Source/core/dom/ScriptLoader.cpp - Issue 26481005: Implementation of script hashes for CSP.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/core/dom/ScriptLoader.cpp

Issue 26481005: Implementation of script hashes for CSP. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Added tests Created 7 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt ('k') | Source/core/frame/ContentSecurityPolicy.h » ('j') | Source/core/frame/ContentSecurityPolicy.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/core/dom/ScriptLoader.cpp

diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp

index cfefea53954aafc27b1b0424aef16358fdbecc4d..ba033e6fe33e553f23cff0eb1493f7a5b02534fa 100644

--- a/Source/core/dom/ScriptLoader.cpp

+++ b/Source/core/dom/ScriptLoader.cpp

@@ -308,7 +308,11 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)

Frame* frame = contextDocument->frame();

- bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));

+ bool frameContentSecurityPolicyBypass = frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy();

+ bool allowScriptNonce = elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));

+ bool allowScriptHash = elementDocument->contentSecurityPolicy()->allowHash(sourceCode.source());

abarth-chromium 2013/10/17 02:28:09 We shouldn't call either of these functions if fra

jww 2013/10/18 22:58:04 I don't believe that's true. These functions don't

+ bool shouldBypassMainWorldContentSecurityPolicy = frameContentSecurityPolicyBypass || allowScriptNonce || allowScriptHash;

if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))

return;