Changeset 288132 in webkit

Timestamp:

Jan 18, 2022 11:33:30 AM (6 months ago)

Author:

Patrick Griffis

Message:

CSP: Improve handling of multiple policies
​https://bugs.webkit.org/show_bug.cgi?id=235199

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Add new test expectations with more passes.

• web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt:
• web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:
• web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt:
• web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt:
• web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms-expected.txt: Added.

Source/WebCore:

This fixes many issues with multiple CSP policies.

To quote the spec for script-src:

Their behavior will be blocked unless every policy allows inline script, either implicitly by not

specifying a script-src (or default-src) directive, or explicitly, by specifying "unsafe-inline",
a nonce-source or a hash-source that matches the inline block.

The previous structure was many distinct calls to check if there was a nonce in any policy, then if there
was a hash in any policy, etc, rather than actually checking the policies as a whole to know if they
allow or block a behavior. This lead to various issues where polices were not properly respected and where
reports were inaccurate.

The allScriptPoliciesAllow() function did try to consider all policies but was not very flexible and had buggy
behavior like for each policy it would call findHashOfContentInPolicies() meaning hashes from other policies
incorrectly applied to the current policy, plus general inefficiency of hashing the same content many
times over.

The new behavior relies more on passing all required information in a single function call to verify all
policies in a single pass.

• bindings/js/CachedScriptFetcher.cpp:

(WebCore::CachedScriptFetcher::requestScriptWithCache const):

• dom/InlineStyleSheetOwner.cpp:

(WebCore::InlineStyleSheetOwner::createSheet):

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestModuleScript):
(WebCore::ScriptElement::executeClassicScript):

• dom/StyledElement.cpp:

(WebCore::StyledElement::styleAttributeChanged):

• html/HTMLLinkElement.cpp:

(WebCore::HTMLLinkElement::process):

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):

• loader/ResourceLoaderOptions.h:
• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::parseSubResourceIntegrityIntoDigests):
(WebCore::generateHashesForContent):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
(WebCore::ContentSecurityPolicy::allowScriptFromSource const):
(WebCore::ContentSecurityPolicy::allowStyleFromSource const):
(WebCore::ContentSecurityPolicy::allScriptPoliciesAllow const): Deleted.
(WebCore::ContentSecurityPolicy::findHashOfContentInPolicies const): Deleted.
(WebCore::ContentSecurityPolicy::checkHashAndReportViolation const): Deleted.

• page/csp/ContentSecurityPolicy.h:
• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineJavascriptURL const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineEventHandlers const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash const): Deleted.

• page/csp/ContentSecurityPolicyDirectiveList.h:

LayoutTests:

Update test expectations, Some newly passing tests are no longer skipped and some have new reports.

• TestExpectations:
• http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-multiple-policies-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scripthash-in-enforced-policy-and-not-in-report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy2-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-expected.txt:
• http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/window-open-javascript-url-with-target-blocked-expected.txt:
• platform/glib/TestExpectations:
• platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-multiple-policies-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-in-enforced-policy-and-not-in-report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-with-target-blocked-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt (modified) (2 diffs)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms-expected.txt (added)
• LayoutTests/platform/glib/TestExpectations (modified) (1 diff)
• LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/CachedScriptFetcher.cpp (modified) (1 diff)
• Source/WebCore/dom/InlineStyleSheetOwner.cpp (modified) (1 diff)
• Source/WebCore/dom/ScriptElement.cpp (modified) (2 diffs)
• Source/WebCore/dom/StyledElement.cpp (modified) (1 diff)
• Source/WebCore/html/HTMLLinkElement.cpp (modified) (1 diff)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/ResourceLoaderOptions.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (11 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (4 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-01-18  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Improve handling of multiple policies
+        https://bugs.webkit.org/show_bug.cgi?id=235199
+
+        Reviewed by Kate Cheney.
+
+        Update test expectations, Some newly passing tests are no longer skipped and some have new reports.
+
+        * TestExpectations:
+        * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-multiple-policies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-in-enforced-policy-and-not-in-report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/window-open-javascript-url-with-target-blocked-expected.txt:
+        * platform/glib/TestExpectations:
+        * platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt:
+
 2022-01-18  Sepand Parhami  <sparhami@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -968 +968 @@
 # FIXME: Skip Content Security Policy tests that are dumping the render tree instead of text:
 imported/w3c/web-platform-tests/content-security-policy/svg/scripted.svg [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/svg/including.sub.svg [ Skip ]
 
