<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[171150] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/171150">171150</a></dd>
<dt>Author</dt> <dd>mkwst@chromium.org</dd>
<dt>Date</dt> <dd>2014-07-16 13:31:06 -0700 (Wed, 16 Jul 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Drop 'script-nonce' directive.
https://bugs.webkit.org/show_bug.cgi?id=134926
Reviewed by Darin Adler.
Source/WebCore:
This patch drops the outdated 'script-nonce' Content Security
Policy directive. It was removed from the spec, and replaced in
CSP2 with a new 'script-src' syntax. We should implement that
instead.
Until then, removing the outdated syntax will ensure that no one
ends up relying on it in WebKit's implementation.
This should have limited web-visible impact, as the feature is
behind the CSP_NEXT flag, which is not enabled by default.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScript):
(WebCore::ScriptElement::executeScript):
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::addDirective):
(WebCore::NonceDirective::NonceDirective): Deleted.
(WebCore::NonceDirective::allows): Deleted.
(WebCore::NonceDirective::parse): Deleted.
(WebCore::CSPDirectiveList::checkNonce): Deleted.
(WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
(WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
(WebCore::isAllowedByAllWithNonce): Deleted.
(WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
(WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.
* page/ContentSecurityPolicy.h:
LayoutTests:
Dropping the nonce tests, as we're removing the functionality.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCorepageContentSecurityPolicycpp">trunk/Source/WebCore/page/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepageContentSecurityPolicyh">trunk/Source/WebCore/page/ContentSecurityPolicy.h</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnoncehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncescriptsrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncescriptsrcblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceseparatorsallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceseparatorsallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/ChangeLog        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2014-07-16 Mike West <mkwst@chromium.org>
+
+ CSP: Drop 'script-nonce' directive.
+ https://bugs.webkit.org/show_bug.cgi?id=134926
+
+ Reviewed by Darin Adler.
+
+ Dropping the nonce tests, as we're removing the functionality.
+
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.
+
</ins><span class="cx"> 2014-07-16 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> [MSE] REGRESSION(r171033): ASSERT in WebCore::MediaSource::onReadyStateChange()
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceallowedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-ALERT: PASS (1/1)
-This tests the effect of a valid script-nonce value. It passes if no console warning is visible, and the alert() is executed.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceallowedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,19 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce noncynonce;">
- <script nonce="noncynonce">
- if (window.testRunner)
- testRunner.dumpAsText();
- </script>
- <script nonce="noncynonce">
- alert('PASS (1/1)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of a valid script-nonce value. It passes if
- no console warning is visible, and the alert() is executed.
- </p>
- </body>
-</html>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,9 +0,0 @@
</span><del>-ALERT: PASS (1/2)
-ALERT: PASS (2/2)
-CONSOLE MESSAGE: line 13: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-CONSOLE MESSAGE: line 16: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-CONSOLE MESSAGE: line 19: Refused to execute script because it violates the following Content Security Policy directive: "script-nonce noncynonce".
-
-This tests the effect of a valid script-nonce value. It passes if three console warnings are visible, and the two PASS alerts are executed.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceblockedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,30 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce noncynonce;">
- <script nonce="noncynonce">
- if (window.testRunner)
- testRunner.dumpAsText();
- alert('PASS (1/2)');
- </script>
- <script nonce=" noncynonce ">
- alert('PASS (2/2)');
- </script>
- <script nonce="noncynonce noncynonce">
- alert('FAIL (1/3)');
- </script>
- <script>
- alert('FAIL (2/3)');
- </script>
- <script nonce="noncynonceno?">
- alert('FAIL (3/3)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of a valid script-nonce value. It passes if
- three console warnings are visible, and the two PASS alerts are
- executed.
- </p>
- </body>
-</html>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,39 +0,0 @@
</span><del>-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
-
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: 'nonces have no spaces'.
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce nonces have no spaces".
-
-None of these scripts should execute, as all the nonces are invalid.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame3-->-->'
---------
-PASS
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnoncehtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,17 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
-<head>
-<script src='../resources/multiple-iframe-test.js'></script>
-<script>
-var tests = [
- ['no', 'script-src 127.0.0.1:8000; script-nonce;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
- ['no', 'script-src 127.0.0.1:8000; script-nonce nonces have no spaces;', 'resources/script.js', ''],
-];
-</script>
-</head>
-<body onload="testExperimentalPolicy()">
- <p>
- None of these scripts should execute, as all the nonces are invalid.
