Bug 1227813 - CSP: Ignore unsafe-inline within style-src if hash or nonce specified. r=kmckinley
This commit is contained in:
parent
d96e884f80
commit
5e6ba24562
@ -35,10 +35,10 @@ ignoringDuplicateSrc = Ignoring duplicate source %1$S
|
||||
# LOCALIZATION NOTE (ignoringSrcFromMetaCSP):
|
||||
# %1$S defines the ignored src
|
||||
ignoringSrcFromMetaCSP = Ignoring source '%1$S' (Not supported when delivered via meta element).
|
||||
# LOCALIZATION NOTE (ignoringSrcWithinScriptSrc):
|
||||
# LOCALIZATION NOTE (ignoringSrcWithinScriptStyleSrc):
|
||||
# %1$S is the ignored src
|
||||
# script-src is a directive name and should not be localized
|
||||
ignoringSrcWithinScriptSrc = Ignoring "%1$S" within script-src: nonce-source or hash-source specified
|
||||
# script-src and style-src are directive names and should not be localized
|
||||
ignoringSrcWithinScriptStyleSrc = Ignoring "%1$S" within script-src or style-src: nonce-source or hash-source specified
|
||||
# LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
|
||||
# %1$S is the ETLD of the report URI that is not HTTP or HTTPS
|
||||
reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
|
||||
|
@ -122,7 +122,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens,
|
||||
nsIURI* aSelfURI,
|
||||
nsCSPContext* aCSPContext,
|
||||
bool aDeliveredViaMetaTag)
|
||||
: mCurChar(nullptr)
|
||||
: mCurChar(nullptr)
|
||||
, mEndChar(nullptr)
|
||||
, mHasHashOrNonce(false)
|
||||
, mUnsafeInlineKeywordSrc(nullptr)
|
||||
@ -1089,15 +1089,16 @@ nsCSPParser::directive()
|
||||
srcs.AppendElement(keyword);
|
||||
}
|
||||
|
||||
// if a hash or nonce is specified within script-src, then
|
||||
// unsafe-inline should be ignored, see:
|
||||
// Ignore unsafe-inline within script-src or style-src if nonce
|
||||
// or hash is specified, see:
|
||||
// http://www.w3.org/TR/CSP2/#directive-script-src
|
||||
if (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) &&
|
||||
if ((cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
|
||||
cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE)) &&
|
||||
mHasHashOrNonce && mUnsafeInlineKeywordSrc) {
|
||||
mUnsafeInlineKeywordSrc->invalidate();
|
||||
// log to the console that unsafe-inline will be ignored
|
||||
const char16_t* params[] = { MOZ_UTF16("'unsafe-inline'") };
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptSrc",
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptStyleSrc",
|
||||
params, ArrayLength(params));
|
||||
}
|
||||
|
||||
|
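Review bot: The warning emitted after the widened condition, `logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptStyleSrc", ...)`, no longer tells the page author which directive dropped 'unsafe-inline', because one message now covers both script-src and style-src; passing the directive name as a second parameter (a `%2$S` placeholder in the string) would keep the console message actionable for a policy that carries both directives. The condition also depends on `mHasHashOrNonce` and `mUnsafeInlineKeywordSrc`, which the constructor hunk shows as parser-wide members; their per-directive reset is not in this hunk, so it is worth confirming that a nonce-source seen in script-src cannot carry over and invalidate an 'unsafe-inline' that belongs to a later style-src (or the reverse), since that would silently change what the policy enforces. The spec pointer in the comment still names only `#directive-script-src`; with style-src now handled, `// http://www.w3.org/TR/CSP2/#directive-style-src` belongs next to it. directive() starts and ends outside the hunk.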