Merge remote-tracking branch 'origin/5.212' into dev

Change-Id: I9e64176fe95183acf5e093aa081b0a498795bdb2
author: Liang Qi <liang.qi@qt.io> 2018-01-13 21:26:34 +0100
committer: Liang Qi <liang.qi@qt.io> 2018-01-13 21:26:34 +0100
commit: beaeeb99881184fd368c121fcbb1a31c78b794a3 (patch)
tree: 0e078499d8fe3e8627e3612537e61f2dd1029625 /Source/WebCore/dom/ScriptElement.cpp
parent: f7697030f444b5e16331c6d0a99712736b9ff026 (diff)
parent: 79143ccfc158ec4fffc49eee600d600edb342b16 (diff)
download: qtwebkit-beaeeb99881184fd368c121fcbb1a31c78b794a3.tar.gz
1 files changed, 9 insertions, 3 deletions
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index 521028195..f9c70e326 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -258,8 +258,9 @@ bool ScriptElement::requestScript(const String& sourceUrl)
 
     ASSERT(!m_cachedScript);
     if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
+        bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
         ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
-        options.setContentSecurityPolicyImposition(m_element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
+        options.setContentSecurityPolicyImposition(hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
 
         CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
 
@@ -293,8 +294,13 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
     if (sourceCode.isEmpty())
         return;
 
-    if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, m_element.isInUserAgentShadowTree()))
-        return;
+    if (!m_isExternalScript) {
+        ASSERT(m_element.document().contentSecurityPolicy());
+        const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
+        bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.isInUserAgentShadowTree());
+        if (!contentSecurityPolicy.allowInlineScript(m_element.document().url(), m_startLineNumber, sourceCode.source().toStringWithoutCopying(), hasKnownNonce))
+            return;
+    }
 
 #if ENABLE(NOSNIFF)
     if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowedByNosniff()) {
author	Liang Qi <liang.qi@qt.io>	2018-01-13 21:26:34 +0100
committer	Liang Qi <liang.qi@qt.io>	2018-01-13 21:26:34 +0100
commit	beaeeb99881184fd368c121fcbb1a31c78b794a3 (patch)
tree	0e078499d8fe3e8627e3612537e61f2dd1029625 /Source/WebCore/dom/ScriptElement.cpp
parent	f7697030f444b5e16331c6d0a99712736b9ff026 (diff)
parent	79143ccfc158ec4fffc49eee600d600edb342b16 (diff)
download	qtwebkit-beaeeb99881184fd368c121fcbb1a31c78b794a3.tar.gz