Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D859
Родитель
e6040e95d1
Коммит
ea1f6cdedb
@ -847,9 +847,12 @@ nsCSPKeywordSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce,
return false;
}
// either the keyword allows the load or the policy contains 'strict-dynamic', in which
// case we have to make sure the script is not parser created before allowing the load.
// case we have to make sure the script is not parser created before allowing the load
// and also eval should be blocked even if 'strict-dynamic' is present. Should be
// allowed only if 'unsafe-eval' is present.
return ((mKeyword == aKeyword) ||
((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
aKeyword != CSP_UNSAFE_EVAL));
}
|
bool
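Review bot: The eval exclusion is folded into the 'strict-dynamic' leg of the return expression as a third `&&` operand (`aKeyword != CSP_UNSAFE_EVAL`), so the rule "nothing but an explicit 'unsafe-eval' grants eval" is only visible by reading the whole boolean; a guard clause states it directly and keeps the strict-dynamic branch about parser-inserted script only. The rewrite below is equivalent: when aKeyword is CSP_UNSAFE_EVAL the new expression reduces to `mKeyword == CSP_UNSAFE_EVAL`, and for every other keyword the added operand is true. The new comment above the return could likewise be tightened to `// 'strict-dynamic' only allows non-parser-inserted script and never grants eval; eval needs an explicit 'unsafe-eval'.` The function's earlier `return false` branch begins outside the hunk, so this assumes nothing before it already handles CSP_UNSAFE_EVAL.
```cpp
  // 'strict-dynamic' never grants eval; only an explicit 'unsafe-eval' does.
  if (aKeyword == CSP_UNSAFE_EVAL) {
    return mKeyword == CSP_UNSAFE_EVAL;
  }
  // either the keyword allows the load or the policy contains 'strict-dynamic',
  // in which case the script must not be parser-inserted.
  return ((mKeyword == aKeyword) ||
          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
```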
@ -1,4 +0,0 @@
[script-src-strict_dynamic_eval.html]
[Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.]
expected: FAIL
@ -1,4 +0,0 @@
[script-src-strict_dynamic_new_function.html]
[Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.]
expected: FAIL