Bug 1198422 - CSP: Allow nonce to load if default-src is not specified in second policy (r=dveditz)

This commit is contained in:
Christoph Kerschbaumer 2015-08-25 16:11:04 -07:00
parent dbad1f30f8
commit 0500c010b8


@ -609,6 +609,11 @@ nsCSPKeywordSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce)
void
nsCSPKeywordSrc::toString(nsAString& outStr) const
{
if (mInvalidated) {
MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
"can only ignore 'unsafe-inline' within toString()");
return;
}
outStr.AppendASCII(CSP_EnumToKeyword(mKeyword));
}
@ -616,8 +621,8 @@ void
nsCSPKeywordSrc::invalidate()
{
mInvalidated = true;
NS_ASSERTION(mInvalidated == CSP_UNSAFE_INLINE,
"invalidate 'unsafe-inline' only within script-src");
MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
"invalidate 'unsafe-inline' only within script-src");
}
/* ===== nsCSPNonceSrc ==================== */
@ -1046,8 +1051,13 @@ nsCSPPolicy::allows(nsContentPolicyType aContentType,
}
}
// Only match {nonce,hash}-source on specific directives (not default-src)
// {nonce,hash}-source should not consult default-src:
// * return false if default-src is specified
// * but allow the load if default-src is *not* specified (Bug 1198422)
if (aKeyword == CSP_NONCE || aKeyword == CSP_HASH) {
if (!defaultDir) {
return true;
}
return false;
}
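Review bot: The nested `if (!defaultDir) { return true; } return false;` in the new nonce/hash branch reduces to `return !defaultDir;`, which states the rule the comment above it gives in a single readable line. The remainder of nsCSPPolicy::allows, including whatever the function returns once no directive and no default-src matched, lies outside this hunk, so I cannot confirm from here that the new "no default-src" outcome agrees with that final fallback; a short comment tying the two together, e.g. `// No governing directive and no default-src: this policy places no restriction on the load`, would make the intent checkable by the next reader. A regression test covering a policy that has only a type-specific directive and no default-src, with a nonced load of a different type, would pin the behavior this change introduces; no test change is visible in this view.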