Log Message
CSP: Drop 'script-nonce' directive. https://bugs.webkit.org/show_bug.cgi?id=134926
Reviewed by Darin Adler. Source/WebCore: This patch drops the outdated 'script-nonce' Content Security Policy directive. It was removed from the spec, and replaced in CSP2 with a new 'script-src' syntax. We should implement that instead. Until then, removing the outdated syntax will ensure that no one ends up relying on it in WebKit's implementation. This should have limited web-visible impact, as the feature is behind the CSP_NEXT flag, which is not enabled by default. * dom/ScriptElement.cpp: (WebCore::ScriptElement::requestScript): (WebCore::ScriptElement::executeScript): * page/ContentSecurityPolicy.cpp: (WebCore::CSPDirectiveList::allowJavaScriptURLs): (WebCore::CSPDirectiveList::allowInlineEventHandlers): (WebCore::CSPDirectiveList::addDirective): (WebCore::NonceDirective::NonceDirective): Deleted. (WebCore::NonceDirective::allows): Deleted. (WebCore::NonceDirective::parse): Deleted. (WebCore::CSPDirectiveList::checkNonce): Deleted. (WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted. (WebCore::CSPDirectiveList::allowScriptNonce): Deleted. (WebCore::isAllowedByAllWithNonce): Deleted. (WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted. (WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted. * page/ContentSecurityPolicy.h: LayoutTests: Dropping the nonce tests, as we're removing the functionality. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed. * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/dom/ScriptElement.cpp
- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
- trunk/Source/WebCore/page/ContentSecurityPolicy.h
Removed Paths
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html
Diff
Modified: trunk/LayoutTests/ChangeLog (171149 => 171150)
--- trunk/LayoutTests/ChangeLog 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/ChangeLog 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,3 +1,23 @@
+2014-07-16 Mike West <[email protected]>
+
+ CSP: Drop 'script-nonce' directive.
+ https://bugs.webkit.org/show_bug.cgi?id=134926
+
+ Reviewed by Darin Adler.
+
+ Dropping the nonce tests, as we're removing the functionality.
+
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.
+
2014-07-16 Jer Noble <[email protected]>
[MSE] REGRESSION(r171033): ASSERT in WebCore::MediaSource::onReadyStateChange()
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,2 +0,0 @@
-ALERT: PASS (1/1)
-This tests the effect of a valid script-nonce value. It passes if no console warning is visible, and the alert() is executed.
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce noncynonce;">
- <script nonce="noncynonce">
- if (window.testRunner)
- testRunner.dumpAsText();
- </script>
- <script nonce="noncynonce">
- alert('PASS (1/1)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of a valid script-nonce value. It passes if
- no console warning is visible, and the alert() is executed.
- </p>
- </body>
-</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,9 +0,0 @@
-ALERT: PASS (1/2)
-ALERT: PASS (2/2)
-CONSOLE MESSAGE: line 13: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-CONSOLE MESSAGE: line 16: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-CONSOLE MESSAGE: line 19: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-This tests the effect of a valid script-nonce value. It passes if three console warnings are visible, and the two PASS alerts are executed.
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,30 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce noncynonce;">
- <script nonce="noncynonce">
- if (window.testRunner)
- testRunner.dumpAsText();
- alert('PASS (1/2)');
- </script>
- <script nonce=" noncynonce ">
- alert('PASS (2/2)');
- </script>
- <script nonce="noncynonce noncynonce">
- alert('FAIL (1/3)');
- </script>
- <script>
- alert('FAIL (2/3)');
- </script>
- <script nonce="noncynonceno?">
- alert('FAIL (3/3)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of a valid script-nonce value. It passes if
- three console warnings are visible, and the two PASS alerts are
- executed.
- </p>
- </body>
-</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,39 +0,0 @@
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: 'nonces have no spaces'.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce nonces have no spaces".
-
-None of these scripts should execute, as all the nonces are invalid.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame3-->-->'
---------
-PASS
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,17 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=''></script>
-<script>
-var tests = [
- ['no', 'script-src 127.0.0.1:8000; script-nonce;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce nonces have no spaces;', 'resources/script.js', ''],
-];
-</script>
-</head>
-<body _onload_="testExperimentalPolicy()">
- <p>
- None of these scripts should execute, as all the nonces are invalid.
- </p>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,27 +0,0 @@
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce nonce".
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce notnonce".
-
-None of these scripts should execute even though there are parse errors in the policy.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame3-->-->'
---------
-PASS
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,17 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=''></script>
-<script>
-var tests = [
- ['yes', 'script-src 127.0.0.1:8000', 'resources/script.js', 'nonce'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce nonce', 'resources/script.js', 'nonce'],
- ['no', 'script-src 127.0.0.1:8000; script-nonce nonce', 'resources/script.js', 'notnonce'],
- ['no', 'script-src 127.0.0.1:8000; script-nonce notnonce', 'resources/script.js', 'nonce'],
-];
-</script>
-</head>
-<body _onload_="testExperimentalPolicy()">
- <p>
- None of these scripts should execute even though there are parse errors in the policy.
