| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights |
| 6 * reserved. | 6 * reserved. |
| 7 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 7 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
| 8 * | 8 * |
| 9 * This library is free software; you can redistribute it and/or | 9 * This library is free software; you can redistribute it and/or |
| 10 * modify it under the terms of the GNU Library General Public | 10 * modify it under the terms of the GNU Library General Public |
| (...skipping 501 matching lines...) | |
| 512 // 21.6, "classic": "Fetch a classic script given ... CORS setting | 512 // 21.6, "classic": "Fetch a classic script given ... CORS setting |
| 513 // ... and encoding." | 513 // ... and encoding." |
| 514 if (cross_origin != kCrossOriginAttributeNotSet) | 514 if (cross_origin != kCrossOriginAttributeNotSet) |
| 515 request.SetCrossOriginAccessControl(element_document->GetSecurityOrigin(), | 515 request.SetCrossOriginAccessControl(element_document->GetSecurityOrigin(), |
| 516 cross_origin); | 516 cross_origin); |
| 517 | 517 |
| 518 request.SetCharset(encoding); | 518 request.SetCharset(encoding); |
| 519 | 519 |
| 520 // 17. "If the script element has a nonce attribute, | 520 // 17. "If the script element has a nonce attribute, |
| 521 // then let cryptographic nonce be that attribute's value. | 521 // then let cryptographic nonce be that attribute's value. |
| 522 // Otherwise, let cryptographic nonce be the empty string." | 522 // Otherwise, let cryptographic nonce be the empty string." |
|
kouhei (in TOK)
2017/04/11 12:24:18
Would you update the spec text here to match:
http
| |
| 523 if (element_->IsNonceableElement()) | 523 request.SetContentSecurityPolicyNonce(element_->GetNonceForElement()); |
| 524 request.SetContentSecurityPolicyNonce(element_->nonce()); | |
| 525 | 524 |
| 526 // 19. "Let parser state be "parser-inserted" | 525 // 19. "Let parser state be "parser-inserted" |
| 527 // if the script element has been flagged as "parser-inserted", | 526 // if the script element has been flagged as "parser-inserted", |
| 528 // and "not parser-inserted" otherwise." | 527 // and "not parser-inserted" otherwise." |
| 529 request.SetParserDisposition(IsParserInserted() ? kParserInserted | 528 request.SetParserDisposition(IsParserInserted() ? kParserInserted |
| 530 : kNotParserInserted); | 529 : kNotParserInserted); |
| 531 | 530 |
| 532 request.SetDefer(defer); | 531 request.SetDefer(defer); |
| 533 | 532 |
| 534 // 18. "If the script element has an integrity attribute, | 533 // 18. "If the script element has an integrity attribute, |
| (...skipping 124 matching lines...) | |
| 659 if (!frame) | 658 if (!frame) |
| 660 return true; | 659 return true; |
| 661 | 660 |
| 662 const ContentSecurityPolicy* csp = | 661 const ContentSecurityPolicy* csp = |
| 663 element_document->GetContentSecurityPolicy(); | 662 element_document->GetContentSecurityPolicy(); |
| 664 bool should_bypass_main_world_csp = | 663 bool should_bypass_main_world_csp = |
| 665 (frame->Script().ShouldBypassMainWorldCSP()) || | 664 (frame->Script().ShouldBypassMainWorldCSP()) || |
| 666 csp->AllowScriptWithHash(source_code.Source(), | 665 csp->AllowScriptWithHash(source_code.Source(), |
| 667 ContentSecurityPolicy::InlineType::kBlock); | 666 ContentSecurityPolicy::InlineType::kBlock); |
| 668 | 667 |
| 669 AtomicString nonce = | 668 const AtomicString& nonce = element_->GetNonceForElement(); |
| 670 element_->IsNonceableElement() ? element_->nonce() : g_null_atom; | |
| 671 if (!is_external_script_ && !should_bypass_main_world_csp && | 669 if (!is_external_script_ && !should_bypass_main_world_csp && |
| 672 !element_->AllowInlineScriptForCSP(nonce, start_line_number_, | 670 !element_->AllowInlineScriptForCSP(nonce, start_line_number_, |
| 673 source_code.Source())) { | 671 source_code.Source())) { |
| 674 return false; | 672 return false; |
| 675 } | 673 } |
| 676 | 674 |
| 677 if (is_external_script_) { | 675 if (is_external_script_) { |
| 678 ScriptResource* resource = source_code.GetResource(); | 676 ScriptResource* resource = source_code.GetResource(); |
| 679 CHECK_EQ(resource, resource_); | 677 CHECK_EQ(resource, resource_); |
| 680 CHECK(resource); | 678 CHECK(resource); |
| (...skipping 165 matching lines...) | |
| 846 // then abort these steps at this point. The script is not executed. | 844 // then abort these steps at this point. The script is not executed. |
| 847 return DeprecatedEqualIgnoringCase(event_attribute, "onload") || | 845 return DeprecatedEqualIgnoringCase(event_attribute, "onload") || |
| 848 DeprecatedEqualIgnoringCase(event_attribute, "onload()"); | 846 DeprecatedEqualIgnoringCase(event_attribute, "onload()"); |
| 849 } | 847 } |
| 850 | 848 |
| 851 String ScriptLoader::ScriptContent() const { | 849 String ScriptLoader::ScriptContent() const { |
| 852 return element_->TextFromChildren(); | 850 return element_->TextFromChildren(); |
| 853 } | 851 } |
| 854 | 852 |
| 855 } // namespace blink | 853 } // namespace blink |
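Review bot: At new lines 523 and 668 the explicit `IsNonceableElement()` guards are gone, so whether a nonce on a non-nonceable element is kept away from CSP matching now depends entirely on `GetNonceForElement()`, whose body is not shown on this page. If that helper does return a null nonce for such elements, say so at the call site, e.g. `// GetNonceForElement() yields a null nonce for non-nonceable elements, so their nonce attribute is never used for CSP matching.` above new line 668. New line 523 also calls `SetContentSecurityPolicyNonce()` unconditionally where the old code skipped the call, so it is worth confirming that passing a null nonce leaves the request in the same state as not setting one. A test that a non-nonceable script is still blocked on both the inline and the external path would pin the behaviour; both enclosing functions begin outside the lines shown here.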