Google Git
Sign in
chromium / chromium / src / dcde4983fb48841fc16fcd8a2e166bc02020fd8e
commitdcde4983fb48841fc16fcd8a2e166bc02020fd8e[log] [tgz]
authorHiroshige Hayashizaki <hiroshige@chromium.org>Thu Aug 01 23:44:57 2019
committerCommit Bot <commit-bot@chromium.org>Thu Aug 01 23:44:57 2019
tree23b6cc60f88f30188f6f07c5dabb657dea874597
parent8e23c3ab0a41a79a3e0d1d51a28c12c518f59ba9 [diff]
[CSP] Check inline script CSP in prepare-a-script

This CL moves the inline script CSP check from
PendingScript::ExecuteScriptBlock() (#execute-the-script-block)
to ScriptLoader::PrepareScript() (#prepare-a-script)
as spec'ed.

This CL removes Script::InlineSourceTextForCSP()
which is no longer used.

Behavior changes (the new behavior is spec-conformant and thus
this CL adds WPT tests):

- Previously <script>'s error events were fired
  when inline script CSP check fails,
  while after this CL the events are no longer fired.
  Test: scripthash-basic-blocked-error-event.html
  (Moved from layout test with expectation changes)

  This CL makes Chromium's behavior align with Firefox and Safari.

- If the nonce attribute is changed or the CSP list is updated
  after prepare-a-script before evaluation,
  previously the new nonce/CSP were used for CSP,
  while after this CL the old nonce/CSP
  (at the time of prepare-a-script) is used.
  Test: scriptnonce-changed-*.html

  This CL makes Chromium's behavior align with Firefox.
  (Safari's behavior is different from any other browsers)

This CL also adds scripthash-changed-*.html (just for symmetry
with scriptnonce-changed.html), which pass only on Chromium.

Bug: 964537
Change-Id: I8673956101d9d13708c452db23258f125cb3d256
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1618262
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#683391}
18 files changed
tree: 23b6cc60f88f30188f6f07c5dabb657dea874597
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. .clang-format
  52. .eslintrc.js
  53. .git-blame-ignore-revs
  54. .gitattributes
  55. .gitignore
  56. .gn
  57. .vpython
  58. AUTHORS
  59. BUILD.gn
  60. CODE_OF_CONDUCT.md
  61. codereview.settings
  62. DEPS
  63. ENG_REVIEW_OWNERS
  64. LICENSE
  65. LICENSE.chromium_os
  66. OWNERS
  67. PRESUBMIT.py
  68. PRESUBMIT_test.py
  69. PRESUBMIT_test_mocks.py
  70. README.md
  71. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .