RESOLVED FIXED 91353
Invalid `script-nonce` directives should block script execution. 
https://bugs.webkit.org/show_bug.cgi?id=91353
Summary Invalid `script-nonce` directives should block script execution.
Mike West
Reported 2012-07-15 18:45:54 PDT
Fail loudly and securely when given a script-nonce that doesn't match the grammar (for example: `script-nonce;`, `script-nonce ;`, or `script-nonce this is a nonce;`.
Attachments
Patch (11.27 KB, patch)
2012-07-16 08:21 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
Patch (10.95 KB, patch)
2012-07-16 09:40 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
I swear I removed that... (10.82 KB, patch)
2012-07-16 09:53 PDT, Mike West 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2012-07-16 08:21:00 PDT
Created attachment 152539 [details] Patch
Mike West
Comment 2 2012-07-16 08:21:51 PDT
I should have just done this when you first suggested it, Adam. :)
Adam Barth
Comment 3 2012-07-16 08:45:46 PDT
Comment on attachment 152539 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=152539&action=review > Source/WebCore/page/ContentSecurityPolicy.cpp:616 > + , m_scriptNonce(String()) No need for this line. String() is the default constructor. :) > Source/WebCore/page/ContentSecurityPolicy.cpp:947 > + m_scriptNonce = emptyString(); We can't use emptyString() because this code runs in workers too. Let's just use "". > Source/WebCore/page/ContentSecurityPolicy.cpp:959 > + m_scriptNonce = emptyString(); ditto > LayoutTests/ChangeLog:8 > + Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!). This line will prevent the patch from landing.
Mike West
Comment 4 2012-07-16 09:40:08 PDT
Created attachment 152550 [details] Patch
Mike West
Comment 5 2012-07-16 09:46:31 PDT
Thanks Adam!
Adam Barth
Comment 6 2012-07-16 09:47:16 PDT
Comment on attachment 152550 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=152550&action=review > LayoutTests/ChangeLog:8 > + Additional information of the change such as approach, rationale. Please add per-function descriptions below (OOPS!). This line will still prevent the patch from being landed.
Mike West
Comment 7 2012-07-16 09:53:32 PDT
Created attachment 152556 [details] I swear I removed that...
WebKit Review Bot
Comment 8 2012-07-16 11:16:53 PDT
Comment on attachment 152556 [details] I swear I removed that... Clearing flags on attachment: 152556 Committed r122741: <http://trac.webkit.org/changeset/122741>
WebKit Review Bot
Comment 9 2012-07-16 11:16:58 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.