| OLD | NEW |
| 1 /* | 1 /* |
| 2 * (C) 1999-2003 Lars Knoll (knoll@kde.org) | 2 * (C) 1999-2003 Lars Knoll (knoll@kde.org) |
| 3 * Copyright (C) 2004, 2006, 2007, 2012 Apple Inc. All rights reserved. | 3 * Copyright (C) 2004, 2006, 2007, 2012 Apple Inc. All rights reserved. |
| 4 * | 4 * |
| 5 * This library is free software; you can redistribute it and/or | 5 * This library is free software; you can redistribute it and/or |
| 6 * modify it under the terms of the GNU Library General Public | 6 * modify it under the terms of the GNU Library General Public |
| 7 * License as published by the Free Software Foundation; either | 7 * License as published by the Free Software Foundation; either |
| 8 * version 2 of the License, or (at your option) any later version. | 8 * version 2 of the License, or (at your option) any later version. |
| 9 * | 9 * |
| 10 * This library is distributed in the hope that it will be useful, | 10 * This library is distributed in the hope that it will be useful, |
| 274 return nullAtom; // No namespace. If an element/attribute has a namespac
e, we won't match it. | 274 return nullAtom; // No namespace. If an element/attribute has a namespac
e, we won't match it. |
| 275 if (prefix == starAtom) | 275 if (prefix == starAtom) |
| 276 return starAtom; // We'll match any namespace. | 276 return starAtom; // We'll match any namespace. |
| 277 return m_namespaces.get(prefix); | 277 return m_namespaces.get(prefix); |
| 278 } | 278 } |
| 279 | 279 |
| 280 void StyleSheetContents::parseAuthorStyleSheet(const CSSStyleSheetResource* cach
edStyleSheet, const SecurityOrigin* securityOrigin) | 280 void StyleSheetContents::parseAuthorStyleSheet(const CSSStyleSheetResource* cach
edStyleSheet, const SecurityOrigin* securityOrigin) |
| 281 { | 281 { |
| 282 TRACE_EVENT1("blink,devtools.timeline", "ParseAuthorStyleSheet", "data", Ins
pectorParseAuthorStyleSheetEvent::data(cachedStyleSheet)); | 282 TRACE_EVENT1("blink,devtools.timeline", "ParseAuthorStyleSheet", "data", Ins
pectorParseAuthorStyleSheetEvent::data(cachedStyleSheet)); |
| 283 | 283 |
| 284 bool hasValidMIMEType = false; | 284 bool isSameOriginRequest = securityOrigin && securityOrigin->canRequest(base
URL()); |
| 285 String sheetText = cachedStyleSheet->sheetText(&hasValidMIMEType); | 285 CSSStyleSheetResource::MIMETypeCheck mimeTypeCheck = isQuirksModeBehavior(m_
parserContext.mode()) && isSameOriginRequest ? CSSStyleSheetResource::MIMETypeCh
eck::Lax : CSSStyleSheetResource::MIMETypeCheck::Strict; |
| 286 String sheetText = cachedStyleSheet->sheetText(mimeTypeCheck); |
| 286 | 287 |
| 287 const ResourceResponse& response = cachedStyleSheet->response(); | 288 const ResourceResponse& response = cachedStyleSheet->response(); |
| 288 m_sourceMapURL = response.httpHeaderField("SourceMap"); | 289 m_sourceMapURL = response.httpHeaderField("SourceMap"); |
| 289 if (m_sourceMapURL.isEmpty()) { | 290 if (m_sourceMapURL.isEmpty()) { |
| 290 // Try to get deprecated header. | 291 // Try to get deprecated header. |
| 291 m_sourceMapURL = response.httpHeaderField("X-SourceMap"); | 292 m_sourceMapURL = response.httpHeaderField("X-SourceMap"); |
| 292 } | 293 } |
| 293 | 294 |
| 294 CSSParserContext context(parserContext(), UseCounter::getFrom(this)); | 295 CSSParserContext context(parserContext(), UseCounter::getFrom(this)); |
| 295 CSSParser::parseSheet(context, this, sheetText, nullptr); | 296 CSSParser::parseSheet(context, this, sheetText, nullptr); |
| 296 | |
| 297 // If we're loading a stylesheet cross-origin, and the MIME type is not stan
dard, require the CSS | |
| 298 // to at least start with a syntactically valid CSS rule. | |
| 299 // This prevents an attacker playing games by injecting CSS strings into HTM
L, XML, JSON, etc. etc. | |
| 300 if (!hasValidMIMEType && !hasSyntacticallyValidCSSHeader()) { | |
| 301 bool isCrossOriginCSS = !securityOrigin || !securityOrigin->canRequest(b
aseURL()); | |
| 302 if (isCrossOriginCSS) { | |
| 303 clearRules(); | |
| 304 return; | |
| 305 } | |
| 306 } | |
| 307 } | 297 } |
| 308 | 298 |
| 309 void StyleSheetContents::parseString(const String& sheetText) | 299 void StyleSheetContents::parseString(const String& sheetText) |
| 310 { | 300 { |
| 311 parseStringAtPosition(sheetText, TextPosition::minimumPosition()); | 301 parseStringAtPosition(sheetText, TextPosition::minimumPosition()); |
| 312 } | 302 } |
| 313 | 303 |
| 314 void StyleSheetContents::parseStringAtPosition(const String& sheetText, const Te
xtPosition& startPosition) | 304 void StyleSheetContents::parseStringAtPosition(const String& sheetText, const Te
xtPosition& startPosition) |
| 315 { | 305 { |
| 316 CSSParserContext context(parserContext(), UseCounter::getFrom(this)); | 306 CSSParserContext context(parserContext(), UseCounter::getFrom(this)); |
| 649 visitor->trace(m_ownerRule); | 639 visitor->trace(m_ownerRule); |
| 650 visitor->trace(m_importRules); | 640 visitor->trace(m_importRules); |
| 651 visitor->trace(m_childRules); | 641 visitor->trace(m_childRules); |
| 652 visitor->trace(m_loadingClients); | 642 visitor->trace(m_loadingClients); |
| 653 visitor->trace(m_completedClients); | 643 visitor->trace(m_completedClients); |
| 654 visitor->trace(m_ruleSet); | 644 visitor->trace(m_ruleSet); |
| 655 #endif | 645 #endif |
| 656 } | 646 } |
| 657 | 647 |
| 658 } | 648 } |
| OLD | NEW |
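Review bot: The new `mimeTypeCheck` selection in `parseAuthorStyleSheet` (new lines 284-286) has no comment, while the block it replaces explained why cross-origin sheets with a non-standard MIME type are suspect, so that rationale is no longer visible where the decision is made. I would add above it something like `// Lax MIME checking only for same-origin sheets in quirks mode; cross-origin or unknown-origin loads always get Strict, since CSS can be injected into HTML, XML or JSON responses.` The ternary also relies on `&&` binding tighter than `?:`; writing the condition as `(isQuirksModeBehavior(m_parserContext.mode()) && isSameOriginRequest)` makes the fail-closed default easier to audit. A null `securityOrigin` falls through to Strict, which looks intended and is worth stating in the comment. What `sheetText()` returns when the Strict check fails is not visible in this section, so it is worth confirming that `CSSParser::parseSheet` then leaves the sheet without rules, as the removed `clearRules()` path did.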