diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 54d43898a66e..0653e84ed357 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -847,9 +847,12 @@ nsCSPKeywordSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce,
 return false;
 }
 // either the keyword allows the load or the policy contains 'strict-dynamic', in which
- // case we have to make sure the script is not parser created before allowing the load.
+ // case we have to make sure the script is not parser created before allowing the load
+ // and also eval should be blocked even if 'strict-dynamic' is present. Should be
+ // allowed only if 'unsafe-eval' is present.
 return ((mKeyword == aKeyword) ||
- ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
+ ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
+ aKeyword != CSP_UNSAFE_EVAL));
 }
 bool
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini
deleted file mode 100644
index dd5ea8dc69da..000000000000
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_eval.html]
- [Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.]
- expected: FAIL
-
diff --git a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini b/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini
deleted file mode 100644
index b2f07f452af4..000000000000
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini
+++ /dev/null
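Review bot: The `aKeyword != CSP_UNSAFE_EVAL` exclusion is buried at the end of the 'strict-dynamic' conjunction, and the new three-line comment splits the rule across two half-sentences, so the security intent is harder to verify at a glance than it needs to be. An equivalent guard placed before the return states it directly: `if (aKeyword == CSP_UNSAFE_EVAL) { return mKeyword == aKeyword; }`, leaving the original strict-dynamic expression untouched and the comment reduced to `// 'strict-dynamic' never grants eval; only an explicit 'unsafe-eval' keyword does.`. That form returns the same value for every input, since the strict-dynamic branch of the new expression is already false whenever aKeyword is CSP_UNSAFE_EVAL. The removed expected-FAIL entries for the two WPT cases (eval and new Function) are the right evidence that the behaviour change is covered by tests. nsCSPKeywordSrc::allows begins before the hunk, so any earlier returns it has are not visible here.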
@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_new_function.html]
- [Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.]
- expected: FAIL
-