Timestamp:
Dec 10, 2021, 11:00:44 AM (3 years ago)
Author:
Patrick Griffis
Message:

LayoutTests/imported/w3c:
CSP: Implement protections against nonce-hijacking
https://bugs.webkit.org/show_bug.cgi?id=233087

Reviewed by Brent Fulgham.

Update expectations.

  • web-platform-tests/content-security-policy/script-src/nonce-enforce-blocked-expected.txt:

Source/WebCore:
CSP: Prevent nonce-hijacking
https://bugs.webkit.org/show_bug.cgi?id=233087

Reviewed by Brent Fulgham.

Implement protections against nonce-hijacking as described in this spec:

https://www.w3.org/TR/CSP3/#security-nonce-hijacking

  • dom/Element.cpp:

(WebCore::Element::isNonceable const):
(WebCore::Element::nonce const):

  • dom/Element.h:

(WebCore::Element::hasDuplicateAttribute const):
(WebCore::Element::setHasDuplicateAttribute):

  • html/parser/AtomHTMLToken.h:

(WebCore::AtomHTMLToken::hasDuplicateAttribute const):
(WebCore::AtomHTMLToken::initializeAttributes):

  • html/parser/HTMLConstructionSite.cpp:

(WebCore::setAttributes):
(WebCore::HTMLConstructionSite::insertCustomElement):

File:
1 edited

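--- a/trunk/Source/WebCore/dom/Element.cpp
+++ b/trunk/Source/WebCore/dom/Element.cpp
@@ -75,4 +75,5 @@
 #include "HTMLOptionElement.h"
 #include "HTMLParserIdioms.h"
+#include "HTMLScriptElement.h"
 #include "HTMLSelectElement.h"
 #include "HTMLTemplateElement.h"
@@ -110,4 +111,5 @@
 #include "SVGNames.h"
 #include "SVGSVGElement.h"
+#include "SVGScriptElement.h"
 #include "ScriptDisallowedScope.h"
 #include "ScrollIntoViewOptions.h"
@@ -319,7 +321,38 @@
 }
 
+bool Element::isNonceable() const
+{
+    // https://www.w3.org/TR/CSP3/#is-element-nonceable
+    if (elementRareData()->nonce().isNull())
+        return false;
+
+    if (hasDuplicateAttribute())
+        return false;
+
+    if (hasAttributes()
+        && (is<HTMLScriptElement>(*this) || is<SVGScriptElement>(*this))) {
+        static const char scriptString[] = "<script";
+        static const char styleString[] = "<style";
+
+        for (const auto& attribute : attributesIterator()) {
+            auto name = attribute.localName().convertToASCIILowercase();
+            auto value = attribute.value().convertToASCIILowercase();
+            if (name.contains(scriptString)
+                || name.contains(styleString)
+                || value.contains(scriptString)
+                || value.contains(styleString))
+                return false;
+        }
+    }
+
+    return true;
+}
+
 const AtomString& Element::nonce() const
 {
-    return hasRareData() ? elementRareData()->nonce() : emptyAtom();
+    if (hasRareData() && isNonceable())
+        return elementRareData()->nonce();
+
+    return emptyAtom();
 }
 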
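Review bot: `isNonceable()` dereferences `elementRareData()` in its first check without testing `hasRareData()`; the only caller visible in this section, `nonce()`, tests it first, so the new function is safe only as long as every other caller repeats that guard. Folding the precondition into the function keeps the nonce-hijacking check self-contained: `if (!hasRareData() || elementRareData()->nonce().isNull()) return false;`. Separately, each `nonce()` call on a script element now lowercases every attribute name and value, which allocates two strings per attribute; a case-insensitive search such as WTF's `containsIgnoringASCIICase` (if it is available on these string types) would give the same match without the copies.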