Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Mon, 07 May 2018 14:59:51 -0400
changeset 417134 6419ce7979bdb0de0b4b7bf194976b703912cb4b
parent 417133 3b491d808696692d2f48fb7ff333e579a8312583
child 417135 c12ef7d20d6c7de6aaa0072c33e8153d98e59bd9
push id33961
push userrgurzau@mozilla.com
push dateMon, 07 May 2018 22:08:28 +0000
reviewersckerschb
bugs1439330
milestone61.0a1
Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D859
dom/security/nsCSPUtils.cpp
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -842,19 +842,22 @@ nsCSPKeywordSrc::allows(enum CSPKeyword 
   if (mInvalidated) {
     // only 'self' and 'unsafe-inline' are keywords that can be ignored. Please note that
     // the parser already translates 'self' into a uri (see assertion in constructor).
     MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
                "should only invalidate unsafe-inline");
     return false;
   }
   // either the keyword allows the load or the policy contains 'strict-dynamic', in which
-  // case we have to make sure the script is not parser created before allowing the load.
+  // case we have to make sure the script is not parser created before allowing the load
+  // and also eval should be blocked even if 'strict-dynamic' is present. Should be
+  // allowed only if 'unsafe-eval' is present.
   return ((mKeyword == aKeyword) ||
-          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
+          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
+            aKeyword != CSP_UNSAFE_EVAL));
 }
 
 bool
 nsCSPKeywordSrc::visit(nsCSPSrcVisitor* aVisitor) const
 {
   return aVisitor->visitKeywordSrc(*this);
 }
 
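Review bot: The 'strict-dynamic' branch of the return in nsCSPKeywordSrc::allows is still default-allow, because `aKeyword != CSP_UNSAFE_EVAL` excludes exactly one keyword. As written, a 'strict-dynamic' source still returns true for every other keyword query made with aParserCreated false, which as far as this hunk shows includes CSP_UNSAFE_INLINE. The function starts above the hunk and its callers are not visible, so it may be that only script-load queries reach this branch; if so, naming the keyword(s) the branch is meant to satisfy would be safer than listing the one it must refuse, since a keyword added later would otherwise be granted silently. The new comment is also a run-on; I would split the eval part onto its own line, for example `// 'strict-dynamic' never implies 'unsafe-eval': eval() and new Function() need the keyword itself.` The continuation line `aKeyword != CSP_UNSAFE_EVAL));` is indented one column deeper than the operand it continues.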
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_eval.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_eval.html]
-  [Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.]
-    expected: FAIL
-
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_new_function.html.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[script-src-strict_dynamic_new_function.html]
-  [Script injected via 'eval' is not allowed with 'strict-dynamic' without 'unsafe-eval'.]
-    expected: FAIL
-