Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D859
vinoth 2018-05-07 14:59:51 -04:00
Parent e6040e95d1
Commit ea1f6cdedb
3 changed files: 5 additions and 10 deletions

@ -847,9 +847,12 @@ nsCSPKeywordSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce,
return false;
}
// either the keyword allows the load or the policy contains 'strict-dynamic', in which
// case we have to make sure the script is not parser created before allowing the load.
// case we have to make sure the script is not parser created before allowing the load
// and also eval should be blocked even if 'strict-dynamic' is present. Should be
// allowed only if 'unsafe-eval' is present.
return ((mKeyword == aKeyword) ||
((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
aKeyword != CSP_UNSAFE_EVAL));
}
bool
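Review bot: The new `aKeyword != CSP_UNSAFE_EVAL` guard sits only on the `CSP_STRICT_DYNAMIC` branch, so a policy that lists both 'strict-dynamic' and 'unsafe-eval' still allows eval through the first `mKeyword == aKeyword` branch, which matches the intent of the commit message; it does rely on every eval-style entry point reaching `allows()` with `aKeyword == CSP_UNSAFE_EVAL`, which is what the two deleted wpt expectation files in this patch exercise. The rewritten comment reads awkwardly, in particular "and also eval should be blocked even if 'strict-dynamic' is present. Should be allowed only if 'unsafe-eval' is present." is a fragment; suggest "eval stays blocked under 'strict-dynamic' and is allowed only when 'unsafe-eval' is also listed."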

@ -1,4 +0,0 @@
[script-src-strict_dynamic_eval.html]
[Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.]
expected: FAIL
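Review bot: Deleting the whole expectation file (the hunk is `-1,4 +0,0`) rather than editing `expected: FAIL` is the right move for wpt metadata: a passing test needs no .ini entry, and a stale override would hide a later regression as "expected". The subtest name here describes exactly the behaviour the C++ change enables (`eval` blocked with `strict-dynamic` and no `unsafe-eval`), so this deletion is the evidence the change works; the commit message could say that these wpt tests now pass.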

@ -1,4 +0,0 @@
[script-src-strict_dynamic_new_function.html]
[Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.]
expected: FAIL
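Review bot: Same deletion pattern as the previous expectation file, this time for the `new Function` variant, so the two removed .ini files together cover both eval entry points that the `aKeyword != CSP_UNSAFE_EVAL` check has to block. The subtest description still says 'eval' although the file is `script-src-strict_dynamic_new_function.html`; that string is the subtest name reported by the test itself, not something this patch controls, so nothing to change here.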