Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D859

dom/security/nsCSPUtils.cpp

@@ -847,9 +847,12 @@ nsCSPKeywordSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce,
     return false;
   }
   // either the keyword allows the load or the policy contains 'strict-dynamic', in which
-  // case we have to make sure the script is not parser created before allowing the load.
+  // case we have to make sure the script is not parser created before allowing the load
+  // and also eval should be blocked even if 'strict-dynamic' is present. Should be
+  // allowed only if 'unsafe-eval' is present.
   return ((mKeyword == aKeyword) ||
-          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
+          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
+            aKeyword != CSP_UNSAFE_EVAL));
 }
 
 bool

testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini

@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_eval.html]
-  [Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.]
-    expected: FAIL
-

testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini

@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_new_function.html]
-  [Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.]
-    expected: FAIL
-