From 6db06749e2037029adc96660aafa5339ed609e60 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 5 Sep 2019 18:42:49 +0200 Subject: Fix whitelisting of JavaScript-uris by CSP hash. --- dom/security/nsCSPContext.cpp | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'dom/security') diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp index 65be02809..56a119e1a 100644 --- a/dom/security/nsCSPContext.cpp +++ b/dom/security/nsCSPContext.cpp @@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType, for (uint32_t i = 0; i < mPolicies.Length(); i++) { bool allowed = mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) || - mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) || - mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated); + mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated); + + // If the inlined script or style is allowed by either unsafe-inline or the + // nonce, go ahead and shortcut this loop. + if (allowed) { + continue; + } + + // Check if the csp-hash matches against the hash of the script. + // If we don't have any content to check, block the script. + if (!aContent.IsEmpty()) { + allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated); + } if (!allowed) { // policy is violoated: deny the load unless policy is report only and -- cgit v1.2.3