summaryrefslogtreecommitdiffstats
path: root/dom/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-09-05 18:42:49 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-09-05 18:42:49 +0200
commit6db06749e2037029adc96660aafa5339ed609e60 (patch)
tree0f3678a1ed688c2f430b1cae5859916790908ac6 /dom/security
parente3c13af9761895a19fb1f58abf920190aa739348 (diff)
downloadUXP-6db06749e2037029adc96660aafa5339ed609e60.tar
UXP-6db06749e2037029adc96660aafa5339ed609e60.tar.gz
UXP-6db06749e2037029adc96660aafa5339ed609e60.tar.lz
UXP-6db06749e2037029adc96660aafa5339ed609e60.tar.xz
UXP-6db06749e2037029adc96660aafa5339ed609e60.zip
Fix whitelisting of JavaScript-uris by CSP hash.
Diffstat (limited to 'dom/security')
-rw-r--r--dom/security/nsCSPContext.cpp15
1 files changed, 13 insertions, 2 deletions
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 65be02809..56a119e1a 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -513,8 +513,19 @@ nsCSPContext::GetAllowsInline(nsContentPolicyType aContentType,
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
bool allowed =
mPolicies[i]->allows(aContentType, CSP_UNSAFE_INLINE, EmptyString(), aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated) ||
- mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ mPolicies[i]->allows(aContentType, CSP_NONCE, aNonce, aParserCreated);
+
+ // If the inlined script or style is allowed by either unsafe-inline or the
+ // nonce, go ahead and shortcut this loop.
+ if (allowed) {
+ continue;
+ }
+
+ // Check if the csp-hash matches against the hash of the script.
+ // If we don't have any content to check, block the script.
+ if (!aContent.IsEmpty()) {
+ allowed = mPolicies[i]->allows(aContentType, CSP_HASH, aContent, aParserCreated);
+ }
if (!allowed) {
// policy is violoated: deny the load unless policy is report only and