Ignore unknown options to subresource integrity

Source/core/frame/SubresourceIntegrity.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "core/frame/SubresourceIntegrity.h"
 
 #include "core/HTMLNames.h"
 #include "core/dom/Document.h"
 #include "core/dom/Element.h"
@@ skipping 17 matching lines @@
 namespace blink {
 
 // FIXME: This should probably use common functions with ContentSecurityPolicy.
 static bool isIntegrityCharacter(UChar c)
 {
     // Check if it's a base64 encoded value. We're pretty loose here, as there's
     // not much risk in it, and it'll make it simpler for developers.
     return isASCIIAlphanumeric(c) || c == '_' || c == '-' || c == '+' || c == '/' || c == '=';
 }
 
-static bool isTypeCharacter(UChar c)
+static bool isValueCharacter(UChar c)
 {
-    return isASCIIAlphanumeric(c) || c == '+' || c == '.' || c == '-';
+    // VCHAR per https://tools.ietf.org/html/rfc5234#appendix-B.1
+    return c >= 0x21 && c <= 0x7e;
 }
 
 static void logErrorToConsole(const String& message, Document& document)
 {
     document.addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message));
 }
 
 static bool DigestsEqual(const DigestValue& digest1, const DigestValue& digest2)
 {
     if (digest1.size() != digest2.size())
         return false;
 
     for (size_t i = 0; i < digest1.size(); i++) {
         if (digest1[i] != digest2[i])
             return false;
     }
 
     return true;
 }
 
 static String digestToString(const DigestValue& digest)
 {
     // We always output base64url encoded data, even though we use base64 internally.
     return base64URLEncode(reinterpret_cast<const char*>(digest.data()), digest.size(), Base64DoNotInsertLFs);
 }
 
-bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, const String& source, const KURL& resourceUrl, const String& resourceType, const Resource& resource)
+bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, const String& source, const KURL& resourceUrl, const Resource& resource)
 {
     if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())
         return true;
 
     if (!element.fastHasAttribute(HTMLNames::integrityAttr))
         return true;
 
     Document& document = element.document();
 
     if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) {
@@ skipping 17 matching lines @@
         digest.clear();
         bool digestSuccess = computeDigest(metadata.algorithm, normalizedSource.data(), normalizedSource.length(), digest);
 
         if (digestSuccess) {
             Vector<char> hashVector;
             base64Decode(metadata.digest, hashVector);
             DigestValue convertedHashVector;
             convertedHashVector.append(reinterpret_cast<uint8_t*>(hashVector.data()), hashVector.size());
 
             if (DigestsEqual(digest, convertedHashVector)) {
-                String& type = metadata.type;
-                if (!type.isEmpty() && !equalIgnoringCase(type, resourceType))
-                    UseCounter::count(document, UseCounter::SRIElementWithNonMatchingIntegrityType);
-                else
-                    return true;
+                UseCounter::count(document, UseCounter::SRIElementWithMatchingIntegrityAttribute);
+                return true;
             }
         }
     }
 
     if (computeDigest(HashAlgorithmSha256, normalizedSource.data(), normalizedSource.length(), digest)) {
         // This message exposes the digest of the resource to the console.
         // Because this is only to the console, that's okay for now, but we
         // need to be very careful not to expose this in exceptions or
         // JavaScript, otherwise it risks exposing information about the
         // resource cross-origin.
-        logErrorToConsole("Failed to find a valid digest with matching content-type in the 'integrity' attribute for resource '" + resourceUrl.elidedString() + "' with computed SHA-256 integrity '" + digestToString(digest) + "'. The resource has been blocked.", document);
+        logErrorToConsole("Failed to find a valid digest in the 'integrity' attribute for resource '" + resourceUrl.elidedString() + "' with computed SHA-256 integrity '" + digestToString(digest) + "'. The resource has been blocked.", document);
     } else {
         logErrorToConsole("There was an error computing an integrity value for resource '" + resourceUrl.elidedString() + "'. The resource has been blocked.", document);
     }
     UseCounter::count(document, UseCounter::SRIElementWithNonMatchingIntegrityAttribute);
     return false;
 }
 
 // Before:
 //
 // [algorithm]-[hash]
@@ skipping 65 matching lines @@
     if (position == begin || (position != end && *position != '?')) {
         digest = emptyString();
         return false;
     }
 
