diff options
Diffstat (limited to 'Source/WebCore/dom')
-rw-r--r-- | Source/WebCore/dom/InlineStyleSheetOwner.cpp | 6 | ||||
-rw-r--r-- | Source/WebCore/dom/ScriptElement.cpp | 12 | ||||
-rw-r--r-- | Source/WebCore/dom/StyledElement.cpp | 2 |
3 files changed, 15 insertions, 5 deletions
diff --git a/Source/WebCore/dom/InlineStyleSheetOwner.cpp b/Source/WebCore/dom/InlineStyleSheetOwner.cpp index 83574842c..a487f6041 100644 --- a/Source/WebCore/dom/InlineStyleSheetOwner.cpp +++ b/Source/WebCore/dom/InlineStyleSheetOwner.cpp @@ -137,7 +137,11 @@ void InlineStyleSheetOwner::createSheet(Element& element, const String& text) if (!isValidCSSContentType(element, m_contentType)) return; - if (!document.contentSecurityPolicy()->allowInlineStyle(document.url(), m_startTextPosition.m_line, element.isInUserAgentShadowTree())) + + ASSERT(document.contentSecurityPolicy()); + const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy(); + bool hasKnownNonce = contentSecurityPolicy.allowStyleWithNonce(element.fastGetAttribute(HTMLNames::nonceAttr), element.isInUserAgentShadowTree()); + if (!contentSecurityPolicy.allowInlineStyle(document.url(), m_startTextPosition.m_line, text, hasKnownNonce)) return; RefPtr<MediaQuerySet> mediaQueries; diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp index 521028195..f9c70e326 100644 --- a/Source/WebCore/dom/ScriptElement.cpp +++ b/Source/WebCore/dom/ScriptElement.cpp @@ -258,8 +258,9 @@ bool ScriptElement::requestScript(const String& sourceUrl) ASSERT(!m_cachedScript); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { + bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree()); ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions(); - options.setContentSecurityPolicyImposition(m_element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck); + options.setContentSecurityPolicyImposition(hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck); CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options); @@ -293,8 +294,13 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode) if (sourceCode.isEmpty()) return; - if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, m_element.isInUserAgentShadowTree())) - return; + if (!m_isExternalScript) { + ASSERT(m_element.document().contentSecurityPolicy()); + const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy(); + bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree()); + if (!contentSecurityPolicy.allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), hasKnownNonce)) + return; + } #if ENABLE(NOSNIFF) if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) { diff --git a/Source/WebCore/dom/StyledElement.cpp b/Source/WebCore/dom/StyledElement.cpp index e5d06633d..e7c328a44 100644 --- a/Source/WebCore/dom/StyledElement.cpp +++ b/Source/WebCore/dom/StyledElement.cpp @@ -202,7 +202,7 @@ void StyledElement::styleAttributeChanged(const AtomicString& newStyleString, At if (PropertySetCSSStyleDeclaration* cssomWrapper = inlineStyleCSSOMWrapper()) cssomWrapper->clearParentElement(); ensureUniqueElementData().m_inlineStyle = nullptr; - } else if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url(), startLineNumber, isInUserAgentShadowTree())) + } else if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url(), startLineNumber, String(), isInUserAgentShadowTree())) setInlineStyleFromString(newStyleString); elementData()->setStyleAttributeIsDirty(false); |