Fix whitelisting of JavaScript-uris by CSP hash.

1 files changed, 13 insertions, 2 deletions

diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
   for (uint32_t i = 0; i < mPolicies.Length(); i++) {
     bool allowed =
       mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
-      mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
-      mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+      mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+      
+    // If the inlined script or style is allowed by either unsafe-inline or the
+    // nonce, go ahead and shortcut this loop.
+    if (allowed) {
+      continue;
+    }
+    
+    // Check if the csp-hash matches against the hash of the script.
+    // If we don't have any content to check, block the script.
+    if (!aContent.IsEmpty()) {
+      allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+    }
 
     if (!allowed) {
       // policy is violoated: deny the load unless policy is report only and