| Index: Source/core/frame/csp/CSPSourceList.cpp
|
| diff --git a/Source/core/frame/csp/CSPSourceList.cpp b/Source/core/frame/csp/CSPSourceList.cpp
|
| index cd515dd3d9822b9ae465934ca503be61d10455a7..e682d3ff4aebafcf66ea844be4cde94fb1ab7079 100644
|
| --- a/Source/core/frame/csp/CSPSourceList.cpp
|
| +++ b/Source/core/frame/csp/CSPSourceList.cpp
|
| @@ -260,18 +260,20 @@ bool CSPSourceList::parseSource(const UChar* begin, const UChar* end, String& sc
|
| //
|
| bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& nonce)
|
| {
|
| - DEFINE_STATIC_LOCAL(const String, noncePrefix, ("'nonce-"));
|
| + size_t nonceLength = end - begin;
|
| + const char* prefix = "'nonce-";
|
|
|
| - if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length()))
|
| + if (nonceLength <= strlen(prefix) || !equalIgnoringCase(prefix, begin, strlen(prefix)))
|
| return true;
|
|
|
| - const UChar* position = begin + noncePrefix.length();
|
| + const UChar* position = begin + strlen(prefix);
|
| const UChar* nonceBegin = position;
|
|
|
| + ASSERT(position < end);
|
| skipWhile<UChar, isNonceCharacter>(position, end);
|
| ASSERT(nonceBegin <= position);
|
|
|
| - if ((position + 1) != end || *position != '\'' || !(position - nonceBegin))
|
| + if (position + 1 != end || *position != '\'' || position == nonceBegin)
|
| return false;
|
|
|
| nonce = String(nonceBegin, position - nonceBegin);
|
|
|
Chromium Code Reviews
Issue 705663003:
CSP: Harden nonce parsing. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master