@@ -1012 +1011 @@
 imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html [ Skip ]
 
 # Content Security Policy: Embedded Enforcement is not supported
 imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement
-
-# Skip some Content Security Policy script-dynamic tests as we do not fully support the feature
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html [ Skip ]
 
 # Skip Content Security Policy shared workers tests as we do not support shared workers

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt

@@ -2 +2 @@
 CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-multiple-policies-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-in-enforced-policy-and-not-in-report-only-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The Content Security Policy 'script-src 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
 CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy2-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: The Content Security Policy 'script-src 'nonce-dummy' 'nonce-dump-as-text'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
-CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 PASS did execute script.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-in-enforced-policy-and-not-in-report-only-expected.txt

@@ -2 +2 @@
 CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-multiple-policies-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

@@ -2 +2 @@
 CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
 CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 This test passes if it doesn't alert fail.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load javascript:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

@@ -2 +2 @@
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-with-target-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2022-01-18  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Improve handling of multiple policies
+        https://bugs.webkit.org/show_bug.cgi?id=235199
+
+        Reviewed by Kate Cheney.
+
+        Add new test expectations with more passes.
+
+        * web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt:
+        * web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt:
+        * web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt:
+        * web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt:
+        * web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms-expected.txt: Added.
+
 2022-01-17  Sergio Villar Senin  <svillar@igalia.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-multiple-policies-one-using-hashing-algorithms-expected.txt

@@ -1 @@
-layer at (0,0) size 1280x960
-  RenderView at (0,0) size 1280x960
-layer at (0,0) size 1280x8
-  RenderBlock {HTML} at (0,0) size 1280x8
-    RenderBody {BODY} at (8,8) size 1264x0
+
+PASS Test that script executes if allowed by proper hash values
+

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted-expected.txt

@@ -1 +1 @@
 Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.
 
-
-Harness Error (TIMEOUT), message = null
 
 PASS Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.
@@ -12 +10 @@
 PASS Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.
 PASS Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
-TIMEOUT Script injected via `innerHTML` is not allowed with `strict-dynamic`. Test timed out
-TIMEOUT Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`. Test timed out
+FAIL Script injected via `innerHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
+FAIL Script injected via `insertAdjacentHTML` is not allowed with `strict-dynamic`. assert_equals: expected "script-src-attr" but got "script-src"
 

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-error-event-fires-expected.txt

@@ -5 +5 @@
 Harness Error (TIMEOUT), message = null
 
-NOTRUN Test error event fires on stylesheet link
+PASS Test error event fires on stylesheet link
 NOTRUN Test error event fires on inline style
 Lorem ipsum

trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event-expected.txt

@@ -3 +3 @@
 Harness Error (TIMEOUT), message = null
 
-FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src 'nonce-nonceynonce'" but got "style-src-elem"
+PASS Should fire a securitypolicyviolation event
 NOTRUN Test that paragraph remains unmodified and error events received.
 Lorem ipsum

trunk/LayoutTests/platform/glib/TestExpectations

@@ -1440 +1440 @@
 
 # Failing since deferred async loading enabled until document is loaded enabled.
-webkit.org/b/208104 imported/w3c/web-platform-tests/content-security-policy/script-src/scripthash-changed-2.html [ Failure ]
-webkit.org/b/208104 imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-changed-2.html [ Failure ]
 webkit.org/b/208104 imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/execution-timing/085.html [ Failure Pass ]
 

trunk/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt

@@ -3 +3 @@
 frame "<!--frame1-->" - didCommitLoadForFrame
 CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
-CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
 
