diff options
| author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-09-05 18:42:49 +0200 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-09-05 18:42:49 +0200 |
| commit | 6db06749e2037029adc96660aafa5339ed609e60 (patch) | |
| tree | 0f3678a1ed688c2f430b1cae5859916790908ac6 /dom/security | |
| parent | e3c13af9761895a19fb1f58abf920190aa739348 (diff) | |
| download | uxp-6db06749e2037029adc96660aafa5339ed609e60.tar.gz | |
Fix whitelisting of JavaScript-uris by CSP hash.
Diffstat (limited to 'dom/security')
| -rw-r--r-- | dom/security/nsCSPContext.cpp | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp index 65be02809f..56a119e1a8 100644 --- a/dom/security/nsCSPContext.cpp +++ b/dom/security/nsCSPContext.cpp @@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType, for (uint32_t i = 0; i < mPolicies.Length(); i++) { bool allowed = mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) || - mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) || - mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated); + mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated); + + // If the inlined script or style is allowed by either unsafe-inline or the + // nonce, go ahead and shortcut this loop. + if (allowed) { + continue; + } + + // Check if the csp-hash matches against the hash of the script. + // If we don't have any content to check, block the script. + if (!aContent.IsEmpty()) { + allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated); + } if (!allowed) { // policy is violoated: deny the load unless policy is report only and |