Changeset 125614 in webkit
- Timestamp:
- Aug 14, 2012 3:27:08 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 3 edited
trunk/LayoutTests/ChangeLog
r125613 r125614 1 2012-08-14 Mike West <mkwst@chromium.org> 2 3 Tighten up parsing the 'script-nonce' CSP directive value. 4 https://bugs.webkit.org/show_bug.cgi?id=93783 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Added. 10 1 11 2012-08-14 Adam Barth <abarth@webkit.org> 2 12 -
trunk/Source/WebCore/ChangeLog
r125613 r125614 1 2012-08-14 Mike West <mkwst@chromium.org> 2 3 Tighten up parsing the 'script-nonce' CSP directive value. 4 https://bugs.webkit.org/show_bug.cgi?id=93783 5 6 Reviewed by Adam Barth. 7 8 Currently we're accepting any non-whitespace character. This patch 9 limits the valid characters to VCHAR minus ',' and ';', and pulls the 10 validity check out into a named function for clarity. 11 12 Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html 13 14 * page/ContentSecurityPolicy.cpp: 15 (WebCore::CSPDirectiveList::parseScriptNonce): 16 1 17 2012-08-14 Adam Barth <abarth@webkit.org> 2 18 -
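--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -62,4 +62,9 @@
 }
 
+bool isNonceCharacter(UChar c)
+{
+return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
+}
+
 bool isSourceCharacter(UChar c)
 {
@@ -999,5 +1004,5 @@
 return;
 }
-skipWhile<isNo tASCIISpace>(position, end);
+skipWhile<isNonceCharacter>(position, end);
 if (nonceBegin < position)
 nonce = String(nonceBegin, position - nonceBegin);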
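Review bot: In the second hunk, `skipWhile<isNonceCharacter>(position, end)` can now stop in the middle of a token (at ',' or ';' or any character outside 0x21–0x7e), and the visible lines still copy the prefix before that point into `nonce`. parseScriptNonce starts before and continues past this hunk, so whether the leftover input is rejected cannot be confirmed from here; if it is not, a value such as `abc,def` (constructed example) would be enforced as the truncated nonce `abc`. I would state the fail-closed expectation next to the call, e.g. `// Stops at the first non-nonce character; anything left besides trailing whitespace must invalidate the whole directive.`, and add a negative layout test alongside scriptnonce-separators-allowed.html that asserts a value containing a separator is not accepted as a shortened nonce.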