Fail loudly and securely when given a script-nonce that doesn't match the grammar (for example: `script-nonce;`, `script-nonce ;`, or `script-nonce this is a nonce;`).
Created attachment 152539: Patch
I should have just done this when you first suggested it, Adam. :)
Comment on attachment 152539: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=152539&action=review

> Source/WebCore/page/ContentSecurityPolicy.cpp:616
> + , m_scriptNonce(String())

No need for this line. String() is the default constructor. :)

> Source/WebCore/page/ContentSecurityPolicy.cpp:947
> + m_scriptNonce = emptyString();

We can't use emptyString() because this code runs in workers too. Let's just use "".

> Source/WebCore/page/ContentSecurityPolicy.cpp:959
> + m_scriptNonce = emptyString();

ditto

> LayoutTests/ChangeLog:8
> + Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!).

This line will prevent the patch from landing.
Created attachment 152550: Patch
Thanks Adam!
Comment on attachment 152550: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=152550&action=review

> LayoutTests/ChangeLog:8
> + Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!).

This line will still prevent the patch from being landed.
Created attachment 152556: I swear I removed that...
Comment on attachment 152556: I swear I removed that...

Clearing flags on attachment: 152556

Committed r122741: <http://trac.webkit.org/changeset/122741>
All reviewed patches have been landed. Closing bug.
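
The fail-closed handling this bug asks for, sketched as an added example (not the WebKit patch or any code from this thread). It assumes a grammar in which a nonce is one or more characters containing no whitespace, `;` or `,`, and it assumes "securely" means an invalid nonce blocks every script; the names `NoncePolicy`, `parseScriptNonce` and `allowsScript` and the warning text are hypothetical.

```cpp
#include <cstddef>
#include <string>

// Three states, so "no directive" and "malformed directive" never collapse
// into the same value.
enum class NonceState { Absent, Valid, Invalid };

struct NoncePolicy {
    NonceState state = NonceState::Absent;
    std::string nonce;    // meaningful only when state == Valid
    std::string warning;  // the "loud" part: text for the console (constructed)
};

static bool isSpace(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f';
}

// value: the text after the directive name, up to but excluding ';'.
NoncePolicy parseScriptNonce(const std::string& value)
{
    NoncePolicy policy;
    std::size_t begin = 0, end = value.size();
    while (begin < end && isSpace(value[begin])) ++begin;
    while (end > begin && isSpace(value[end - 1])) --end;
    const std::string token = value.substr(begin, end - begin);

    bool valid = !token.empty();  // rejects "script-nonce;" and "script-nonce ;"
    for (char c : token)
        if (isSpace(c) || c == ';' || c == ',') valid = false;  // "this is a nonce"

    if (!valid) {
        policy.state = NonceState::Invalid;
        policy.warning = "Invalid script-nonce '" + value + "'; blocking all scripts.";
        return policy;
    }
    policy.state = NonceState::Valid;
    policy.nonce = token;
    return policy;
}

bool allowsScript(const NoncePolicy& policy, const std::string& scriptNonce)
{
    switch (policy.state) {
    case NonceState::Absent:  return true;                         // no nonce policy
    case NonceState::Valid:   return scriptNonce == policy.nonce;  // exact match only
    case NonceState::Invalid: return false;                        // fail closed
    }
    return false;
}
```
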