From 5e6ba2456278b7b06efea5521547323e58ed5088 Mon Sep 17 00:00:00 2001
From: Christoph Kerschbaumer
Date: Fri, 11 Mar 2016 15:35:39 -0800
Subject: [PATCH] Bug 1227813 - CSP: Ignore unsafe-inline within style-src if hash or nonce specified. r=kmckinley
---
 dom/locales/en-US/chrome/security/csp.properties | 6 +++---
 dom/security/nsCSPParser.cpp | 11 ++++++-----
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/dom/locales/en-US/chrome/security/csp.properties b/dom/locales/en-US/chrome/security/csp.properties
index 8040cb026434..b09a157c3773 100644
--- a/dom/locales/en-US/chrome/security/csp.properties
+++ b/dom/locales/en-US/chrome/security/csp.properties
@@ -35,10 +35,10 @@ ignoringDuplicateSrc = Ignoring duplicate source %1$S
 # LOCALIZATION NOTE (ignoringSrcFromMetaCSP):
 # %1$S defines the ignored src
 ignoringSrcFromMetaCSP = Ignoring source '%1$S' (Not supported when delivered via meta element).
-# LOCALIZATION NOTE (ignoringSrcWithinScriptSrc):
+# LOCALIZATION NOTE (ignoringSrcWithinScriptStyleSrc):
 # %1$S is the ignored src
-# script-src is a directive name and should not be localized
-ignoringSrcWithinScriptSrc = Ignoring "%1$S" within script-src: nonce-source or hash-source specified
+# script-src and style-src are directive names and should not be localized
+ignoringSrcWithinScriptStyleSrc = Ignoring "%1$S" within script-src or style-src: nonce-source or hash-source specified
 # LOCALIZATION NOTE (reportURInotHttpsOrHttp2):
 # %1$S is the ETLD of the report URI that is not HTTP or HTTPS
 reportURInotHttpsOrHttp2 = The report URI (%1$S) should be an HTTP or HTTPS URI.
diff --git a/dom/security/nsCSPParser.cpp b/dom/security/nsCSPParser.cpp
index e606dd94b5e9..1695e226317d 100644
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -122,7 +122,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens,
 nsIURI* aSelfURI,
 nsCSPContext* aCSPContext,
 bool aDeliveredViaMetaTag)
- : mCurChar(nullptr)
+ : mCurChar(nullptr)
 , mEndChar(nullptr)
 , mHasHashOrNonce(false)
 , mUnsafeInlineKeywordSrc(nullptr)
@@ -1089,15 +1089,16 @@ nsCSPParser::directive()
 srcs.AppendElement(keyword);
 }
 
- // if a hash or nonce is specified within script-src, then
- // unsafe-inline should be ignored, see:
+ // Ignore unsafe-inline within script-src or style-src if nonce
+ // or hash is specified, see:
 // http://www.w3.org/TR/CSP2/#directive-script-src
- if (cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) &&
+ if ((cspDir->equals(nsIContentSecurityPolicy::SCRIPT_SRC_DIRECTIVE) ||
+ cspDir->equals(nsIContentSecurityPolicy::STYLE_SRC_DIRECTIVE)) &&
 mHasHashOrNonce && mUnsafeInlineKeywordSrc) {
 mUnsafeInlineKeywordSrc->invalidate();
 // log to the console that unsafe-inline will be ignored
 const char16_t* params[] = { MOZ_UTF16("'unsafe-inline'") };
- logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptSrc",
+ logWarningErrorToConsole(nsIScriptError::warningFlag, "ignoringSrcWithinScriptStyleSrc",
 params, ArrayLength(params));
 }
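Review bot: The widened guard in directive() now acts on two directives, but `mHasHashOrNonce` and `mUnsafeInlineKeywordSrc` are parser-wide members (initialised once in the constructor in the hunk above), so it is only correct if directive() clears both before parsing each directive's source list; that reset is outside this hunk and should be confirmed, otherwise a nonce in script-src would also strip 'unsafe-inline' from a later style-src (or vice versa) and a stale `mUnsafeInlineKeywordSrc` would be invalidated twice. The retained spec comment still cites only the script-src section; since the rule now applies to both directives, add `// http://www.w3.org/TR/CSP2/#directive-style-src` beside it. The new console message no longer tells the page author which directive lost 'unsafe-inline'; if the directive object exposes its name, passing it as a second parameter to the string would restore that. A test covering `style-src 'nonce-x' 'unsafe-inline'` alongside the existing script-src case would pin the new behaviour. The body of directive() starts and ends outside the hunk.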