- </p>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncescriptsrcblockedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,27 +0,0 @@
</span><del>-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce nonce".
-
-CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce notnonce".
-
-None of these scripts should execute even though there are parse errors in the policy.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame3-->-->'
---------
-PASS
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncescriptsrcblockedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,17 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
-<head>
-<script src='../resources/multiple-iframe-test.js'></script>
-<script>
-var tests = [
- ['yes', 'script-src 127.0.0.1:8000', 'resources/script.js', 'nonce'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce nonce', 'resources/script.js', 'nonce'],
- ['no', 'script-src 127.0.0.1:8000; script-nonce nonce', 'resources/script.js', 'notnonce'],
- ['no', 'script-src 127.0.0.1:8000; script-nonce notnonce', 'resources/script.js', 'nonce'],
-];
-</script>
-</head>
-<body onload="testExperimentalPolicy()">
- <p>
- None of these scripts should execute even though there are parse errors in the policy.
- </p>
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceseparatorsallowedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,18 +0,0 @@
</span><del>-All of these scripts should execute, as all the nonces are valid.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceseparatorsallowedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,16 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
-<head>
-<script src='../resources/multiple-iframe-test.js'></script>
-<script>
-var tests = [
- ['yes', 'script-src 127.0.0.1:8000; script-nonce 1/1;', 'resources/script.js', '1/1'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce {};', 'resources/script.js', '{}'],
- ['yes', 'script-src 127.0.0.1:8000; script-nonce /\\;', 'resources/script.js', '/\\'],
-];
-</script>
-</head>
-<body onload="testExperimentalPolicy()">
- <p>
- All of these scripts should execute, as all the nonces are valid.
- </p>
</del></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/ChangeLog        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -1,3 +1,39 @@
</span><ins>+2014-07-16 Mike West <mkwst@chromium.org>
+
+ CSP: Drop 'script-nonce' directive.
+ https://bugs.webkit.org/show_bug.cgi?id=134926
+
+ Reviewed by Darin Adler.
+
+ This patch drops the outdated 'script-nonce' Content Security
+ Policy directive. It was removed from the spec, and replaced in
+ CSP2 with a new 'script-src' syntax. We should implement that
+ instead.
+
+ Until then, removing the outdated syntax will ensure that no one
+ ends up relying on it in WebKit's implementation.
+
+ This should have limited web-visible impact, as the feature is
+ behind the CSP_NEXT flag, which is not enabled by default.
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScript):
+ (WebCore::ScriptElement::executeScript):
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+ (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+ (WebCore::CSPDirectiveList::addDirective):
+ (WebCore::NonceDirective::NonceDirective): Deleted.
+ (WebCore::NonceDirective::allows): Deleted.
+ (WebCore::NonceDirective::parse): Deleted.
+ (WebCore::CSPDirectiveList::checkNonce): Deleted.
+ (WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
+ (WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
+ (WebCore::isAllowedByAllWithNonce): Deleted.
+ (WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
+ (WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.
+ * page/ContentSecurityPolicy.h:
+
</ins><span class="cx"> 2014-07-16 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION(r171069) 75% repro crash in WebCore::AudioHardwareListenerMac::processIsRunningChanged()
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -247,8 +247,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> if (!m_element.inDocument() || &m_element.document() != &originalDocument.get())
</span><span class="cx"> return false;
</span><del>- if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber, m_element.document().completeURL(sourceUrl)))
- return false;
</del><span class="cx">
</span><span class="cx"> ASSERT(!m_cachedScript);
</span><span class="cx"> if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
</span><span class="lines">@@ -282,9 +280,6 @@
</span><span class="cx"> if (sourceCode.isEmpty())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber))
- return;
-
</del><span class="cx"> if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber))
</span><span class="cx"> return;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -67,11 +67,6 @@
</span><span class="cx"> return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool isNonceCharacter(UChar c)
-{
- return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
-}
-
</del><span class="cx"> bool isSourceCharacter(UChar c)
</span><span class="cx"> {
</span><span class="cx"> return !isASCIISpace(c);
</span><span class="lines">@@ -124,7 +119,6 @@
</span><span class="cx"> static const char baseURI[] = "base-uri";
</span><span class="cx"> static const char formAction[] = "form-action";
</span><span class="cx"> static const char pluginTypes[] = "plugin-types";
