
Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 1279163005: Initial Fetch integration for Subresource Integrity (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fix test expectations Created 5 years, 4 months ago
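--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
 * (C) 1999 Antti Koivisto (koivisto@kde.org)
 * (C) 2001 Dirk Mueller (mueller@kde.org)
 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
@@ -371,20 +371,38 @@
 if (sourceCode.resource()->response().wasFetchedViaServiceWorker()) {
 if (sourceCode.resource()->response().serviceWorkerResponseType() == WebServiceWorkerResponseTypeOpaque)
 accessControlStatus = OpaqueResource;
 else
 accessControlStatus = SharableCrossOrigin;
 } else if (sourceCode.resource()->passesAccessControlCheck(m_element->do cument().securityOrigin())) {
 accessControlStatus = SharableCrossOrigin;
 }
 }
 
+// The following SRI checks need to be here because, unfortunately, fetches
+// are not done purely according to the Fetch spec. In particular,
+// different requests for the same resource do not have different
+// responses; the memory cache can (and will) return the exact same
+// Resource object. For different requests, the same Resource object will
+// be returned and will not be associated with the particular request.
+// Therefore, when the body of the response comes in, there's no way to
+// validate the integrity of the Resource object against a particular
+// request (since there may be several pending requests all tied to the
+// identical object, and the actual requests are not stored).
+//
+// In order to simulate the correct behavior, Blink explicitly does the SRI
+// checks at execution here (similar to the AccessControlStatus check done
+// above), while having proper Fetch checks in the fetch module for use in
+// the fetch JavaScript API. In a future world where the ResourceFetcher
+// uses the Fetch algorithm, this should be fixed by having separate
+// Response objects (perhaps attached to identical Resource objects) per
+// request. See https://crbug.com/500701 for more information.
 if (m_isExternalScript) {
 const KURL resourceUrl = sourceCode.resource()->resourceRequest().url();
 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url(), *sourceCode.resource())) {
 return false;
 }
 }
 
 const bool isImportedScript = contextDocument != elementDocument;
 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3
 // with additional support for HTML imports.
@@ -498,10 +516,10 @@
 if (isHTMLScriptLoader(element))
 return toHTMLScriptElement(element)->loader();
 
 if (isSVGScriptLoader(element))
 return toSVGScriptElement(element)->loader();
 
 return 0;
 }
 
 } // namespace blink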
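Review bot: The comment added at new lines 381-398 explains why the SRI check runs at execution time, but it does not state the consequence a maintainer needs: integrity is enforced only at this call site, so a Resource handed out by the memory cache is unverified until a consumer runs the check itself. I would append a sentence such as `// Any other consumer of a cached Resource that must honour an integrity attribute has to call CheckSubresourceIntegrity itself.` Separately, in the `if (m_isExternalScript)` block directly below, `resourceUrl` is read from `resourceRequest().url()` but the call passes `sourceCode.resource()->url()`, so the local appears unused in the visible lines. Either drop it or, if the two URLs can differ (for example after a redirect, which is inferred and not shown here), document which one the integrity check is meant to see. The enclosing function starts and ends outside the displayed hunks.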