<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197944] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197944">197944</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-10 10:30:38 -0800 (Thu, 10 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Implement support for script and style nonces
https://bugs.webkit.org/show_bug.cgi?id=116508
<rdar://problem/24963980>
Reviewed by Brent Fulgham.
Source/WebCore:
Add support for script-src and style-src nonces as per sections Nonce usage for script elements
and Nonce usage for style elements of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
* dom/InlineStyleSheetOwner.cpp:
(WebCore::InlineStyleSheetOwner::createSheet): Check if the nonce for an HTML style element matches a known nonce.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScript): Check if the nonce for an HTML script element for an external JavaScript
script matches a known nonce. If it does then skip subsequent checks of the Content Security Policy when loading
the script.
(WebCore::ScriptElement::executeScript): Check if the nonce for an HTML script element for an inline JavaScript
script matches a known nonce.
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process): Check if the nonce for an HTML link element matches a known nonce. If it does
then skip subsequent checks of the Content Security Policy when loading the stylesheet.
* html/HTMLScriptElement.idl: Unconditionally expose attribute nonce.
* html/HTMLStyleElement.idl: Ditto.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::isAllowedByAllWithNonce):
(WebCore::ContentSecurityPolicy::allowScriptWithNonce): Check if the nonce attribute value of a script element
matches a known nonce. This function delegates the check to ContentSecurityPolicyDirectiveList::allowScriptWithNonce().
(WebCore::ContentSecurityPolicy::allowStyleWithNonce): Check if the nonce attribute value of a style/link element
matches a known nonce. This function delegates the check to ContentSecurityPolicyDirectiveList::allowStyleWithNonce().
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkNonce): Checks if the directive allows the specified nonce.
(WebCore::ContentSecurityPolicyDirectiveList::allowScriptWithNonce): Check if the specified nonce is in
the source list of the script-src directive (if specified) or the source list of the default-src directive (if specified).
(WebCore::ContentSecurityPolicyDirectiveList::allowStyleWithNonce): Check if the specified nonce is in
the source list of the style-src directive (if specified) or the source list of the default-src directive (if specified).
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matches): Returns whether the specified nonce is in the HashSet of
nonces for the directive.
(WebCore::ContentSecurityPolicySourceList::parse): Modified to call ContentSecurityPolicySourceList::parseNonceSource()
to parse a nonce source expression.
(WebCore::isBase64Character): Moved function to be above function ContentSecurityPolicySourceList::parseNonceSource()
so that it can referenced from both ContentSecurityPolicySourceList::parseNonceSource() and ContentSecurityPolicySourceList::parseHashSource().
(WebCore::isNonceCharacter): Added. Matches Blink's definition of a valid nonce character. This definition differs
from the definition in the Content Security Policy Level 3 spec., <https://w3c.github.io/webappsec-csp/> (29 February 2016).
(WebCore::ContentSecurityPolicySourceList::parseNonceSource): Parses a source expression for a nonce value.
* page/csp/ContentSecurityPolicySourceList.h:
(WebCore::ContentSecurityPolicySourceList::allowInline): We only allow inline scripts/stylesheets if
'unsafe-inline' was specified in the source list and the source list does not contain any hash sources
or nonce sources.
* page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::allows): Checks if the specified nonce is in the source list.
* page/csp/ContentSecurityPolicySourceListDirective.h:
LayoutTests:
Update expected results due to differences between Blink and WebKit violation message formats.
Additionally mark script- and style- nonce tests as PASS in LayoutTests/TestExpectations so
that we run them.
* TestExpectations:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Also update result
to reflect that we consider "'n-" an invalid source expression (as expected).
* http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt:</pre>
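<p>The decision logic the log message describes, written out as an added, self-contained C++ model. This is not WebKit code and none of the names below (SourceList, Policy, parseSourceList, parsePolicy, allowsInline, allowsInlineUnder, ignoredSourceCount) exist in WebCore; the nonce character set it accepts (the base64 alphabet plus '=' padding) is an assumption, since the ChangeLog only says WebKit follows Blink's definition rather than the CSP 3 draft's. It goes slightly beyond the log message by also showing the default-src fallback and the rule that 'unsafe-inline' is ignored once a hash or nonce source is present, and it uses the policies from the layout tests on this page as its sample input.</p>

```cpp
// Added example, not WebKit code: a compact model of the CSP 2.0 source-list rules
// this changeset implements for inline scripts and styles. Every name below
// (SourceList, Policy, parsePolicy, allowsInline, ...) is hypothetical.
#include <algorithm>
#include <cctype>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct SourceList {
    std::set<std::string> nonces;      // values taken from 'nonce-<value>' sources
    bool hasHashSource = false;        // a 'sha256-'/'sha384-'/'sha512-' source was seen
    bool unsafeInline = false;         // the 'unsafe-inline' keyword was seen
    std::vector<std::string> ignored;  // malformed sources, dropped with a console warning
};
using Policy = std::map<std::string, SourceList>;  // directive name -> parsed source list

// Assumed nonce alphabet: base64 text (letters, digits, '+', '/') plus '=' padding.
static bool isNonceCharacter(char c) {
    return std::isalnum(static_cast<unsigned char>(c)) != 0 || c == '+' || c == '/' || c == '=';
}

static bool isValidNonceValue(const std::string& value) {
    return !value.empty() && std::all_of(value.begin(), value.end(), isNonceCharacter);
}

// Parses one directive value such as "'nonce-abc' 'unsafe-inline' 'self'".
// Host and scheme sources are skipped: they never affect the inline decision.
SourceList parseSourceList(const std::string& value) {
    SourceList list;
    std::istringstream tokens(value);
    std::string token;
    while (tokens >> token) {
        if (token.front() != '\'')
            continue;
        if (token.size() < 3 || token.back() != '\'') {
            list.ignored.push_back(token);   // e.g. "'n": unterminated keyword source
            continue;
        }
        std::string keyword = token.substr(1, token.size() - 2);
        if (keyword == "self" || keyword == "none" || keyword == "unsafe-eval")
            continue;   // recognised keywords that do not bear on the inline decision
        if (keyword == "unsafe-inline")
            list.unsafeInline = true;
        else if (keyword.compare(0, 6, "nonce-") == 0 && isValidNonceValue(keyword.substr(6)))
            list.nonces.insert(keyword.substr(6));
        else if (keyword.compare(0, 7, "sha256-") == 0 || keyword.compare(0, 7, "sha384-") == 0
                 || keyword.compare(0, 7, "sha512-") == 0)
            list.hasHashSource = true;
        else
            list.ignored.push_back(token);   // e.g. "'nonce'" or "'nonce-'" (empty value)
    }
    return list;
}

// Parses a whole policy: ';'-separated directives, each "name source source...".
Policy parsePolicy(const std::string& policyText) {
    Policy policy;
    std::istringstream parts(policyText);
    std::string directive;
    while (std::getline(parts, directive, ';')) {
        std::istringstream fields(directive);
        std::string name, rest;
        if (!(fields >> name))
            continue;
        std::getline(fields, rest);
        policy[name] = parseSourceList(rest);
    }
    return policy;
}

// Decides whether an inline script ("script-src") or style ("style-src") carrying the
// given nonce attribute may be used. The specific directive governs; if it is absent,
// default-src does; if neither is present the policy imposes no restriction.
bool allowsInline(const Policy& policy, const std::string& directiveName,
                  const std::string& nonceAttribute) {
    auto it = policy.find(directiveName);
    if (it == policy.end())
        it = policy.find("default-src");
    if (it == policy.end())
        return true;
    const SourceList& list = it->second;
    if (!nonceAttribute.empty() && list.nonces.count(nonceAttribute))
        return true;   // the allowScriptWithNonce()/allowStyleWithNonce() path
    // allowInline(): 'unsafe-inline' counts only when no hash or nonce source is present.
    return list.unsafeInline && !list.hasHashSource && list.nonces.empty();
}

// One-call helpers: parse the policy text and decide, or count dropped sources.
bool allowsInlineUnder(const std::string& policyText, const std::string& directiveName,
                       const std::string& nonceAttribute) {
    return allowsInline(parsePolicy(policyText), directiveName, nonceAttribute);
}

std::size_t ignoredSourceCount(const std::string& policyText, const std::string& directiveName) {
    Policy policy = parsePolicy(policyText);
    auto it = policy.find(directiveName);
    return it == policy.end() ? 0 : it->second.ignored.size();
}
```

<p>Run against the policies from the layout tests on this page, the model reproduces their expectations: under "script-src 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'" an inline script with no nonce attribute is refused even though 'unsafe-inline' is present, while one with nonce="noncy+/=nonce" runs; under "script-src 'n" the lone source is dropped as malformed and nothing inline is allowed; under "style-src 'self'" no nonce attribute helps, because the list contains no nonce source to match.</p>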
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncebasicblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceignoreunsafeinlineexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomInlineStyleSheetOwnercpp">trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLLinkElementcpp">trunk/Source/WebCore/html/HTMLLinkElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLScriptElementidl">trunk/Source/WebCore/html/HTMLScriptElement.idl</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLStyleElementidl">trunk/Source/WebCore/html/HTMLStyleElement.idl</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/ChangeLog        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement support for script and style nonces
+ https://bugs.webkit.org/show_bug.cgi?id=116508
+ <rdar://problem/24963980>
+
+ Reviewed by Brent Fulgham.
+
+ Update expected results due to differences between Blink and WebKit violation message formats.
+
+ Additionally mark script- and style- nonce tests as PASS in LayoutTests/TestExpectations so
+ that we run them.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Also update result
+ to reflect that we consider "'n-" an invalid source expression (as expected).
+ * http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt:
+
</ins><span class="cx"> 2016-03-10 David Kilzer <ddkilzer@apple.com>
</span><span class="cx">
</span><span class="cx"> [iOS] DumpRenderTree crashes when accessing window.testRunner.inspectorTestStubURL
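Review bot: the scriptnonce-invalidnonce-expected.txt entry says the test shows that "'n-" is treated as an invalid source expression, but the expectation file this patch rewrites reports the ignored source as ''n' (no trailing dash) and the refusal quotes the policy as "script-src 'n". Either the ChangeLog should say "'n" or the test should feed the value the ChangeLog names; as written the two disagree about what was tested.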
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/TestExpectations        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -826,6 +826,13 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/scripthash-malformed.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/scriptnonce-redirect.html [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html [ Pass ]
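Review bot: scriptnonce-allowed.html, scriptnonce-blocked.html and scriptnonce-redirect.html are switched to [ Pass ] here, yet none of their -expected.txt files appears in the Modified Paths, while every other nonce test in this patch needed its expectation rewritten for WebKit's violation-message format. Confirm their existing expectations already match WebKit output, and give scriptnonce-redirect.html a second look in particular: per the WebCore ChangeLog a matching nonce in ScriptElement::requestScript() skips the subsequent CSP checks when loading the script, so that test is the one that pins down what happens to a nonce-allowed script across a redirect.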
</span><span class="lines">@@ -834,6 +841,8 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked.html [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-affects-child.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-mismatched-data.html [ Pass ]
</span><span class="lines">@@ -860,6 +869,8 @@
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-error-event.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html
</span><ins>+webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylenonce-basic-blocked-error-event.html
+webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylenonce-svg-style-basic-blocked-error-event.html
</ins><span class="cx"> webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
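Review bot: the two new stylenonce error-event lines are filed under webkit.org/b/153155 next to the existing hash error-event entries, but the LayoutTests ChangeLog only says the nonce tests were marked PASS and lists the -expected.txt files; it does not mention these two or why they are tracked under bug 153155 instead of being run as Pass. Add a sentence to the ChangeLog so the grouping is recorded alongside the other TestExpectations changes.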
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,8 +1,8 @@
</span><span class="cx"> ALERT: PASS (1/3)
</span><span class="cx"> ALERT: PASS (2/3)
</span><span class="cx"> ALERT: PASS (3/3)
</span><del>-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=' 'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=' 'nonce-nonceynonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-F/kEIJZjYE56JaY4cy4cLGI8z6Rhynnwq6tihG4C9Ts='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-n8xN1Y8E6rPXuE8Iv++3Y3Smm6W4OGH6gqfZV7H8F1E=' 'nonce-nonceynonce'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=' 'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=' 'nonce-nonceynonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-F26f0zRiJdDsn6iotp9pJMVvkqJpYZG+RG1eMpdaKZA='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-n8xN1Y8E6rPXuE8Iv++3Y3Smm6W4OGH6gqfZV7H8F1E=' 'nonce-nonceynonce'".
</ins><span class="cx">
</span><span class="cx"> This tests the combined use of script hash and script nonce. It passes if two console warnings are visible and the three alerts show PASS.
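Review bot: both rewritten messages now hard-code the complete policy string, including the 'sha256-…' hash and the live nonce value, so any later edit to the meta policy in scriptnonce-and-scripthash.html has to be mirrored in two places here; the dropped Blink hint (which listed the sha256 of the blocked script) was the only part of the old message that was independent of the policy text. Since the pass criterion on the last line is just "two console warnings plus three PASS alerts", the quoted policy is the only thing in this file that actually checks which directive was enforced, so keep it in sync deliberately.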
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceandscripthashhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-and-scripthash.html        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> <!DOCTYPE html>
</span><span class="cx"> <html>
</span><span class="cx"> <head>
</span><del>- <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-MfuEFRkC2LmR31AMy9KW2ZLDegA=' 'sha1-p70t5PXyndLfjKNjbyBBOL1gFiM=' 'nonce-nonceynonce'">
</del><ins>+ <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-n8xN1Y8E6rPXuE8Iv++3Y3Smm6W4OGH6gqfZV7H8F1E=' 'nonce-nonceynonce'">
</ins><span class="cx"> <script nonce="nonceynonce">
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.dumpAsText();
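Review bot: the policy changes from two 'sha1-…' hash sources to a single 'sha256-…' source, but the ChangeLog gives only message-format differences as the reason for editing this test. State why the sha1 sources were dropped (the CSP 2.0 spec the ChangeLog cites defines sha256, sha384 and sha512 hash sources only) so the edit is not mistaken for a weakening of the test, and confirm that at least one of the three PASS alerts in the expectation is still produced by the hash path rather than by the 'nonce-nonceynonce' source, otherwise the "combined use of script hash and script nonce" the test claims to cover is no longer exercised.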
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnoncebasicblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-basic-blocked-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,9 +1,9 @@
</span><span class="cx"> ALERT: PASS (1/2)
</span><span class="cx"> ALERT: PASS (2/2)
</span><del>-CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-1RpMm8CnZ3w3FNN+LbHHalT1URf5MlDZCUee2MAF0/U='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 13: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-aA5X7j5nr6U308mrny9CeIP0WyoPjaNn/0piYZqVL7I='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 16: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-DnnF++Kbf/s2EyTBk12Rw2Ouq//L7GY5pcHSc6IZe6U='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 19: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce'".
</ins><span class="cx">
</span><span class="cx"> This tests the effect of a valid script-nonce value. It passes if three console warnings are visible, and the two PASS alerts are executed.
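Review bot: the description line still reads "the effect of a valid script-nonce value", which is the name of the CSP 1.1 draft directive that was dropped in favour of the 'nonce-…' source expression; the policy under test is "script-src 'nonce-noncynonce'". Reword it to "a valid 'nonce-…' source in script-src" so the text matches what the test (and this patch) implement.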
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceignoreunsafeinlineexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-ignore-unsafeinline-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> ALERT: PASS (1/2)
</span><span class="cx"> ALERT: PASS (2/2)
</span><del>-CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
</del><ins>+CONSOLE MESSAGE: line 15: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-noncynonce' 'nonce-noncy+/=nonce' 'unsafe-inline'".
</ins><span class="cx">
</span><span class="cx"> This tests that a valid nonce disables inline JavaScript, even if 'unsafe-inline' is present.
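Review bot: the sentence removed here ("Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list") was the only thing telling a developer why a policy that visibly contains 'unsafe-inline' still refused the script; the WebKit message quotes the directive and stops. ContentSecurityPolicySourceList::allowInline() now implements exactly that rule per the WebCore ChangeLog, so consider appending a hint of that form to WebKit's refusal message; it would also make this expectation self-explanatory, since the test description below only states the behaviour, not the reason.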
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scriptnonceinvalidnonceexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,3 +1,4 @@
</span><ins>+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''n'. It will be ignored.
</ins><span class="cx"> CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'n".
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
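Review bot: the refusal for script.js still quotes the directive as "script-src 'n", i.e. the raw policy text, even though the new warning immediately above says that source is ignored, so the effective source list is empty. That matches the existing ''nonce' case further down in this file, so it is consistent; just confirm it is intended that the quoted policy shows a source the engine did not honour, since without the "will be ignored" line the refusal on its own would read as if 'n were a real (unmatched) source.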
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceallowedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-allowed-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-SKwGvORdKBYTYiM4lxIkanDyKH8J0qJ5Ix8LGkKsbhw='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 11: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'". Either the 'unsafe-inline' keyword, a hash ('sha256-kv95ImKKneBhnSXrPlx5XNiVbPjFnuiudpQxG+M00io='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 11: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-noncynonce' 'nonce-noncy+/=nonce'".
</ins><span class="cx">
</span><span class="cx"> Style correctly whitelisted via a 'nonce-*' expression in 'style-src' should be applied to the page.
</span><span class="cx">
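Review bot: the first refusal gains a "line 1:" prefix that the Blink-era expectation did not have, while the second keeps "line 11:". Confirm that line 1 is the real position of the blocked inline style (a style attribute or element on the first line of the test) and not a fallback reported when no position is available; if it is a fallback, the message should omit the prefix, as the original did.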
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11stylenonceblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylenonce-blocked-expected.txt        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><del>-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SKwGvORdKBYTYiM4lxIkanDyKH8J0qJ5Ix8LGkKsbhw='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 1: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'".
</ins><span class="cx">
</span><del>-CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-cJwexfn/a5FXM2RqRmS0smWyEV/8Q3yAJM91YiT55c4='), or a nonce ('nonce-...') is required to enable inline execution.
</del><ins>+CONSOLE MESSAGE: line 6: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'".
</ins><span class="cx">
</span><span class="cx"> Style that does not match a 'nonce-*' expression in 'style-src' should not be applied to the page.
</span><span class="cx">
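Review bot: the description says style that "does not match a 'nonce-*' expression in 'style-src'" must not be applied, but the policy here is "style-src 'self'", which contains no nonce source at all, so this file only covers the no-nonce-in-policy case. A companion expectation with a present but non-matching 'nonce-…' source (the scriptnonce tests cover that side for scripts) would exercise the mismatch branch of ContentSecurityPolicyDirectiveList::allowStyleWithNonce() that this patch adds.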
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/ChangeLog        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -1,3 +1,59 @@
</span><ins>+2016-03-10 Daniel Bates <dabates@apple.com>
+
+ CSP: Implement support for script and style nonces
+ https://bugs.webkit.org/show_bug.cgi?id=116508
+ <rdar://problem/24963980>
+
+ Reviewed by Brent Fulgham.
+
+ Add support for script-src and style-src nonces as per sections Nonce usage for script elements
+ and Nonce usage for style elements of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ * dom/InlineStyleSheetOwner.cpp:
+ (WebCore::InlineStyleSheetOwner::createSheet): Check if the nonce for an HTML style element matches a known nonce.
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScript): Check if the nonce for an HTML script element for an external JavaScript
+ script matches a known nonce. If it does then skip subsequent checks of the Content Security Policy when loading
+ the script.
+ (WebCore::ScriptElement::executeScript): Check if the nonce for an HTML script element for an inline JavaScript
+ script matches a known nonce.
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::process): Check if the nonce for an HTML link element matches a known nonce. If it does
+ then skip subsequent checks of the Content Security Policy when loading the stylesheet.
+ * html/HTMLScriptElement.idl: Unconditionally expose attribute nonce.
+ * html/HTMLStyleElement.idl: Ditto.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::isAllowedByAllWithNonce):
+ (WebCore::ContentSecurityPolicy::allowScriptWithNonce): Check if the nonce attribute value of a script element
+ matches a known nonce. This function delegates the check to ContentSecurityPolicyDirectiveList::allowScriptWithNonce().
+ (WebCore::ContentSecurityPolicy::allowStyleWithNonce): Check if the nonce attribute value of a style/link element
+ matches a known nonce. This function delegates the check to ContentSecurityPolicyDirectiveList::allowStyleWithNonce().
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::checkNonce): Checks if the directive allows the specified nonce.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowScriptWithNonce): Check if the specified nonce is in
+ the source list of the script-src directive (if specified) or the source list of the default-src directive (if specified).
+ (WebCore::ContentSecurityPolicyDirectiveList::allowStyleWithNonce): Check if the specified nonce is in
+ the source list of the style-src directive (if specified) or the source list of the default-src directive (if specified).
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::matches): Returns whether the specified nonce is in the HashSet of
+ nonces for the directive.
+ (WebCore::ContentSecurityPolicySourceList::parse): Modified to call ContentSecurityPolicySourceList::parseNonceSource()
+ to parse a nonce source expression.
+ (WebCore::isBase64Character): Moved function to be above function ContentSecurityPolicySourceList::parseNonceSource()
+ so that it can referenced from both ContentSecurityPolicySourceList::parseNonceSource() and ContentSecurityPolicySourceList::parseHashSource().
+ (WebCore::isNonceCharacter): Added. Matches Blink's definition of a valid nonce character. This definition differs
+ from the definition in the Content Security Policy Level 3 spec., <https://w3c.github.io/webappsec-csp/> (29 February 2016).
+ (WebCore::ContentSecurityPolicySourceList::parseNonceSource): Parses a source expression for a nonce value.
+ * page/csp/ContentSecurityPolicySourceList.h:
+ (WebCore::ContentSecurityPolicySourceList::allowInline): We only allow inline scripts/stylesheets if
+ 'unsafe-inline' was specified in the source list and the source list does not contain any hash sources
+ or nonce sources.
+ * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+ (WebCore::ContentSecurityPolicySourceListDirective::allows): Checks if the specified nonce is in the source list.
+ * page/csp/ContentSecurityPolicySourceListDirective.h:
+
</ins><span class="cx"> 2016-03-08 Sam Weinig <sam@webkit.org>
</span><span class="cx">
</span><span class="cx"> Add a baseURL parameter to _WKUserStyleSheet
</span></span></pre></div>
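Review bot: Typo in the ContentSecurityPolicySourceList.cpp entry of this ChangeLog: "so that it can referenced from both" should read "so that it can be referenced from both". The per-function descriptions otherwise match the hunks below, including the statement that isNonceCharacter follows Blink rather than the CSP Level 3 grammar.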
<a id="trunkSourceWebCoredomInlineStyleSheetOwnercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -135,7 +135,11 @@
</span><span class="cx">
</span><span class="cx"> if (!isValidCSSContentType(element, m_contentType))
</span><span class="cx"> return;
</span><del>- if (!document.contentSecurityPolicy()->allowInlineStyle(document.url(), m_startTextPosition.m_line, text, element.isInUserAgentShadowTree()))
</del><ins>+
+ ASSERT(document.contentSecurityPolicy());
+ const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy();
+ bool hasKnownNonce = contentSecurityPolicy.allowStyleWithNonce(element.fastGetAttribute(HTMLNames::nonceAttr), element.isInUserAgentShadowTree());
+ if (!contentSecurityPolicy.allowInlineStyle(document.url(), m_startTextPosition.m_line, text, hasKnownNonce))
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> RefPtr<MediaQuerySet> mediaQueries;
</span></span></pre></div>
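Review bot: The name hasKnownNonce is misleading for the value that drives the skip: it is passed as the overrideContentSecurityPolicy argument of allowInlineStyle, and it is also true when element.isInUserAgentShadowTree() is true, because allowStyleWithNonce returns early on its override parameter before looking at the nonce at all. Either name it for what it does (for example skipContentSecurityPolicyCheck) or keep the two conditions visible at the call site, so a reader can see that the pre-existing user-agent shadow tree bypass is preserved and that a matching nonce is the only other way to bypass the inline style check.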
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -258,8 +258,9 @@
</span><span class="cx">
</span><span class="cx"> ASSERT(!m_cachedScript);
</span><span class="cx"> if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
</span><ins>+ bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
</ins><span class="cx"> ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
</span><del>- options.setContentSecurityPolicyImposition(m_element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
</del><ins>+ options.setContentSecurityPolicyImposition(hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
</ins><span class="cx">
</span><span class="cx"> CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
</span><span class="cx">
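Review bot: contentSecurityPolicy() is dereferenced here without the ASSERT(m_element.document().contentSecurityPolicy()) that the executeScript hunk below adds; add the same assertion (or the same local reference) so both paths document the non-null assumption identically. Note also that hasKnownNonce replaces, rather than extends, the old isInUserAgentShadowTree() condition for selecting SkipPolicyCheck on the external load; that is only equivalent because allowScriptWithNonce returns true whenever its override argument is true, which is worth stating in a comment next to the call.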
</span><span class="lines">@@ -293,8 +294,13 @@
</span><span class="cx"> if (sourceCode.isEmpty())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), m_element.isInUserAgentShadowTree()))
- return;
</del><ins>+ if (!m_isExternalScript) {
+ ASSERT(m_element.document().contentSecurityPolicy());
+ const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
+ bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
+ if (!contentSecurityPolicy.allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), hasKnownNonce))
+ return;
+ }
</ins><span class="cx">
</span><span class="cx"> #if ENABLE(NOSNIFF)
</span><span class="cx"> if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) {
</span></span></pre></div>
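Review bot: This block is the third copy of the same four lines (assert the policy, take a reference, compute the nonce result with isInUserAgentShadowTree() as the override, call the inline check), after InlineStyleSheetOwner::createSheet and requestScript above. A small helper that takes the element and returns the override boolean would keep the three sites from drifting; the requestScript hunk already lacks the ASSERT and the HTMLLinkElement hunk omits the shadow-tree argument, which is exactly the kind of divergence a shared helper prevents.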
<a id="trunkSourceWebCorehtmlHTMLLinkElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLLinkElement.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "CachedResource.h"
</span><span class="cx"> #include "CachedResourceLoader.h"
</span><span class="cx"> #include "CachedResourceRequest.h"
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "Document.h"
</span><span class="cx"> #include "Event.h"
</span><span class="cx"> #include "EventSender.h"
</span><span class="lines">@@ -245,6 +246,13 @@
</span><span class="cx"> priority = ResourceLoadPriority::VeryLow;
</span><span class="cx"> CachedResourceRequest request(ResourceRequest(document().completeURL(url)), charset, priority);
</span><span class="cx"> request.setInitiator(this);
</span><ins>+
+ if (document().contentSecurityPolicy()->allowStyleWithNonce(fastGetAttribute(HTMLNames::nonceAttr))) {
+ ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.setContentSecurityPolicyImposition(ContentSecurityPolicyImposition::SkipPolicyCheck);
+ request.setOptions(options);
+ }
+
</ins><span class="cx"> m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(request);
</span><span class="cx">
</span><span class="cx"> if (m_cachedSheet)
</span></span></pre></div>
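Review bot: This call site differs from the script and inline style ones in two ways that look unintentional: it omits the isInUserAgentShadowTree() argument that the other callers pass to allowStyleWithNonce, and it dereferences document().contentSecurityPolicy() without the ASSERT used in the other hunks. Separately, request.setOptions(options) replaces the request's whole option set with defaultCachedResourceOptions() plus SkipPolicyCheck; if anything else has been set on the request's options before this point it is discarded, so starting from a copy of the request's current options and only changing the imposition is safer.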
<a id="trunkSourceWebCorehtmlHTMLScriptElementidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLScriptElement.idl (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLScriptElement.idl        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/html/HTMLScriptElement.idl        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -29,5 +29,5 @@
</span><span class="cx"> [Reflect, URL] attribute DOMString src;
</span><span class="cx"> [Reflect] attribute DOMString type;
</span><span class="cx"> attribute DOMString? crossOrigin;
</span><del>- [Reflect, Conditional=CSP_NEXT] attribute DOMString nonce;
</del><ins>+ [Reflect] attribute DOMString nonce;
</ins><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLStyleElementidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLStyleElement.idl (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLStyleElement.idl        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/html/HTMLStyleElement.idl        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -25,5 +25,7 @@
</span><span class="cx">
</span><span class="cx"> // DOM Level 2 Style
</span><span class="cx"> readonly attribute StyleSheet sheet;
</span><ins>+
+ [Reflect] attribute DOMString nonce;
</ins><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx"> #include "FormData.h"
</span><span class="cx"> #include "FormDataList.h"
</span><span class="cx"> #include "Frame.h"
</span><ins>+#include "HTMLParserIdioms.h"
</ins><span class="cx"> #include "InspectorInstrumentation.h"
</span><span class="cx"> #include "JSMainThreadExecState.h"
</span><span class="cx"> #include "ParsingUtilities.h"
</span><span class="lines">@@ -186,6 +187,16 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const String& nonce) const>
+static bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce)
+{
+ for (auto& policy : policies) {
+ if (!(policy.get()->*allowed)(nonce))
+ return false;
+ }
+ return true;
+}
+
</ins><span class="cx"> static CryptoDigest::Algorithm toCryptoDigestAlgorithm(ContentSecurityPolicyHashAlgorithm algorithm)
</span><span class="cx"> {
</span><span class="cx"> switch (algorithm) {
</span><span class="lines">@@ -252,6 +263,30 @@
</span><span class="cx"> return UTF8Encoding();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicy::allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy) const
+{
+ if (overrideContentSecurityPolicy)
+ return true;
+ String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+ if (strippedNonce.isEmpty())
+ return false;
+ if (isAllowedByAllWithNonce<&ContentSecurityPolicyDirectiveList::allowScriptWithNonce>(m_policies, strippedNonce))
+ return true;
+ return false;
+}
+
+bool ContentSecurityPolicy::allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy) const
+{
+ if (overrideContentSecurityPolicy)
+ return true;
+ String strippedNonce = stripLeadingAndTrailingHTMLSpaces(nonce);
+ if (strippedNonce.isEmpty())
+ return false;
+ if (isAllowedByAllWithNonce<&ContentSecurityPolicyDirectiveList::allowStyleWithNonce>(m_policies, strippedNonce))
+ return true;
+ return false;
+}
+
</ins><span class="cx"> bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> if (overrideContentSecurityPolicy)
</span></span></pre></div>
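Review bot: In both allowScriptWithNonce and allowStyleWithNonce the closing "if (isAllowedByAllWithNonce ...) return true; return false;" can simply be "return isAllowedByAllWithNonce ...(m_policies, strippedNonce);". Also worth a comment here: with no policies installed the loop in isAllowedByAllWithNonce never rejects, so any non-empty nonce attribute is reported as known and the callers select SkipPolicyCheck. That is harmless while there is no policy to enforce, but it is surprising when reading the callers, which treat the result as a positive match.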
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -86,7 +86,9 @@
</span><span class="cx"> };
</span><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><ins>+ bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
</ins><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><ins>+ bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
</ins><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -125,6 +125,11 @@
</span><span class="cx"> return !directive || directive->allows(hash);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static inline bool checkNonce(ContentSecurityPolicySourceListDirective* directive, const String& nonce)
+{
+ return !directive || directive->allows(nonce);
+}
+
</ins><span class="cx"> static inline bool checkMediaType(ContentSecurityPolicyMediaListDirective* directive, const String& type, const String& typeAttribute)
</span><span class="cx"> {
</span><span class="cx"> if (!directive)
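Review bot: checkNonce returns true when there is no operative directive, mirroring checkHash directly above it. The consequence is that allowScriptWithNonce reports any non-empty nonce as known for a policy that has neither script-src nor default-src; no directive would have restricted the script in that case, so the outcome is unchanged, but a one-line comment stating that this is deliberate would save the next reader from re-deriving it.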
</span><span class="lines">@@ -288,6 +293,11 @@
</span><span class="cx"> return checkHash(operativeDirective(m_scriptSrc.get()), hash);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowScriptWithNonce(const String& nonce) const
+{
+ return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: "));
</span><span class="lines">@@ -301,6 +311,11 @@
</span><span class="cx"> return checkHash(operativeDirective(m_styleSrc.get()), hash);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowStyleWithNonce(const String& nonce) const
+{
+ return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowEval(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx"> static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: "));
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -52,8 +52,10 @@
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineScriptWithHash(const ContentSecurityPolicyHash&) const;
</span><ins>+ bool allowScriptWithNonce(const String& nonce) const;
</ins><span class="cx"> bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineStyleWithHash(const ContentSecurityPolicyHash&) const;
</span><ins>+ bool allowStyleWithNonce(const String& nonce) const;
</ins><span class="cx"> bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -132,6 +132,11 @@
</span><span class="cx"> return m_hashes.contains(hash);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicySourceList::matches(const String& nonce) const
+{
+ return m_nonces.contains(nonce);
+}
+
</ins><span class="cx"> // source-list = *WSP [ source *( 1*WSP source ) *WSP ]
</span><span class="cx"> // / *WSP "'none'" *WSP
</span><span class="cx"> //
</span><span class="lines">@@ -152,6 +157,9 @@
</span><span class="cx"> bool hostHasWildcard = false;
</span><span class="cx"> bool portHasWildcard = false;
</span><span class="cx">
</span><ins>+ if (parseNonceSource(beginSource, position))
+ continue;
+
</ins><span class="cx"> if (parseHashSource(beginSource, position))
</span><span class="cx"> continue;
</span><span class="cx">
</span><span class="lines">@@ -395,6 +403,35 @@
</span><span class="cx"> return ok;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+static bool isBase64Character(UChar c)
+{
+ return isASCIIAlphanumeric(c) || c == '+' || c == '/' || c == '-' || c == '_';
+}
+
+// Match Blink's behavior of allowing an equal sign to appear anywhere in the value of the nonce
+// even though this does not match the behavior of Content Security Policy Level 3 spec.,
+// <https://w3c.github.io/webappsec-csp/> (29 February 2016).
+static bool isNonceCharacter(UChar c)
+{
+ return isBase64Character(c) || c == '=';
+}
+
+// nonce-source = "'nonce-" nonce-value "'"
+// nonce-value = base64-value
+bool ContentSecurityPolicySourceList::parseNonceSource(const UChar* begin, const UChar* end)
+{
+ static NeverDestroyed<String> noncePrefix("'nonce-", String::ConstructFromLiteral);
+ if (!StringView(begin, end - begin).startsWithIgnoringASCIICase(noncePrefix.get()))
+ return false;
+ const UChar* position = begin + noncePrefix.get().length();
+ const UChar* beginNonceValue = position;
+ skipWhile<UChar, isNonceCharacter>(position, end);
+ if (position >= end || position == beginNonceValue || *position != '\'')
+ return false;
+ m_nonces.add(String(beginNonceValue, position - beginNonceValue));
+ return true;
+}
+
</ins><span class="cx"> static bool parseHashAlgorithmAdvancingPosition(const UChar*& position, size_t length, ContentSecurityPolicyHashAlgorithm& algorithm)
</span><span class="cx"> {
</span><span class="cx"> static struct {
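Review bot: parseNonceSource returns true as soon as it finds the closing quote at position, without checking that the quote is the last character of the token, so a source such as 'nonce-abc'xyz registers the nonce abc and silently ignores the trailing characters. Add a check that position + 1 equals end after the existing quote test so a malformed source expression is rejected rather than partially honoured. The Blink-compatible acceptance of '=' anywhere in the value is explained in the comment above isNonceCharacter, which is good, but the "nonce-value = base64-value" grammar comment directly above the function now disagrees with what isNonceCharacter accepts; note the deviation there as well.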
</span><span class="lines">@@ -418,11 +455,6 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static bool isBase64Character(UChar c)
-{
- return isASCIIAlphanumeric(c) || c == '+' || c == '/' || c == '-' || c == '_';
-}
-
</del><span class="cx"> // hash-source = "'" hash-algorithm "-" base64-value "'"
</span><span class="cx"> // hash-algorithm = "sha256" / "sha384" / "sha512"
</span><span class="cx"> // base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" )
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include "ContentSecurityPolicySource.h"
</span><span class="cx"> #include <wtf/HashSet.h>
</span><span class="cx"> #include <wtf/OptionSet.h>
</span><ins>+#include <wtf/text/StringHash.h>
</ins><span class="cx"> #include <wtf/text/WTFString.h>
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="lines">@@ -46,10 +47,11 @@
</span><span class="cx">
</span><span class="cx"> bool matches(const URL&);
</span><span class="cx"> bool matches(const ContentSecurityPolicyHash&) const;
</span><ins>+ bool matches(const String& nonce) const;
</ins><span class="cx">
</span><span class="cx"> OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; }
</span><span class="cx">
</span><del>- bool allowInline() const { return m_allowInline && m_hashes.isEmpty(); }
</del><ins>+ bool allowInline() const { return m_allowInline && m_hashes.isEmpty() && m_nonces.isEmpty(); }
</ins><span class="cx"> bool allowEval() const { return m_allowEval; }
</span><span class="cx"> bool allowSelf() const { return m_allowSelf; }
</span><span class="cx">
</span><span class="lines">@@ -62,12 +64,15 @@
</span><span class="cx"> bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
</span><span class="cx"> bool parsePath(const UChar* begin, const UChar* end, String& path);
</span><span class="cx">
</span><ins>+ bool parseNonceSource(const UChar* begin, const UChar* end);
+
</ins><span class="cx"> bool isProtocolAllowedByStar(const URL&) const;
</span><span class="cx">
</span><span class="cx"> bool parseHashSource(const UChar* begin, const UChar* end);
</span><span class="cx">
</span><span class="cx"> const ContentSecurityPolicy& m_policy;
</span><span class="cx"> Vector<ContentSecurityPolicySource> m_list;
</span><ins>+ HashSet<String> m_nonces;
</ins><span class="cx"> HashSet<ContentSecurityPolicyHash> m_hashes;
</span><span class="cx"> OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsUsed;
</span><span class="cx"> String m_directiveName;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -47,6 +47,11 @@
</span><span class="cx"> return m_sourceList.matches(url);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicySourceListDirective::allows(const String& nonce) const
+{
+ return m_sourceList.matches(nonce);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicySourceListDirective::allows(const ContentSecurityPolicyHash& hash) const
</span><span class="cx"> {
</span><span class="cx"> return m_sourceList.matches(hash);
</span></span></pre></div>
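Review bot: Overloading allows() a third time, now on const String&, makes the nonce check distinguishable from the URL and hash checks only by argument type; checkNonce in ContentSecurityPolicyDirectiveList.cpp reads fine today, but a distinct name such as allowsNonce (and matchesNonce on ContentSecurityPolicySourceList) would make the intent explicit at every call site and rule out an accidental nonce comparison if a URL is ever passed as a String.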
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (197943 => 197944)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-03-10 18:24:50 UTC (rev 197943)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-03-10 18:30:38 UTC (rev 197944)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx">
</span><span class="cx"> bool allows(const URL&);
</span><span class="cx"> bool allows(const ContentSecurityPolicyHash&) const;
</span><ins>+ bool allows(const String& nonce) const;
</ins><span class="cx"> bool allowInline() const { return m_sourceList.allowInline(); }
</span><span class="cx"> bool allowEval() const { return m_sourceList.allowEval(); }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>