RandomHuman/Mypal
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix whitelisting of JavaScript-uris by CSP hash.

Browse Source
This commit is contained in:
Fedor 2019-09-20 13:14:30 +03:00
parent 34eb8aadc5
commit f8c19e8744
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
dom/security/nsCSPContext.cpp
View File

@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
bool allowed =
mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
// If the inlined script or style is allowed by either unsafe-inline or the
// nonce, go ahead and shortcut this loop.
if (allowed) {
continue;
}
// Check if the csp-hash matches against the hash of the script.
// If we don't have any content to check, block the script.
if (!aContent.IsEmpty()) {
allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
}
if (!allowed) {
// policy is violoated: deny the load unless policy is report only and