Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(160)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 568583003: Allow CSP checkNonce and checkHash to pass with 'unsafe-inline' only. (Closed)

Created:
6 years, 3 months ago by jww
Modified:
6 years, 1 month ago
Reviewers:
Mike West
CC:
blink-reviews, mkwst+watchlist_chromium.org, devd
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Project:
blink
Visibility:
Public.

Description

Allow CSP checkNonce and checkHash to pass with 'unsafe-inline' only. There is a bug that a script will incorrectly not run when a nonce is specified if 'unsafe-inline' is also specified in the policy and there's a *second* policy that only specifies 'unsafe-inline'. This is due to a cascading failure where the initial isAllowedByAllWithNonce check fails because the second policy doesn't have a nonce, while the later allowInlineScript check fails because the first policy's nonce invalidates the 'unsafe-inline'. This CL allows allowScriptNonce (and allowScriptHash) to pass if 'unsafe-inline' is present (and no hash or nonce is present). This also adds tests to verify. BUG=413482 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=181939

Patch Set 1 #

Patch Set 2 : More tests #

Patch Set 3 : Rebase on ToT #

Patch Set 4 : Fixed broken tests #

Messages

Total messages: 15 (6 generated)
jww
6 years, 3 months ago (2014-09-12 00:48:36 UTC) #2
Mike West
Thanks for adding tests. LGTM.
6 years, 3 months ago (2014-09-12 06:28:36 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patchset/568583003/20001
6 years, 3 months ago (2014-09-12 06:28:54 UTC) #5
commit-bot: I haz the power
Exceeded time limit waiting for builds to trigger.
6 years, 3 months ago (2014-09-12 08:29:14 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patchset/568583003/20001
6 years, 3 months ago (2014-09-12 08:31:00 UTC) #9
commit-bot: I haz the power
Exceeded time limit waiting for builds to trigger.
6 years, 3 months ago (2014-09-12 10:31:23 UTC) #11
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patchset/568583003/60001
6 years, 3 months ago (2014-09-12 20:35:11 UTC) #13
commit-bot: I haz the power
Committed patchset #4 (id:60001) as 181939
6 years, 3 months ago (2014-09-12 22:09:36 UTC) #14
Mike West
6 years, 1 month ago (2014-11-05 12:15:36 UTC) #15
Message was sent while issue was closed. 
On 2014/09/12 22:09:36, I haz the power (commit-bot) wrote:
> Committed patchset #4 (id:60001) as 181939

Reverting this in https://codereview.chromium.org/704723003/, as it turns out to
interact badly with the CSP-bypassing logic in ScriptLoader.

Powered by Google App Engine
This is Rietveld 408576698