Take script URLs into account when applying script content settings.

chrome/renderer/content_settings_observer.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/renderer/content_settings_observer.h"
 
 #include "chrome/common/render_messages.h"
 #include "chrome/common/url_constants.h"
 #include "content/public/renderer/navigation_state.h"
 #include "content/public/renderer/render_view.h"
@@ skipping 49 matching lines @@
 }
 
 }  // namespace
 
 ContentSettings ContentSettingsObserver::default_settings_;
 
 ContentSettingsObserver::ContentSettingsObserver(
     content::RenderView* render_view)
     : content::RenderViewObserver(render_view),
       content::RenderViewObserverTracker<ContentSettingsObserver>(render_view),
+      content_setting_rules_(NULL),
       plugins_temporarily_allowed_(false) {
   ClearBlockedContentSettings();
 }
 
 ContentSettingsObserver::~ContentSettingsObserver() {
 }
 
 void ContentSettingsObserver::SetContentSettings(
     const ContentSettings& settings) {
   current_content_settings_ = settings;
 }
 
 void ContentSettingsObserver::SetDefaultContentSettings(
     const ContentSettings& settings) {
   default_settings_ = settings;
 }
 
-void ContentSettingsObserver::SetImageSettingRules(
-    const ContentSettingsForOneType* image_setting_rules) {
-  image_setting_rules_ = image_setting_rules;
+void ContentSettingsObserver::SetContentSettingRules(
+    const ContentSettingsForOneType* content_setting_rules) {
+  content_setting_rules_ = content_setting_rules;
 }
 
 ContentSetting ContentSettingsObserver::GetContentSetting(
     ContentSettingsType type) {
   // Don't call this for plug-ins.
   DCHECK_NE(CONTENT_SETTINGS_TYPE_PLUGINS, type);
   return current_content_settings_.settings[type];
 }
 
 void ContentSettingsObserver::DidBlockContentType(
@@ skipping 25 matching lines @@
 }
 
 void ContentSettingsObserver::DidCommitProvisionalLoad(
     WebFrame* frame, bool is_new_navigation) {
   if (frame->parent())
     return; // Not a top-level navigation.
 
   NavigationState* state = NavigationState::FromDataSource(frame->dataSource());
   if (!state->was_within_same_page()) {
     // Clear "block" flags for the new page. This needs to happen before any of
-    // allowScripts(), allowImage(), allowPlugins() is called for the new page
-    // so that these functions can correctly detect that a piece of content
-    // flipped from "not blocked" to "blocked".
+    // |AllowScript()|, |AllowScriptFromSource()|, |AllowImage()|, or
+    // |AllowPlugins()| is called for the new page so that these functions can
+    // correctly detect that a piece of content flipped from "not blocked" to
+    // "blocked".
     ClearBlockedContentSettings();
     plugins_temporarily_allowed_ = false;
   }
 
   GURL url = frame->document().url();
 
   if (frame->document().securityOrigin().toString() == "null" &&
       !url.SchemeIs(chrome::kFileScheme)) {
     // The Frame has a unique security origin. Instead of granting the frame
     // privileges based on it's URL, we fall back to the default content
@@ skipping 63 matching lines @@
 
 bool ContentSettingsObserver::AllowImage(WebFrame* frame,
                                          bool enabled_per_settings,
                                          const WebURL& image_url) {
   if (IsWhitelistedForContentSettings(frame))
     return true;
 
   bool allow = enabled_per_settings;
   const GURL& primary_url = GetOriginOrURL(frame);
   GURL secondary_url(image_url);
-  if (image_setting_rules_ &&
+  if (content_setting_rules_ &&
       enabled_per_settings) {
+    const ContentSettingsForOneType& image_setting_rules =
+        content_setting_rules_[CONTENT_SETTINGS_TYPE_IMAGES];
     ContentSettingsForOneType::const_iterator it;
-    for (it = image_setting_rules_->begin();
-         it != image_setting_rules_->end(); ++it) {
+    for (it = image_setting_rules.begin();
+         it != image_setting_rules.end(); ++it) {
       if (it->primary_pattern.Matches(primary_url) &&
           it->secondary_pattern.Matches(secondary_url)) {
         allow = (it->setting != CONTENT_SETTING_BLOCK);
         break;
       }
     }
   }
 
   if (!allow)
     DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES, std::string());
@@ skipping 16 matching lines @@
 }
 
 bool ContentSettingsObserver::AllowPlugins(WebFrame* frame,
                                            bool enabled_per_settings) {
   return enabled_per_settings;
 }
 
 bool ContentSettingsObserver::AllowScript(WebFrame* frame,
                                           bool enabled_per_settings) {
   if (enabled_per_settings &&
       AllowContentType(CONTENT_SETTINGS_TYPE_JAVASCRIPT)) {

[jochen (gone - plz use gerrit), 2011/11/02 09:25:05]

can you also update this to take frame->top and frame into account?

[Bernhard Bauer, 2011/11/02 09:57:14]

How are they going to interact?

[jochen (gone - plz use gerrit), 2011/11/02 10:40:48]

allowScripts checks whether a given security origin is allowed to execute
scripts, ...FromSource controls whether a script is loaded from the network

[marja, 2011/11/02 14:46:35]

Using the top document's security origin as primary URL and the document's
security origin as secondary URL, right?

[jochen (gone - plz use gerrit), 2011/11/02 19:19:00]

right

[marja, 2011/11/02 22:16:01]

Done, in that case.

     return true;
   }
 
   if (IsWhitelistedForContentSettings(frame))
     return true;
 
   return false;  // Other protocols fall through here.
 }
 
+bool ContentSettingsObserver::AllowScriptFromSource(
+    WebFrame* frame,
+    bool enabled_per_settings,
+    const WebKit::WebURL& script_url) {
+  if (!enabled_per_settings)
+    return false;
+  if (IsWhitelistedForContentSettings(frame))
+    return true;
+
+  if (content_setting_rules_) {
+    const ContentSettingsForOneType& script_setting_rules =
+        content_setting_rules_[CONTENT_SETTINGS_TYPE_JAVASCRIPT];
+    const GURL& primary_url = GetOriginOrURL(frame);
+    GURL secondary_url(script_url);
+    ContentSettingsForOneType::const_iterator it;
+    for (it = script_setting_rules.begin();
+         it != script_setting_rules.end(); ++it) {
+      if (it->primary_pattern.Matches(primary_url) &&
+          it->secondary_pattern.Matches(secondary_url)) {
+        return (it->setting != CONTENT_SETTING_BLOCK);
+      }
+    }
+  }
+  return true;
+}
+
 bool ContentSettingsObserver::AllowStorage(WebFrame* frame, bool local) {
   if (frame->document().securityOrigin().isEmpty() ||
       frame->top()->document().securityOrigin().isEmpty())
     return false; // Uninitialized document.
   bool result = false;
 
   StoragePermissionsKey key(
       GURL(frame->document().securityOrigin().toString()), local);
   std::map<StoragePermissionsKey, bool>::const_iterator permissions =
       cached_storage_permissions_.find(key);
@@ skipping 32 matching lines @@
   // CONTENT_SETTING_ASK is only valid for cookies.
   return current_content_settings_.settings[settings_type] !=
       CONTENT_SETTING_BLOCK;
 }
 
 void ContentSettingsObserver::ClearBlockedContentSettings() {
   for (size_t i = 0; i < arraysize(content_blocked_); ++i)
     content_blocked_[i] = false;
   cached_storage_permissions_.clear();
 }