Changeset 287756 in webkit
- Timestamp:
- Jan 7, 2022 10:04:56 AM (6 months ago)
- Location:
- trunk
- Files:
-
- 2 added
- 5 edited
-
LayoutTests/ChangeLog (modified) (1 diff)
-
LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt (added)
-
LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html (added)
-
Source/WebCore/ChangeLog (modified) (1 diff)
-
Source/WebCore/dom/ScriptElement.cpp (modified) (3 diffs)
-
Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (2 diffs)
-
Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r287753 r287756 1 2022-01-07 Kate Cheney <katherine_cheney@apple.com> 2 3 Implement CSP strict-dynamic for module scripts 4 https://bugs.webkit.org/show_bug.cgi?id=234934 5 <rdar://problem/83728374> 6 7 Reviewed by Brent Fulgham. 8 9 * http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt: Added. 10 * http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html: Added. 11 1 12 2022-01-07 Aditya Keerthi <akeerthi@apple.com> 2 13 -
trunk/Source/WebCore/ChangeLog
r287753 r287756 1 2022-01-07 Kate Cheney <katherine_cheney@apple.com> 2 3 Implement CSP strict-dynamic for module scripts 4 https://bugs.webkit.org/show_bug.cgi?id=234934 5 <rdar://problem/83728374> 6 7 Reviewed by Brent Fulgham. 8 9 Test: http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html 10 11 This also adds the contextLine value instead of using the default 12 OrdinalNumber::beforeFirst() value. 13 14 * dom/ScriptElement.cpp: 15 (WebCore::ScriptElement::requestClassicScript): 16 (WebCore::ScriptElement::requestModuleScript): 17 (WebCore::ScriptElement::executeClassicScript): 18 * page/csp/ContentSecurityPolicy.cpp: 19 (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const): 20 * page/csp/ContentSecurityPolicy.h: 21 1 22 2022-01-07 Aditya Keerthi <akeerthi@apple.com> 2 23 -
trunk/Source/WebCore/dom/ScriptElement.cpp
r286136 r287756 305 305 306 306 const auto& contentSecurityPolicy = *m_element.document().contentSecurityPolicy(); 307 if (!contentSecurityPolicy.allowNonParserInsertedScripts(scriptURL, m_ element.nonce(), String(), m_parserInserted))307 if (!contentSecurityPolicy.allowNonParserInsertedScripts(scriptURL, m_startLineNumber, m_element.nonce(), String(), m_parserInserted)) 308 308 return false; 309 309 … … 377 377 ASSERT(m_element.document().contentSecurityPolicy()); 378 378 const auto& contentSecurityPolicy = *m_element.document().contentSecurityPolicy(); 379 if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted)) 380 return false; 381 379 382 bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(nonce, m_element.isInUserAgentShadowTree()); 380 383 if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce)) … … 398 401 ASSERT(m_element.document().contentSecurityPolicy()); 399 402 const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy(); 400 if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_ element.nonce(), sourceCode.source(), m_parserInserted))403 if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted)) 401 404 return; 402 405 -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r287303 r287756 460 460 } 461 461 462 bool ContentSecurityPolicy::allowNonParserInsertedScripts(const URL& url, const String& nonce, const StringView& scriptContent, ParserInserted parserInserted) const462 bool ContentSecurityPolicy::allowNonParserInsertedScripts(const URL& url, const OrdinalNumber& contextLine, const String& nonce, const StringView& scriptContent, ParserInserted parserInserted) const 463 463 { 464 464 if (!shouldPerformEarlyCSPCheck()) … … 466 466 467 467 auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) { 468 TextPosition sourcePosition( OrdinalNumber::beforeFirst(), OrdinalNumber());468 TextPosition sourcePosition(contextLine, OrdinalNumber()); 469 469 String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, "Refused to load"); 470 470 reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), scriptContent, sourcePosition); -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
r287303 r287756 102 102 bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*, bool overrideContentSecurityPolicy = false) const; 103 103 bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, bool overrideContentSecurityPolicy = false) const; 104 bool allowNonParserInsertedScripts(const URL&, const String&, const StringView&, ParserInserted) const;104 bool allowNonParserInsertedScripts(const URL&, const OrdinalNumber&, const String&, const StringView&, ParserInserted) const; 105 105 bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, Element&, bool overrideContentSecurityPolicy = false) const; 106 106
Note: See TracChangeset
for help on using the changeset viewer.
