Source/core/frame/SubresourceIntegrity.cpp - Issue 1166003004: SRI fail open on ineligible resources.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/core/frame/SubresourceIntegrity.cpp

Issue 1166003004: SRI fail open on ineligible resources. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Remove a bunch of -expected.txt files Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-unknown-hash-allowed-expected.txt ('k') | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/core/frame/SubresourceIntegrity.cpp

diff --git a/Source/core/frame/SubresourceIntegrity.cpp b/Source/core/frame/SubresourceIntegrity.cpp

index 49916bb5494d2cf5ef601fa5de29f3a6ad773edc..481456e62b589b226772c9fe8ba6dbd0a5b1e876 100644

--- a/Source/core/frame/SubresourceIntegrity.cpp

+++ b/Source/core/frame/SubresourceIntegrity.cpp

@@ -114,14 +114,16 @@ bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con

return true;

if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) {

- logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl.elidedString() + "' has an integrity attribute, but the resource requires CORS to be enabled to check the integrity, and it is not. The resource has been blocked.", document);

- return false;

+ logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl.elidedString() + "' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has not been blocked, but no integrity check occurred.", document);

+ return true;

}

WTF::Vector<IntegrityMetadata> metadataList;

IntegrityParseResult integrityParseResult = parseIntegrityAttribute(attribute, metadataList, document);

+ // On failed parsing, there's no need to log an error here, as

+ // parseIntegrityAttribute() will output an appropriate console message.

if (integrityParseResult != IntegrityParseValidResult)

- return false;

+ return true;

StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF::EntitiesForUnencodables);