Description
Clean up usage of CSP functions
I was very confused by the ScriptLoader code which called
CSP::allowScriptNonce and the corresponding variable
which was called isValidScriptNonce. I searched around
for nonce functions and found that they only checked
the nonce (not all policies) and I originally thought
this was an error! However after further investigation
I found that allowScriptNonce actually checks all active
CSPs and returns true only if they all pass, thus making
the following line (which disables further CSP checks
on the load) OK.
I renamed these allowScriptNonce and allowStyleNonce
functions to have a 'With' in their name and added
a comment in the header explaining their behavior.
While making this change, I also reduced the verbosity
of several repeated uses of the string ContentSecurityPolicy.
I think most blink hackers would be able to look up that CSP
refers to ContentSecurityPolicy.
I removed several redundant calls to Document::contentSecurityPolicy
(again just caused the lines to be needlessly verbose).
Finally I made ScriptLoader::executeScript use the preferred
early-return pattern instead of a long indented block
for the !frame case. I suspect that the !frame check
can actually be moved much earlier in the function
or even turned into an ASSERT.
This is still my long yak-shave to actually make the
preloader correct so I can fix the bugs which my
patch to make the HTML parser yield more aggressively
(and thus not starve the preloader) possible to land:
https://codereview.chromium.org/258013009/
BUG=356292
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=177065
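
The behaviour the description arrives at (a nonce is accepted only when every active policy accepts it) can be shown with a small model. This is an added example, not Blink code: `ScriptSrc`, `parseScriptSrc` and `allowScriptWithNonce` are hypothetical names, the policy strings are constructed, and the model assumes lowercase directive names and leaves out the `default-src` fallback.

```cpp
#include <algorithm>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Simplified model for illustration; not Blink's implementation.
struct ScriptSrc {
    bool present = false;          // does the policy have a script-src at all?
    std::set<std::string> nonces;  // values of its 'nonce-...' sources
};

// Parse one policy string and collect the nonces of its first script-src.
ScriptSrc parseScriptSrc(const std::string& policy) {
    ScriptSrc result;
    const std::string prefix = "'nonce-";
    std::istringstream directives(policy);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name, source;
        if (!(tokens >> name) || name != "script-src") continue;
        result.present = true;
        while (tokens >> source) {
            if (source.size() > prefix.size() + 1 && source.back() == '\'' &&
                source.compare(0, prefix.size(), prefix) == 0)
                result.nonces.insert(source.substr(
                    prefix.size(), source.size() - prefix.size() - 1));
        }
        break;  // later script-src directives in the same policy are ignored
    }
    return result;
}

// True only if every active policy accepts the nonce. One policy that lists
// a different nonce is enough to reject the script.
bool allowScriptWithNonce(const std::vector<std::string>& policies,
                          const std::string& nonce) {
    return std::all_of(policies.begin(), policies.end(),
        [&nonce](const std::string& policy) -> bool {
            ScriptSrc src = parseScriptSrc(policy);
            if (!src.present) return true;  // policy does not restrict scripts
            return !nonce.empty() && src.nonces.count(nonce) > 0;
        });
}

int main() {  // constructed sample: the second policy lists a different nonce
    std::vector<std::string> p = {"script-src 'nonce-abc123'", "script-src 'nonce-zzz'"};
    return allowScriptWithNonce(p, "abc123") ? 1 : 0;  // exits 0: rejected
}
```

Because the helper already consults every policy, a caller that gets `true` has nothing further to learn from a second per-policy check of the same script.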
Patch Set 1
Patch Set 2 : Fixed null crash
Patch Set 3 : Fix compile
Patch Set 4 : Fix to apply