Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb
☠☠ backed out by eb408f77a028 ☠ ☠
authorvinoth <cegvinoth@gmail.com>
Sat, 28 Apr 2018 09:53:25 -0400
changeset 472263 f9abb3479fdd7127f6e9be4c1638f88ef47240d0
parent 472262 3565b2cec52c2f5f89a990452c02e847d5a03084
child 472264 254e0c58f80fd65ad00bcd3b4dfd324a05d93e67
push id1728
push userjlund@mozilla.com
push dateMon, 18 Jun 2018 21:12:27 +0000
treeherdermozilla-release@c296fde26f5f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersckerschb
bugs1439330
milestone61.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1439330 - Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D859
dom/security/nsCSPUtils.cpp
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -842,19 +842,22 @@ nsCSPKeywordSrc::allows(enum CSPKeyword 
   if (mInvalidated) {
     // only 'self' and 'unsafe-inline' are keywords that can be ignored. Please note that
     // the parser already translates 'self' into a uri (see assertion in constructor).
     MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
                "should only invalidate unsafe-inline");
     return false;
   }
   // either the keyword allows the load or the policy contains 'strict-dynamic', in which
-  // case we have to make sure the script is not parser created before allowing the load.
+  // case we have to make sure the script is not parser created before allowing the load
+  // and also eval should be blocked even if 'strict-dynamic' is present. Should be
+  // allowed only if 'unsafe-eval' is present.
   return ((mKeyword == aKeyword) ||
-          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
+          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
+            aKeyword != CSP_UNSAFE_EVAL));
 }
 
 bool
 nsCSPKeywordSrc::visit(nsCSPSrcVisitor* aVisitor) const
 {
   return aVisitor->visitKeywordSrc(*this);
 }