-frame "<!--frame1-->" - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.py?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+frame "<!--frame1-->" - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.py?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py
 frame "<!--frame1-->" - didFinishDocumentLoadForFrame
 main frame - didHandleOnloadEventsForFrame
-frame "<!--frame1-->" - didFinishLoadForFrame
 frame "<!--frame1-->" - didStartProvisionalLoadForFrame
 frame "<!--frame1-->" - didCancelClientRedirectForFrame
@@ -26 +25 @@
 CONTENT_TYPE: application/csp-report
 HTTP_HOST: 127.0.0.1:8443
-HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py
 REQUEST_METHOD: POST
-REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py
 === POST DATA ===
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html","violated-directive":"block-all-mixed-content","effective-directive":"block-all-mixed-content","original-policy":"block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","blocked-uri":"http://127.0.0.1:8000","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py","referrer":"http://127.0.0.1:8000/","violated-directive":"block-all-mixed-content","effective-directive":"block-all-mixed-content","original-policy":"block-all-mixed-content; report-uri ../../resources/save-report.py?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.py","blocked-uri":"http://127.0.0.1:8000","status-code":0}}

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-01-18  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Improve handling of multiple policies
+        https://bugs.webkit.org/show_bug.cgi?id=235199
+
+        Reviewed by Kate Cheney.
+
+        This fixes many issues with multiple CSP policies.
+
+        To quote the spec for script-src:
+
+        > Their behavior will be blocked unless every policy allows inline script, either implicitly by not
+          specifying a script-src (or default-src) directive, or explicitly, by specifying "unsafe-inline",
+          a nonce-source or a hash-source that matches the inline block.
+
+        The previous structure was many distinct calls to check if there was a nonce in any policy, then if there
+        was a hash in any policy, etc, rather than actually checking the policies as a whole to know if they
+        allow or block a behavior. This lead to various issues where polices were not properly respected and where
+        reports were inaccurate.
+
+        The allScriptPoliciesAllow() function did try to consider all policies but was not very flexible and had buggy
+        behavior like for each policy it would call findHashOfContentInPolicies() meaning hashes from other policies
+        incorrectly applied to the current policy, plus general inefficiency of hashing the same content many
+        times over.
+
+        The new behavior relies more on passing all required information in a single function call to verify all
+        policies in a single pass.
+
+        * bindings/js/CachedScriptFetcher.cpp:
+        (WebCore::CachedScriptFetcher::requestScriptWithCache const):
+        * dom/InlineStyleSheetOwner.cpp:
+        (WebCore::InlineStyleSheetOwner::createSheet):
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestModuleScript):
+        (WebCore::ScriptElement::executeClassicScript):
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::styleAttributeChanged):
+        * html/HTMLLinkElement.cpp:
+        (WebCore::HTMLLinkElement::process):
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+        * loader/ResourceLoaderOptions.h:
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::parseSubResourceIntegrityIntoDigests):
+        (WebCore::generateHashesForContent):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+        (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+        (WebCore::ContentSecurityPolicy::allowInlineScript const):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle const):
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+        (WebCore::ContentSecurityPolicy::allScriptPoliciesAllow const): Deleted.
+        (WebCore::ContentSecurityPolicy::findHashOfContentInPolicies const): Deleted.
+        (WebCore::ContentSecurityPolicy::checkHashAndReportViolation const): Deleted.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineJavascriptURL const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineEventHandlers const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript const): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute const): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash const): Deleted.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash const): Deleted.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+
 2022-01-18  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebCore/bindings/js/CachedScriptFetcher.cpp

@@ -59 +59 @@
     options.integrity = WTFMove(integrity);
     options.referrerPolicy = m_referrerPolicy;
+    options.nonce = m_nonce;
 
     auto request = createPotentialAccessControlRequest(sourceURL, WTFMove(options), document, crossOriginMode);

trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp

@@ -171 +171 @@
     ASSERT(document.contentSecurityPolicy());
     const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy();
-    bool hasKnownNonce = contentSecurityPolicy.allowStyleWithNonce(element.nonce(), element.isInUserAgentShadowTree());
-    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, element, hasKnownNonce))
+    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, element, element.nonce(), element.isInUserAgentShadowTree()))
         return;
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -384 +384 @@
         return false;
 
-    bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(nonce, m_element.isInUserAgentShadowTree());
-    if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce))
+    if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, nonce, m_element.isInUserAgentShadowTree()))
         return false;
 
