Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(708)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/dom/ScriptLoader.cpp

Issue 26481005: Implementation of script hashes for CSP. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: More fixes from mkwst comments Created 7 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt ('k') | Source/core/frame/ContentSecurityPolicy.h » ('j') | Source/core/frame/ContentSecurityPolicy.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/dom/ScriptLoader.cpp
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp
index cfefea53954aafc27b1b0424aef16358fdbecc4d..8b5539f3740165843d91afc37bffe3145a9d4fcc 100644
--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -308,7 +308,11 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
Frame* frame = contextDocument->frame();
- bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
+ bool frameContentSecurityPolicyBypass = frame && frame->script()->shouldBypassMainWorldContentSecurityPolicy();
+ bool allowScriptNonce = elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
+ bool allowScriptHash = elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source());
+
+ bool shouldBypassMainWorldContentSecurityPolicy = frameContentSecurityPolicyBypass || allowScriptNonce || allowScriptHash;
abarth-chromium 2013/10/22 17:46:49 This has the same problem of eagerly evaluating al
jww 2013/10/28 19:36:23 Done.
if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))
return;
« no previous file with comments | « LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt ('k') | Source/core/frame/ContentSecurityPolicy.h » ('j') | Source/core/frame/ContentSecurityPolicy.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698