Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(489)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/SubresourceIntegrity.cpp

Issue 1279163005: Initial Fetch integration for Subresource Integrity (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « Source/core/frame/SubresourceIntegrity.h ('k') | Source/core/html/HTMLLinkElement.cpp » ('j') | Source/modules/fetch/BodyStreamBuffer.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/SubresourceIntegrity.h" 6 #include "core/frame/SubresourceIntegrity.h"
7 7
8 #include "core/HTMLNames.h" 8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h" 9 #include "core/dom/Document.h"
10 #include "core/dom/Element.h" 10 #include "core/dom/Element.h"
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after
108 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr); 108 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr);
109 if (attribute.isEmpty()) 109 if (attribute.isEmpty())
110 return true; 110 return true;
111 111
112 if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) { 112 if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) {
113 UseCounter::count(document, UseCounter::SRIElementIntegrityAttributeButI neligible); 113 UseCounter::count(document, UseCounter::SRIElementIntegrityAttributeButI neligible);
114 logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl. elidedString() + "' has an integrity attribute, but the resource requires the re quest to be CORS enabled to check the integrity, and it is not. The resource has not been blocked, but no integrity check occurred.", document); 114 logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl. elidedString() + "' has an integrity attribute, but the resource requires the re quest to be CORS enabled to check the integrity, and it is not. The resource has not been blocked, but no integrity check occurred.", document);
115 return false; 115 return false;
116 } 116 }
117 117
118 String errorMessage;
119 bool result = CheckSubresourceIntegrity(attribute, source, resourceUrl, docu ment, errorMessage);
120 logErrorToConsole(errorMessage, document);
121 return result;
122 }
123
124 bool SubresourceIntegrity::CheckSubresourceIntegrity(const String& integrityMeta data, const WTF::String& source, const KURL& resourceUrl, Document& document, St ring& errorMessage)
125 {
118 WTF::Vector<IntegrityMetadata> metadataList; 126 WTF::Vector<IntegrityMetadata> metadataList;
119 IntegrityParseResult integrityParseResult = parseIntegrityAttribute(attribut e, metadataList, document); 127 IntegrityParseResult integrityParseResult = parseIntegrityAttribute(integrit yMetadata, metadataList, document);
120 // On failed parsing, there's no need to log an error here, as 128 // On failed parsing, there's no need to log an error here, as
121 // parseIntegrityAttribute() will output an appropriate console message. 129 // parseIntegrityAttribute() will output an appropriate console message.
122 if (integrityParseResult != IntegrityParseValidResult) 130 if (integrityParseResult != IntegrityParseValidResult)
123 return true; 131 return true;
124 132
125 StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF ::EntitiesForUnencodables); 133 StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF ::EntitiesForUnencodables);
126 134
127 if (!metadataList.size()) 135 if (!metadataList.size())
128 return true; 136 return true;
129 137
(...skipping 22 matching lines...) Expand all
152 } 160 }
153 } 161 }
154 162
155 digest.clear(); 163 digest.clear();
156 if (computeDigest(HashAlgorithmSha256, normalizedSource.data(), normalizedSo urce.length(), digest)) { 164 if (computeDigest(HashAlgorithmSha256, normalizedSource.data(), normalizedSo urce.length(), digest)) {
157 // This message exposes the digest of the resource to the console. 165 // This message exposes the digest of the resource to the console.
158 // Because this is only to the console, that's okay for now, but we 166 // Because this is only to the console, that's okay for now, but we
159 // need to be very careful not to expose this in exceptions or 167 // need to be very careful not to expose this in exceptions or
160 // JavaScript, otherwise it risks exposing information about the 168 // JavaScript, otherwise it risks exposing information about the
161 // resource cross-origin. 169 // resource cross-origin.
162 logErrorToConsole("Failed to find a valid digest in the 'integrity' attr ibute for resource '" + resourceUrl.elidedString() + "' with computed SHA-256 in tegrity '" + digestToString(digest) + "'. The resource has been blocked.", docum ent); 170 errorMessage = "Failed to find a valid digest in the 'integrity' attribu te for resource '" + resourceUrl.elidedString() + "' with computed SHA-256 integ rity '" + digestToString(digest) + "'. The resource has been blocked.";
163 } else { 171 } else {
164 logErrorToConsole("There was an error computing an integrity value for r esource '" + resourceUrl.elidedString() + "'. The resource has been blocked.", d ocument); 172 errorMessage = "There was an error computing an integrity value for reso urce '" + resourceUrl.elidedString() + "'. The resource has been blocked.";
165 } 173 }
166 UseCounter::count(document, UseCounter::SRIElementWithNonMatchingIntegrityAt tribute); 174 UseCounter::count(document, UseCounter::SRIElementWithNonMatchingIntegrityAt tribute);
167 return false; 175 return false;
168 } 176 }
169 177
170 // Before: 178 // Before:
171 // 179 //
172 // [algorithm]-[hash] 180 // [algorithm]-[hash]
173 // ^ ^ 181 // ^ ^
174 // position end 182 // position end
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after
318 metadataList.append(integrityMetadata); 326 metadataList.append(integrityMetadata);
319 } 327 }
320 328
321 if (metadataList.size() == 0 && error) 329 if (metadataList.size() == 0 && error)
322 return IntegrityParseNoValidResult; 330 return IntegrityParseNoValidResult;
323 331
324 return IntegrityParseValidResult; 332 return IntegrityParseValidResult;
325 } 333 }
326 334
327 } // namespace blink 335 } // namespace blink
OLDNEW
« no previous file with comments | « Source/core/frame/SubresourceIntegrity.h ('k') | Source/core/html/HTMLLinkElement.cpp » ('j') | Source/modules/fetch/BodyStreamBuffer.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698