@@ -408 +407 @@
             return;
 
-        bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.nonce(), m_element.isInUserAgentShadowTree());
-        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce))
+        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, m_element.nonce(), m_element.isInUserAgentShadowTree()))
             return;
     }

trunk/Source/WebCore/dom/StyledElement.cpp

@@ -207 +207 @@
         startLineNumber = document().scriptableDocumentParser()->textPosition().m_line;
 
-    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, *this, isInUserAgentShadowTree()))
+    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, *this, nonce(), isInUserAgentShadowTree()))
         setInlineStyleFromString(newStyleString);
 

trunk/Source/WebCore/html/HTMLLinkElement.cpp

@@ -322 +322 @@
 
         ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+        options.nonce = attributeWithoutSynchronization(HTMLNames::nonceAttr);
         options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
-        if (document().contentSecurityPolicy()->allowStyleWithNonce(attributeWithoutSynchronization(HTMLNames::nonceAttr)))
+        if (document().contentSecurityPolicy()->allowStyleWithNonce(options.nonce))
             options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
         options.integrity = m_integrityMetadataForPendingSheetRequest;

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -687 +687 @@
         return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
-        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, m_options.integrity);
+        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, m_options.integrity, m_options.nonce);
     }
     ASSERT_NOT_REACHED();

trunk/Source/WebCore/loader/ResourceLoaderOptions.h

@@ -207 +207 @@
     uint8_t maxRedirectCount { 20 };
     FetchIdentifier navigationPreloadIdentifier;
+    String nonce;
 
     SendCallbackPolicy sendLoadCallbacks : bitWidthOfSendCallbackPolicy;

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -502 +502 @@
 #endif
     case CachedResource::Type::Script:
-        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, options.integrity))
+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, options.integrity, options.nonce))
             return false;
         break;
     case CachedResource::Type::CSSStyleSheet:
-        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, redirectResponseReceived, preRedirectURL))
+        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, redirectResponseReceived, preRedirectURL, options.nonce))
             return false;
         break;

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -335 +335 @@
 }
 
-bool ContentSecurityPolicy::allScriptPoliciesAllow(ViolatedDirectiveCallback&& callback, const URL& url, const String& nonce, const StringView& scriptContent, ParserInserted parserInserted) const
-{
-    bool isAllowed = true;
-    for (auto& policy : m_policies) {
-        auto violatedDirectiveForNonParserInsertedScript = policy.get()->violatedDirectiveForParserInsertedScript(parserInserted);
-        auto violatedDirectiveForScriptNonce = policy.get()->violatedDirectiveForScriptNonce(nonce);
-        auto violatedDirectiveForScriptSrc = policy.get()->violatedDirectiveForScript(url, false, { });
-        auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
-
-        if (violatedDirectiveForNonParserInsertedScript && violatedDirectiveForScriptNonce && violatedDirectiveForScriptSrc && !foundHashInEnforcedPolicies) {
-            if (!violatedDirectiveForNonParserInsertedScript->directiveList().isReportOnly()
-                || !violatedDirectiveForScriptNonce->directiveList().isReportOnly()
-                || !violatedDirectiveForScriptSrc->directiveList().isReportOnly()
-                || foundHashInReportOnlyPolicies)
-                isAllowed = false;
-
-            callback(*violatedDirectiveForScriptSrc);
+static Vector<ResourceCryptographicDigest> parseSubResourceIntegrityIntoDigests(const String& subResourceIntegrity)
+{
+    auto encodedDigests = parseIntegrityMetadata(subResourceIntegrity);
+    Vector<ResourceCryptographicDigest> decodedDigests;
+
+    if (!encodedDigests.has_value())
+        return { };
+
+    for (const auto& encodedDigest : encodedDigests.value()) {
+        auto decodedDigest = decodeEncodedResourceCryptographicDigest(encodedDigest);
+        if (decodedDigest.has_value())
+            decodedDigests.append(decodedDigest.value());
         }
-    }
-    return isAllowed;
-}
-
-template<typename Predicate>
-ContentSecurityPolicy::HashInEnforcedAndReportOnlyPoliciesPair ContentSecurityPolicy::findHashOfContentInPolicies(const Predicate& predicate, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms) const
-{
-    if (algorithms.isEmpty() || content.isEmpty())
-        return { false, false };
-
+
+    return decodedDigests;
+}
+
+static Vector<ContentSecurityPolicyHash> generateHashesForContent(const StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms)
+{
     CString utf8Content = content.utf8(StrictConversionReplacingUnpairedSurrogatesWithFFFD);
-    bool foundHashInEnforcedPolicies = false;
-    bool foundHashInReportOnlyPolicies = false;
     Vector<ContentSecurityPolicyHash> hashes;
     for (auto algorithm : algorithms) {
@@ -371 +360 @@
         hashes.append(hash);
     }
-    if (!foundHashInEnforcedPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, predicate, hashes))
-        foundHashInEnforcedPolicies = true;
-    if (!foundHashInReportOnlyPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, predicate, hashes))
-        foundHashInReportOnlyPolicies = true;
-
-    return { foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies };
-}
-
-template<typename ViolatedDirective, typename HashSearchPolicy>
-bool ContentSecurityPolicy::checkHashAndReportViolation(const String& source, const ViolatedDirective& violatedDirective, const HashSearchPolicy& searchPolicy, OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithms, ContentSecurityPolicy::ViolatedDirectiveCallback&& callback) const
-{
-    auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(searchPolicy, source, hashAlgorithms);
-    if (foundHashInEnforcedPolicies && foundHashInReportOnlyPolicies)
-        return true;
-
-    if (!foundHashInReportOnlyPolicies)
-        allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, std::forward<ViolatedDirectiveCallback>(callback), violatedDirective);
-
-    return foundHashInEnforcedPolicies || allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, WTFMove(callback), violatedDirective);
+
+    return hashes;
 }
 
