Implementation of script hashes for CSP.

Source/core/dom/ScriptLoader.cpp

Index: Source/core/dom/ScriptLoader.cpp
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp
index cfefea53954aafc27b1b0424aef16358fdbecc4d..1ca71f723c55a2f3323e6db1ef00901e88f8ee58 100644
--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -308,7 +308,7 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
 
     Frame* frame = contextDocument->frame();
 
-    bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
+    bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) || elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source());

[Mike West, 2013/10/16 14:53:02]

This is getting pretty ugly. I shouldn't have added the nonce bits here in the
first place, but adding hash really makes it visibly wrong. Ideally, we'd
refactor this in a separate CL so that the
'shouldBypassMainWorldContentSecurityPolicy' variable did what it said.

[jww, 2013/10/16 21:49:21]

I'm a little confused about what you'd like to see here. How about I break up
all of these calls into separate booleans and we can just || them all together.
That should make it quite a bit more readable, yes? I suppose the only problem
is short circuiting extraneous checks, but that's what compilers are for, I
suppose :-)

 
     if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))
         return;