- </p>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,18 +0,0 @@
-All of these scripts should execute, as all the nonces are valid.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html (171149 => 171150)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,16 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=''></script>
-<script>
-var tests = [
- ['yes', 'script-src 127.0.0.1:8000; script-nonce 1/1;', 'resources/script.js', '1/1'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce {};', 'resources/script.js', '{}'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce /\\;', 'resources/script.js', '/\\'],
-];
-</script>
-</head>
-<body _onload_="testExperimentalPolicy()">
- <p>
- All of these scripts should execute, as all the nonces are valid.
- </p>
Modified: trunk/Source/WebCore/ChangeLog (171149 => 171150)
--- trunk/Source/WebCore/ChangeLog 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/ChangeLog 2014-07-16 20:31:06 UTC (rev 171150)
@@ -1,3 +1,39 @@
+2014-07-16 Mike West <[email protected]>
+
+ CSP: Drop 'script-nonce' directive.
+ https://bugs.webkit.org/show_bug.cgi?id=134926
+
+ Reviewed by Darin Adler.
+
+ This patch drops the outdated 'script-nonce' Content Security
+ Policy directive. It was removed from the spec, and replaced in
+ CSP2 with a new 'script-src' syntax. We should implement that
+ instead.
+
+ Until then, removing the outdated syntax will ensure that no one
+ ends up relying on it in WebKit's implementation.
+
+ This should have limited web-visible impact, as the feature is
+ behind the CSP_NEXT flag, which is not enabled by default.
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScript):
+ (WebCore::ScriptElement::executeScript):
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+ (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+ (WebCore::CSPDirectiveList::addDirective):
+ (WebCore::NonceDirective::NonceDirective): Deleted.
+ (WebCore::NonceDirective::allows): Deleted.
+ (WebCore::NonceDirective::parse): Deleted.
+ (WebCore::CSPDirectiveList::checkNonce): Deleted.
+ (WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
+ (WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
+ (WebCore::isAllowedByAllWithNonce): Deleted.
+ (WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
+ (WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.
+ * page/ContentSecurityPolicy.h:
+
2014-07-16 Jer Noble <[email protected]>
REGRESSION(r171069) 75% repro crash in WebCore::AudioHardwareListenerMac::processIsRunningChanged()
Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (171149 => 171150)
--- trunk/Source/WebCore/dom/ScriptElement.cpp 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2014-07-16 20:31:06 UTC (rev 171150)
@@ -247,8 +247,6 @@
return false;
if (!m_element.inDocument() || &m_element.document() != &originalDocument.get())
return false;
- if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber, m_element.document().completeURL(sourceUrl)))
- return false;
ASSERT(!m_cachedScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
@@ -282,9 +280,6 @@
if (sourceCode.isEmpty())
return;
- if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber))
- return;
-
if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber))
return;
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (171149 => 171150)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2014-07-16 20:31:06 UTC (rev 171150)
@@ -67,11 +67,6 @@
return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
}
-bool isNonceCharacter(UChar c)
-{
- return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
-}
-
bool isSourceCharacter(UChar c)
{
return !isASCIISpace(c);
@@ -124,7 +119,6 @@
static const char baseURI[] = "base-uri";
static const char formAction[] = "form-action";
static const char pluginTypes[] = "plugin-types";
-static const char scriptNonce[] = "script-nonce";
#if ENABLE(CSP_NEXT)
static const char reflectedXSS[] = "reflected-xss";
#endif
@@ -146,7 +140,6 @@
|| equalIgnoringCase(name, baseURI)
|| equalIgnoringCase(name, formAction)
|| equalIgnoringCase(name, pluginTypes)
- || equalIgnoringCase(name, scriptNonce)
|| equalIgnoringCase(name, reflectedXSS)
#endif
);
@@ -664,51 +657,6 @@
ContentSecurityPolicy* m_policy;
};
-class NonceDirective : public CSPDirective {
-public:
- NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
- : CSPDirective(name, value, policy)
- {
- parse(value);
- }
-
- bool allows(const String& nonce) const
- {
- return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
- }
-
-private:
- void parse(const String& value)
- {
- String nonce;
- auto characters = StringView(value).upconvertedCharacters();
- const UChar* position = characters;
- const UChar* end = position + value.length();
-
- skipWhile<isASCIISpace>(position, end);
- const UChar* nonceBegin = position;
- if (position == end) {
- policy()->reportInvalidNonce(String());
- m_scriptNonce = "";
- return;
- }
- skipWhile<isNonceCharacter>(position, end);
- if (nonceBegin < position)
- nonce = String(nonceBegin, position - nonceBegin);
-
- // Trim off trailing whitespace: If we're not at the end of the string, log
- // an error.