@@ -398 +370 @@
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
+        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
         // FIXME (rdar://83332874) implement scriptSrcElem properly.
         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
@@ -407 +379 @@
     };
 
-    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
+    auto contentHashes = generateHashesForContent(source, m_hashAlgorithmsForInlineScripts);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineJavascriptURL, contentHashes);
 }
 
@@ -424 +397 @@
     };
 
-    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
+    auto contentHashes = generateHashesForContent(source, m_hashAlgorithmsForInlineScripts);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineEventHandlers, contentHashes);
 }
 
@@ -472 +446 @@
     };
 
-    return allScriptPoliciesAllow(handleViolatedDirective, sourceURL, nonce, scriptContent, parserInserted);
-}
-
-bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element& element, bool overrideContentSecurityPolicy) const
+    auto contentHashes = generateHashesForContent(scriptContent, m_hashAlgorithmsForInlineScripts);
+    String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts, strippedNonce, contentHashes, sourceURL, parserInserted);
+}
+
+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element& element, const String& nonce, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy || shouldPerformEarlyCSPCheck())
@@ -488 +464 @@
         }
     };
-    // FIXME: We should not report that the inline script violated a policy when its hash matched a source
-    // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    return checkHashAndReportViolation(scriptContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
-}
-
-bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes shouldCheckUnsafeHashes, Element& element, bool overrideContentSecurityPolicy) const
+
+    auto contentHashes = generateHashesForContent(scriptContent, m_hashAlgorithmsForInlineScripts);
+    String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement, strippedNonce, contentHashes);
+}
+
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes shouldCheckUnsafeHashes, Element& element, const String& nonce, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy)
@@ -505 +482 @@
     };
 
+    auto contentHashes = generateHashesForContent(styleContent, m_hashAlgorithmsForInlineStylesheets);
+    String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+
     if (shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes)
-        return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
-
-    // FIXME: We should not report that the inline stylesheet violated a policy when its hash matched a source
-    // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
+        return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute, strippedNonce, contentHashes);
+
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement, strippedNonce, contentHashes);
 }
 
