Bug 91353 - Invalid `script-nonce` directives should block script execution.
Summary: Invalid `script-nonce` directives should block script execution.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mike West
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-15 18:45 PDT by Mike West
Modified: 2012-07-16 11:16 PDT (History)
2 users (show)

See Also:


Attachments
Patch (11.27 KB, patch)
2012-07-16 08:21 PDT, Mike West
no flags Details | Formatted Diff | Diff
Patch (10.95 KB, patch)
2012-07-16 09:40 PDT, Mike West
no flags Details | Formatted Diff | Diff
I swear I removed that... (10.82 KB, patch)
2012-07-16 09:53 PDT, Mike West
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2012-07-15 18:45:54 PDT
Fail loudly and securely when given a script-nonce that doesn't match the grammar (for example: `script-nonce;`, `script-nonce     ;`, or `script-nonce this is a nonce;`.
Comment 1 Mike West 2012-07-16 08:21:00 PDT
Created attachment 152539 [details]
Patch
Comment 2 Mike West 2012-07-16 08:21:51 PDT
I should have just done this when you first suggested it, Adam. :)
Comment 3 Adam Barth 2012-07-16 08:45:46 PDT
Comment on attachment 152539 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=152539&action=review

> Source/WebCore/page/ContentSecurityPolicy.cpp:616
> +    , m_scriptNonce(String())

No need for this line.  String() is the default constructor.  :)

> Source/WebCore/page/ContentSecurityPolicy.cpp:947
> +        m_scriptNonce = emptyString();

We can't use emptyString() because this code runs in workers too.  Let's just use "".

> Source/WebCore/page/ContentSecurityPolicy.cpp:959
> +        m_scriptNonce = emptyString();

ditto

> LayoutTests/ChangeLog:8
> +        Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!).

This line will prevent the patch from landing.
Comment 4 Mike West 2012-07-16 09:40:08 PDT
Created attachment 152550 [details]
Patch
Comment 5 Mike West 2012-07-16 09:46:31 PDT
Thanks Adam!
Comment 6 Adam Barth 2012-07-16 09:47:16 PDT
Comment on attachment 152550 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=152550&action=review

> LayoutTests/ChangeLog:8
> +        Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!).

This line will still prevent the patch from being landed.
Comment 7 Mike West 2012-07-16 09:53:32 PDT
Created attachment 152556 [details]
I swear I removed that...
Comment 8 WebKit Review Bot 2012-07-16 11:16:53 PDT
Comment on attachment 152556 [details]
I swear I removed that...

Clearing flags on attachment: 152556

Committed r122741: <http://trac.webkit.org/changeset/122741>
Comment 9 WebKit Review Bot 2012-07-16 11:16:58 PDT
All reviewed patches have been landed.  Closing bug.