- skipWhile<isASCIISpace>(position, end);
- if (position < end) {
- policy()->reportInvalidNonce(value);
- m_scriptNonce = "";
- } else
- m_scriptNonce = nonce;
- }
-
- String m_scriptNonce;
-};
-
class MediaListDirective : public CSPDirective {
public:
MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
@@ -821,7 +769,6 @@
bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
- bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL&) const;
bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowScriptFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
@@ -846,7 +793,6 @@
bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
void parseReportURI(const String& name, const String& value);
- void parseScriptNonce(const String& name, const String& value);
void parsePluginTypes(const String& name, const String& value);
void parseReflectedXSS(const String& name, const String& value);
void addDirective(const String& name, const String& value);
@@ -860,7 +806,6 @@
bool checkEval(SourceListDirective*) const;
bool checkInline(SourceListDirective*) const;
- bool checkNonce(NonceDirective*, const String&) const;
bool checkSource(SourceListDirective*, const URL&) const;
bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
@@ -868,7 +813,6 @@
bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = 0) const;
bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
- bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
bool checkSourceAndReportViolation(SourceListDirective*, const URL&, const String& effectiveDirective) const;
bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
@@ -885,7 +829,6 @@
ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
std::unique_ptr<MediaListDirective> m_pluginTypes;
- std::unique_ptr<NonceDirective> m_scriptNonce;
std::unique_ptr<SourceListDirective> m_baseURI;
std::unique_ptr<SourceListDirective> m_connectSrc;
std::unique_ptr<SourceListDirective> m_defaultSrc;
@@ -945,11 +888,6 @@
return !directive || directive->allowInline();
}
-bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
-{
- return !directive || directive->allows(nonce);
-}
-
bool CSPDirectiveList::checkSource(SourceListDirective* directive, const URL& url) const
{
return !directive || directive->allows(url);
@@ -986,14 +924,6 @@
return true;
}
-bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
- if (checkNonce(directive, nonce))
- return true;
- reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", URL(), contextURL, contextLine);
- return denyIfEnforcingPolicy();
-}
-
bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* directive, const String& type, const String& typeAttribute, const String& consoleMessage) const
{
if (checkMediaType(directive, type, typeAttribute))
@@ -1064,25 +994,17 @@
bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: ")));
- if (reportingStatus == ContentSecurityPolicy::SendReport) {
- return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
- && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
- } else {
- return (checkInline(operativeDirective(m_scriptSrc.get()))
- && checkNonce(m_scriptNonce.get(), String()));
- }
+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+ : checkInline(operativeDirective(m_scriptSrc.get()));
}
bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
- if (reportingStatus == ContentSecurityPolicy::SendReport) {
- return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
- && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
- } else {
- return (checkInline(operativeDirective(m_scriptSrc.get()))
- && checkNonce(m_scriptNonce.get(), String()));
- }
+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+ : checkInline(operativeDirective(m_scriptSrc.get()));
}
bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1109,14 +1031,6 @@
checkEval(operativeDirective(m_scriptSrc.get()));
}
-bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
- DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute script because it violates the following Content Security Policy directive: ")));
- if (url.isEmpty())
- return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
- return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
-}
-
bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
return reportingStatus == ContentSecurityPolicy::SendReport ?
@@ -1415,8 +1329,6 @@
setCSPDirective<SourceListDirective>(name, value, m_formAction);
else if (equalIgnoringCase(name, pluginTypes))
setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
- else if (equalIgnoringCase(name, scriptNonce))
- setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
else if (equalIgnoringCase(name, reflectedXSS))
parseReflectedXSS(name, value);
else
@@ -1516,16 +1428,6 @@
return true;
}
-template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const URL&) const>
-bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url)
-{
- for (size_t i = 0; i < policies.size(); ++i) {
- if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
- return false;
- }
- return true;
-}
-
template<bool (CSPDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
{
@@ -1575,11 +1477,6 @@
return String();
}
-bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
- return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
-}
-
bool ContentSecurityPolicy::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
for (size_t i = 0; i < m_policies.size(); ++i) {
@@ -1845,12 +1742,6 @@
logToConsole(message);
}
-void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
-{
- String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
- logToConsole(message);
-}
-
void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
{
String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains an invalid source: '", source, "'. It will be ignored.");
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (171149 => 171150)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2014-07-16 20:31:06 UTC (rev 171150)
@@ -89,7 +89,6 @@
bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
bool allowEval(JSC::ExecState* = 0, ReportingStatus = SendReport) const;
- bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& = URL()) const;
bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ReportingStatus = SendReport) const;
bool allowScriptFromSource(const URL&, ReportingStatus = SendReport) const;
@@ -114,7 +113,6 @@
void reportDuplicateDirective(const String&) const;
void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
- void reportInvalidNonce(const String&) const;
void reportInvalidPluginTypes(const String&) const;
void reportInvalidSandboxFlags(const String&) const;
void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
_______________________________________________ webkit-changes mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-changes
