuntimeEnabledFeatures::hideNonceContentAttributeEnabled()) |
+ client()->clearNonce(); |
+ |
return true; |
} |
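Review bot: The nonce is cleared only on the final `return true` path, so any earlier exit from doExecuteScript leaves it in place; the `allowInlineScript` check in the previous hunk looks like one such exit, though the early returns themselves are outside these hunks. If the aim is to stop the nonce being read back once the element has been processed, the clear probably needs to cover those paths too, or happen at one point in the caller. The comment would also be more useful if it stated that reason instead of the etymology, since a page normally reuses one nonce value across all its nonced elements and clearing it here does not make it single-use. Assuming that is what `clearNonce()` does, something like `// Drop this element's stored nonce once the script has run so it cannot be read back later.` would fit.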