</span><del>-static const char scriptNonce[] = "script-nonce";
</del><span class="cx"> #if ENABLE(CSP_NEXT)
</span><span class="cx"> static const char reflectedXSS[] = "reflected-xss";
</span><span class="cx"> #endif
</span><span class="lines">@@ -146,7 +140,6 @@
</span><span class="cx"> || equalIgnoringCase(name, baseURI)
</span><span class="cx"> || equalIgnoringCase(name, formAction)
</span><span class="cx"> || equalIgnoringCase(name, pluginTypes)
</span><del>- || equalIgnoringCase(name, scriptNonce)
</del><span class="cx"> || equalIgnoringCase(name, reflectedXSS)
</span><span class="cx"> #endif
</span><span class="cx"> );
</span><span class="lines">@@ -664,51 +657,6 @@
</span><span class="cx"> ContentSecurityPolicy* m_policy;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-class NonceDirective : public CSPDirective {
-public:
- NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
- : CSPDirective(name, value, policy)
- {
- parse(value);
- }
-
- bool allows(const String& nonce) const
- {
- return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
- }
-
-private:
- void parse(const String& value)
- {
- String nonce;
- auto characters = StringView(value).upconvertedCharacters();
- const UChar* position = characters;
- const UChar* end = position + value.length();
-
- skipWhile<isASCIISpace>(position, end);
- const UChar* nonceBegin = position;
- if (position == end) {
- policy()->reportInvalidNonce(String());
- m_scriptNonce = "";
- return;
- }
- skipWhile<isNonceCharacter>(position, end);
- if (nonceBegin < position)
- nonce = String(nonceBegin, position - nonceBegin);
-
- // Trim off trailing whitespace: If we're not at the end of the string, log
- // an error.
- skipWhile<isASCIISpace>(position, end);
- if (position < end) {
- policy()->reportInvalidNonce(value);
- m_scriptNonce = "";
- } else
- m_scriptNonce = nonce;
- }
-
- String m_scriptNonce;
-};
-
</del><span class="cx"> class MediaListDirective : public CSPDirective {
</span><span class="cx"> public:
</span><span class="cx"> MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
</span><span class="lines">@@ -821,7 +769,6 @@
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
</span><del>- bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL&) const;
</del><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">
</span><span class="cx"> bool allowScriptFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="lines">@@ -846,7 +793,6 @@
</span><span class="cx">
</span><span class="cx"> bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
</span><span class="cx"> void parseReportURI(const String& name, const String& value);
</span><del>- void parseScriptNonce(const String& name, const String& value);
</del><span class="cx"> void parsePluginTypes(const String& name, const String& value);
</span><span class="cx"> void parseReflectedXSS(const String& name, const String& value);
</span><span class="cx"> void addDirective(const String& name, const String& value);
</span><span class="lines">@@ -860,7 +806,6 @@
</span><span class="cx">
</span><span class="cx"> bool checkEval(SourceListDirective*) const;
</span><span class="cx"> bool checkInline(SourceListDirective*) const;
</span><del>- bool checkNonce(NonceDirective*, const String&) const;
</del><span class="cx"> bool checkSource(SourceListDirective*, const URL&) const;
</span><span class="cx"> bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
</span><span class="cx">
</span><span class="lines">@@ -868,7 +813,6 @@
</span><span class="cx">
</span><span class="cx"> bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = 0) const;
</span><span class="cx"> bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
</span><del>- bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
</del><span class="cx">
</span><span class="cx"> bool checkSourceAndReportViolation(SourceListDirective*, const URL&, const String& effectiveDirective) const;
</span><span class="cx"> bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
</span><span class="lines">@@ -885,7 +829,6 @@
</span><span class="cx"> ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
</span><span class="cx">
</span><span class="cx"> std::unique_ptr<MediaListDirective> m_pluginTypes;
</span><del>- std::unique_ptr<NonceDirective> m_scriptNonce;
</del><span class="cx"> std::unique_ptr<SourceListDirective> m_baseURI;
</span><span class="cx"> std::unique_ptr<SourceListDirective> m_connectSrc;
</span><span class="cx"> std::unique_ptr<SourceListDirective> m_defaultSrc;
</span><span class="lines">@@ -945,11 +888,6 @@
</span><span class="cx"> return !directive || directive->allowInline();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
-{
- return !directive || directive->allows(nonce);
-}
-
</del><span class="cx"> bool CSPDirectiveList::checkSource(SourceListDirective* directive, const URL& url) const
</span><span class="cx"> {
</span><span class="cx"> return !directive || directive->allows(url);
</span><span class="lines">@@ -986,14 +924,6 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
- if (checkNonce(directive, nonce))
- return true;
- reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", URL(), contextURL, contextLine);
- return denyIfEnforcingPolicy();
-}
-
</del><span class="cx"> bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* directive, const String& type, const String& typeAttribute, const String& consoleMessage) const