@@ -635 +613 @@
 }
 
-static Vector<ResourceCryptographicDigest> parseSubResourceIntegrityIntoDigests(const String& subResourceIntegrity)
-{
-    auto encodedDigests = parseIntegrityMetadata(subResourceIntegrity);
-    Vector<ResourceCryptographicDigest> decodedDigests;
-
-    if (!encodedDigests.has_value())
-        return { };
-
-    for (const auto& encodedDigest : encodedDigests.value()) {
-        auto decodedDigest = decodeEncodedResourceCryptographicDigest(encodedDigest);
-        if (decodedDigest.has_value())
-            decodedDigests.append(decodedDigest.value());
-    }
-
-    return decodedDigests;
-}
-
-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& subResourceIntegrity) const
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& subResourceIntegrity, const String& nonce) const
 {
     if (shouldPerformEarlyCSPCheck())
@@ -668 +629 @@
 
     auto subResourceIntegrityDigests = parseSubResourceIntegrityIntoDigests(subResourceIntegrity);
-    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes, subResourceIntegrityDigests);
+    String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes, subResourceIntegrityDigests, strippedNonce);
 }
 
@@ -676 +638 @@
 }
 
-bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
-{
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::styleSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, preRedirectURL);
+bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& nonce) const
+{
+    if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
+        return true;
+    String sourceURL;
+    const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
+    TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
+    auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
+        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL, "Refused to load");
+        reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+    };
+
+    String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url, redirectResponseReceived == RedirectResponseReceived::Yes, strippedNonce);
 }
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -101 +101 @@
     bool allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*, bool overrideContentSecurityPolicy = false) const;
-    bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, bool overrideContentSecurityPolicy = false) const;
-    bool allowNonParserInsertedScripts(const URL& sourceURL, const URL& contextURL, const OrdinalNumber&, const String&, const StringView&, ParserInserted) const;
-    bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, Element&, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, const String& nonce, bool overrideContentSecurityPolicy = false) const;
+    bool allowNonParserInsertedScripts(const URL& sourceURL, const URL& contextURL, const OrdinalNumber&, const String& nonce, const StringView&, ParserInserted) const;
+    bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, Element&, const String&, bool overrideContentSecurityPolicy = false) const;
 
     bool allowEval(JSC::JSGlobalObject*, LogToConsole, StringView codeContent, bool overrideContentSecurityPolicy = false) const;
@@ -114 +114 @@
 
     enum class RedirectResponseReceived { No, Yes };
-    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL(), const String& = nullString()) const;
+    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL(), const String& = nullString(), const String& nonce = nullString()) const;
     bool allowImageFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
-    bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
+    bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL(), const String& nonce = nullString()) const;
     bool allowFontFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
 #if ENABLE(APPLICATION_MANIFEST)
@@ -215 +215 @@
     template<typename Predicate, typename... Args>
     bool allPoliciesAllow(ViolatedDirectiveCallback&&, Predicate&&, Args&&...) const WARN_UNUSED_RETURN;
-    bool allScriptPoliciesAllow(ViolatedDirectiveCallback&&, const URL&, const String&, const StringView&, ParserInserted) const;
     bool shouldPerformEarlyCSPCheck() const;
     
     using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
     bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate, const URL& preRedirectURL = URL()) const;
-
-    using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
-    template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(const Predicate&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
 
     void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*, StringView sourceContent) const;
@@ -229 +225 @@
     void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const StringView& sourceContent, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL(), Element* = nullptr) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
-
-    template<typename ViolatedDirective, typename HashSearchPolicy> bool checkHashAndReportViolation(const String&, const ViolatedDirective&, const HashSearchPolicy&, OptionSet<ContentSecurityPolicyHashAlgorithm>, ContentSecurityPolicy::ViolatedDirectiveCallback&&) const;
 
     // We can never have both a script execution context and a ContentSecurityPolicyClient.