     // We accept base64url encoding, but normalize to "normal" base64 internally:
     digest = normalizeToBase64(String(begin, position - begin));
     return true;
 }
 
-
-// Before:
-//
-// [algorithm]-[hash]     OR      [algorithm]-[hash]?[options]
-//                   ^                              ^         ^
-//        position/end                       position       end
-//
-// After (if successful: if the method returns false, we make no promises and the caller should exit early):
-//
-// [algorithm]-[hash]     OR      [algorithm]-[hash]?[options]
-//                   ^                                        ^
-//        position/end                             position/end
-bool SubresourceIntegrity::parseMimeType(const UChar*& position, const UChar* end, String& type)
-{
-    type = emptyString();
-
-    if (position == end)
-        return true;
-
-    if (!skipToken<UChar>(position, end, "?ct="))
-        return false;
-
-    const UChar* begin = position;
-    skipWhile<UChar, isASCIIAlpha>(position, end);
-    if (position == end)
-        return false;
-
-    if (!skipExactly<UChar>(position, end, '/'))
-        return false;
-
-    if (position == end)
-        return false;
-
-    skipWhile<UChar, isTypeCharacter>(position, end);
-    if (position != end)
-        return false;
-
-    type = String(begin, position - begin);
-    return true;
-}
-
 SubresourceIntegrity::IntegrityParseResult SubresourceIntegrity::parseIntegrityAttribute(const WTF::String& attribute, WTF::Vector<IntegrityMetadata>& metadataList, Document& document)
 {
     Vector<UChar> characters;
     attribute.stripWhiteSpace().appendTo(characters);
     const UChar* position = characters.data();
     const UChar* end = characters.end();
     const UChar* currentIntegrityEnd;
 
     metadataList.clear();
     bool error = false;
 
     // The integrity attribute takes the form:
     //    *WSP hash-with-options *( 1*WSP hash-with-options ) *WSP / *WSP
-    // To parse this, break on whitespace, parsing each algorithm/digest/mime
-    // type in order.
+    // To parse this, break on whitespace, parsing each algorithm/digest/option
+    // in order.
     while (position < end) {
         WTF::String digest;
         HashAlgorithm algorithm;
-        WTF::String type;
 
         skipWhile<UChar, isASCIISpace>(position, end);
         currentIntegrityEnd = position;
         skipUntil<UChar, isASCIISpace>(currentIntegrityEnd, end);
 
         // Algorithm parsing errors are non-fatal (the subresource should
         // still be loaded) because strong hash algorithms should be used
         // without fear of breaking older user agents that don't support
         // them.
         AlgorithmParseResult parseResult = parseAlgorithm(position, currentIntegrityEnd, algorithm);
@@ skipping 17 matching lines @@
         ASSERT(parseResult == AlgorithmValid);
 
         if (!parseDigest(position, currentIntegrityEnd, digest)) {
             logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The digest must be a valid, base64-encoded value.", document);
             error = true;
             skipUntil<UChar, isASCIISpace>(position, end);
             UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrityAttribute);
             continue;
         }
 
-        if (!parseMimeType(position, currentIntegrityEnd, type)) {
-            logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The content type could not be parsed.", document);
-            error = true;
-            skipUntil<UChar, isASCIISpace>(position, end);
-            UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrityAttribute);
-            continue;
+        // The spec defines a space in the syntax for options, separated by a
+        // '?' character followed by unbounded VCHARs, but no actual options
+        // have been defined yet. Thus, for forward compatibility, ignore any
+        // options specified.
+        if (skipExactly<UChar>(position, end, '?')) {
+            const UChar* begin = position;
+            skipWhile<UChar, isValueCharacter>(position, end);
+            if (begin != position)
+                logErrorToConsole("Ignoring unrecogized 'integrity' attribute option '" + String(begin, position - begin) + "'.", document);
         }
 
         IntegrityMetadata integrityMetadata = {
             digest,
-            algorithm,
-            type
+            algorithm
         };
         metadataList.append(integrityMetadata);
     }
 
     if (metadataList.size() == 0 && error)
         return IntegrityParseNoValidResult;
 
     return IntegrityParseValidResult;
 }
 
 } // namespace blink