Import WebKit commit a8b574fb3cd509a2d3f2a1568ad0a66d1bf0f6e8

Change-Id: I66add69e6d08b74111ec8e7e4401e4d813501206 Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
author: Konstantin Tokarev <annulen@yandex.ru> 2018-01-11 05:56:18 +0300
committer: Liang Qi <liang.qi@qt.io> 2018-01-11 10:25:26 +0000
commit: 79143ccfc158ec4fffc49eee600d600edb342b16 (patch)
tree: 0e078499d8fe3e8627e3612537e61f2dd1029625 /Source/WebCore/dom/ScriptElement.cpp
parent: cb895f50d5c08976c0f5ecbb82e6bd19d9ea090d (diff)
download: qtwebkit-79143ccfc158ec4fffc49eee600d600edb342b16.tar.gz
1 files changed, 9 insertions, 3 deletions
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index 521028195..f9c70e326 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -258,8 +258,9 @@ bool ScriptElement::requestScript(const String& sourceUrl)
 
     ASSERT(!m_cachedScript);
     if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
+        bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
         ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
-        options.setContentSecurityPolicyImposition(m_element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
+        options.setContentSecurityPolicyImposition(hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
 
         CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
 
@@ -293,8 +294,13 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
     if (sourceCode.isEmpty())
         return;
 
-    if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, m_element.isInUserAgentShadowTree()))
-        return;
+    if (!m_isExternalScript) {
+        ASSERT(m_element.document().contentSecurityPolicy());
+        const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
+        bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
+        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), hasKnownNonce))
+            return;
+    }
 
 #if ENABLE(NOSNIFF)
     if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) {
author	Konstantin Tokarev <annulen@yandex.ru>	2018-01-11 05:56:18 +0300
committer	Liang Qi <liang.qi@qt.io>	2018-01-11 10:25:26 +0000
commit	79143ccfc158ec4fffc49eee600d600edb342b16 (patch)
tree	0e078499d8fe3e8627e3612537e61f2dd1029625 /Source/WebCore/dom/ScriptElement.cpp
parent	cb895f50d5c08976c0f5ecbb82e6bd19d9ea090d (diff)
download	qtwebkit-79143ccfc158ec4fffc49eee600d600edb342b16.tar.gz