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -191 +191 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript(const Vector<ContentSecurityPolicyHash>& hashes) const
-{
-    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
-    if (checkUnsafeHashes(operativeDirective, hashes))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle(const Vector<ContentSecurityPolicyHash>& hashes) const
-{
-    auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
-    if (checkUnsafeHashes(operativeDirective, hashes))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript(ParserInserted parserInserted) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes) const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
+    if (checkHashes(operativeDirective, hashes)
+        || checkNonce(operativeDirective, nonce)
+        || checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineJavascriptURL(const Vector<ContentSecurityPolicyHash>& hashes) const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
+    if (checkUnsafeHashes(operativeDirective, hashes)
+        || checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForInlineEventHandlers(const Vector<ContentSecurityPolicyHash>& hashes) const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcAttr.get(), ContentSecurityPolicyDirectiveNames::scriptSrcAttr);
+    if (checkUnsafeHashes(operativeDirective, hashes)
+        || checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes, const URL& url, ParserInserted parserInserted) const
 {
     auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
-    if (checkNonParserInsertedScripts(operativeDirective, parserInserted))
-        return nullptr;
-
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement() const
-{
-    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
-    if (checkInline(operativeDirective))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute() const
-{
-    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcAttr.get(), ContentSecurityPolicyDirectiveNames::scriptSrcAttr);
-    if (checkInline(operativeDirective))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement() const
+    if (checkHashes(operativeDirective, hashes)
+        || checkNonParserInsertedScripts(operativeDirective, parserInserted)
+        || checkNonce(operativeDirective, nonce)
+        || checkSource(operativeDirective, url))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes) const
 {
     auto* operativeDirective = this->operativeDirectiveStyle(m_styleSrcElem.get(), ContentSecurityPolicyDirectiveNames::styleSrcElem);
-    if (checkInline(operativeDirective))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute() const
+    if (checkHashes(operativeDirective, hashes)
+        || checkNonce(operativeDirective, nonce)
+        || checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute(const String& nonce, const Vector<ContentSecurityPolicyHash>& hashes) const
 {
     auto* operativeDirective = this->operativeDirectiveStyle(m_styleSrcAttr.get(), ContentSecurityPolicyDirectiveNames::styleSrcAttr);
-    if (checkInline(operativeDirective))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash(const Vector<ContentSecurityPolicyHash>& hashes) const
-{
-    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
-    if (checkHashes(operativeDirective, hashes))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash(const Vector<ContentSecurityPolicyHash>& hashes) const
-{
-    auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::styleSrc);
-    if (checkHashes(operativeDirective, hashes))
+    if (checkUnsafeHashes(operativeDirective, hashes)
+        || checkNonce(operativeDirective, nonce)
+        || checkInline(operativeDirective))
         return nullptr;
     return operativeDirective;
@@ -388 +374 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const String& nonce) const
 {
     auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
 
-    if (!operativeDirective || operativeDirective->containsAllHashes(subResourceIntegrityDigests))
-        return nullptr;
-
-    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse) const
+    if (!operativeDirective
+        || operativeDirective->containsAllHashes(subResourceIntegrityDigests)
+        || checkNonce(operativeDirective, nonce)
+        || checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse, const String& nonce) const
 {
     auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::styleSrcElem);
-    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+    if (checkNonce(operativeDirective, nonce)
+        || checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
     return operativeDirective;

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -47 +47 @@
 
     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeEval() const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForParserInsertedScript(ParserInserted) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScriptElement() const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScriptAttribute() const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleElement() const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleAttribute() const;
-
-    const ContentSecurityPolicyDirective* violatedDirectiveForScriptHash(const Vector<ContentSecurityPolicyHash>&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForStyleHash(const Vector<ContentSecurityPolicyHash>&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeHashScript(const Vector<ContentSecurityPolicyHash>&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeHashStyle(const Vector<ContentSecurityPolicyHash>&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForInlineJavascriptURL(const Vector<ContentSecurityPolicyHash>&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForInlineEventHandlers(const Vector<ContentSecurityPolicyHash>&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScriptElement(const String&, const Vector<ContentSecurityPolicyHash>&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForNonParserInsertedScripts(const String&, const Vector<ContentSecurityPolicyHash>&, const URL&, ParserInserted) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleElement(const String&, const Vector<ContentSecurityPolicyHash>&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleAttribute(const String&, const Vector<ContentSecurityPolicyHash>&) const;
 
     const ContentSecurityPolicyDirective* violatedDirectiveForScriptNonce(const String&) const;
@@ -76 +72 @@
     const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>&, const String&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse, const String&) const;
 
     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }