Bug 1227813 - CSP: Ignore unsafe-inline within style-src if hash or nonce specified. r=kmckinley

2024-10-12 12:55:46 +00:00 · 2016-03-11 15:35:39 -08:00 · 2016-03-11 15:35:39 -08:00 · 5e6ba24562
commit 5e6ba24562
parent d96e884f80
2 changed files with 9 additions and 8 deletions
--- a/dom/locales/en-US/chrome/security/csp.properties
+++ b/dom/locales/en-US/chrome/security/csp.properties
@ -35,10 +35,10 @@ ignoringDuplicateSrc = Ignoring duplicate source %1$S
 # LOCALIZATION NOTE (ignoringSrcFromMetaCSP):
 # %1$S defines the ignored src
 ignoringSrcFromMetaCSP = Ignoring source '%1$S' (Not supported when delivered via meta element).
-# LOCALIZATION NOTE (ignoringSrcWithinScriptSrc):
+# LOCALIZATION NOTE (ignoringSrcWithinScriptStyleSrc):
 # %1$S is the ignored src
-# script-src is a directive name and should not be localized
-ignoringSrcWithinScriptSrc = Ignoring "%1$S" within script-src: nonce-source or hash-source specified
+# script-src and style-src are directive names and should not be localized
+ignoringSrcWithinScriptStyleSrc = Ignoring "%1$S" within script-src or style-src: nonce-source or hash-source specified
 # LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
 # %1$S is the ETLD of the report URI that is not HTTP or HTTPS
 reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@ -122,7 +122,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens,
                         nsIURI* aSelfURI,
                         nsCSPContext* aCSPContext,
                         bool aDeliveredViaMetaTag)
- : mCurChar(nullptr)
+ : mCurChar(nullptr)
 , mEndChar(nullptr)
 , mHasHashOrNonce(false)
 , mUnsafeInlineKeywordSrc(nullptr)
@ -1089,15 +1089,16 @@ nsCSPParser::directive()
    srcs.AppendElement(keyword);
  }

-  // if a hash or nonce is specified within script-src, then
-  // unsafe-inline should be ignored, see:
+  // Ignore unsafe-inline within script-src or style-src if nonce
+  // or hash is specified, see:
  // http://www.w3.org/TR/CSP2/#directive-script-src
-  if (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) &&
+  if ((cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
+       cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE)) &&
      mHasHashOrNonce && mUnsafeInlineKeywordSrc) {
    mUnsafeInlineKeywordSrc->invalidate();
    // log to the console that unsafe-inline will be ignored
    const char16_t* params[] = { MOZ_UTF16("'unsafe-inline'") };
-    logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptSrc",
+    logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptStyleSrc",
                             params, ArrayLength(params));
  }