</span><span class="cx"> {
</span><span class="cx"> if (checkMediaType(directive, type, typeAttribute))
</span><span class="lines">@@ -1064,25 +994,17 @@
</span><span class="cx"> bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")));
</span><del>- if (reportingStatus == ContentSecurityPolicy::SendReport) {
- return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
- && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
- } else {
- return (checkInline(operativeDirective(m_scriptSrc.get()))
- && checkNonce(m_scriptNonce.get(), String()));
- }
</del><ins>+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+ : checkInline(operativeDirective(m_scriptSrc.get()));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
</span><del>- if (reportingStatus == ContentSecurityPolicy::SendReport) {
- return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
- && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
- } else {
- return (checkInline(operativeDirective(m_scriptSrc.get()))
- && checkNonce(m_scriptNonce.get(), String()));
- }
</del><ins>+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+ : checkInline(operativeDirective(m_scriptSrc.get()));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="lines">@@ -1109,14 +1031,6 @@
</span><span class="cx"> checkEval(operativeDirective(m_scriptSrc.get()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
- DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute script because it violates the following Content Security Policy directive: ")));
- if (url.isEmpty())
- return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
- return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
-}
-
</del><span class="cx"> bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> return reportingStatus == ContentSecurityPolicy::SendReport ?
</span><span class="lines">@@ -1415,8 +1329,6 @@
</span><span class="cx"> setCSPDirective<SourceListDirective>(name, value, m_formAction);
</span><span class="cx"> else if (equalIgnoringCase(name, pluginTypes))
</span><span class="cx"> setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
</span><del>- else if (equalIgnoringCase(name, scriptNonce))
- setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
</del><span class="cx"> else if (equalIgnoringCase(name, reflectedXSS))
</span><span class="cx"> parseReflectedXSS(name, value);
</span><span class="cx"> else
</span><span class="lines">@@ -1516,16 +1428,6 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const URL&) const>
-bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url)
-{
- for (size_t i = 0; i < policies.size(); ++i) {
- if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
- return false;
- }
- return true;
-}
-
</del><span class="cx"> template<bool (CSPDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
</span><span class="cx"> bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
</span><span class="cx"> {
</span><span class="lines">@@ -1575,11 +1477,6 @@
</span><span class="cx"> return String();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
- return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
-}
-
</del><span class="cx"> bool ContentSecurityPolicy::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> for (size_t i = 0; i < m_policies.size(); ++i) {
</span><span class="lines">@@ -1845,12 +1742,6 @@
</span><span class="cx"> logToConsole(message);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
-{
- String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
- logToConsole(message);
-}
-
</del><span class="cx"> void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
</span><span class="cx"> {
</span><span class="cx"> String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains an invalid source: '", source, "'. It will be ignored.");
</span></span></pre></div>
<a id="trunkSourceWebCorepageContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (171149 => 171150)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/ContentSecurityPolicy.h        2014-07-16 19:10:22 UTC (rev 171149)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h        2014-07-16 20:31:06 UTC (rev 171150)
</span><span class="lines">@@ -89,7 +89,6 @@
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
</span><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
</span><span class="cx"> bool allowEval(JSC::ExecState* = 0, ReportingStatus = SendReport) const;
</span><del>- bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& = URL()) const;
</del><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ReportingStatus = SendReport) const;
</span><span class="cx">
</span><span class="cx"> bool allowScriptFromSource(const URL&, ReportingStatus = SendReport) const;
</span><span class="lines">@@ -114,7 +113,6 @@
</span><span class="cx"> void reportDuplicateDirective(const String&) const;
</span><span class="cx"> void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
</span><span class="cx"> void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
</span><del>- void reportInvalidNonce(const String&) const;
</del><span class="cx"> void reportInvalidPluginTypes(const String&) const;
</span><span class="cx"> void reportInvalidSandboxFlags(const String&) const;
</span><span class="cx"> void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
</span></span></pre>
</div>
</div>
</body>
</html>