Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(705)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 137983010: (Re)organize handling of CORS access control during resource loading. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: HTMLImportLoader no longer needs a ResourceFetcher Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « Source/core/dom/ScriptLoader.h ('k') | Source/core/fetch/FetchRequest.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after
58 , m_startLineNumber(WTF::OrdinalNumber::beforeFirst()) 58 , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
59 , m_parserInserted(parserInserted) 59 , m_parserInserted(parserInserted)
60 , m_isExternalScript(false) 60 , m_isExternalScript(false)
61 , m_alreadyStarted(alreadyStarted) 61 , m_alreadyStarted(alreadyStarted)
62 , m_haveFiredLoad(false) 62 , m_haveFiredLoad(false)
63 , m_willBeParserExecuted(false) 63 , m_willBeParserExecuted(false)
64 , m_readyToBeParserExecuted(false) 64 , m_readyToBeParserExecuted(false)
65 , m_willExecuteWhenDocumentFinishedParsing(false) 65 , m_willExecuteWhenDocumentFinishedParsing(false)
66 , m_forceAsync(!parserInserted) 66 , m_forceAsync(!parserInserted)
67 , m_willExecuteInOrder(false) 67 , m_willExecuteInOrder(false)
68 , m_isPotentiallyCORSEnabled(false)
69 { 68 {
70 ASSERT(m_element); 69 ASSERT(m_element);
71 if (parserInserted && element->document().scriptableDocumentParser() && !ele ment->document().isInDocumentWrite()) 70 if (parserInserted && element->document().scriptableDocumentParser() && !ele ment->document().isInDocumentWrite())
72 m_startLineNumber = element->document().scriptableDocumentParser()->line Number(); 71 m_startLineNumber = element->document().scriptableDocumentParser()->line Number();
73 } 72 }
74 73
75 ScriptLoader::~ScriptLoader() 74 ScriptLoader::~ScriptLoader()
76 { 75 {
77 stopLoadRequest(); 76 stopLoadRequest();
78 } 77 }
(...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after
234 m_willExecuteInOrder = true; 233 m_willExecuteInOrder = true;
235 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::IN_ORDER_EXECUTION); 234 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::IN_ORDER_EXECUTION);
236 m_resource->addClient(this); 235 m_resource->addClient(this);
237 } else if (client->hasSourceAttribute()) { 236 } else if (client->hasSourceAttribute()) {
238 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::ASYNC_EXECUTION); 237 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::ASYNC_EXECUTION);
239 m_resource->addClient(this); 238 m_resource->addClient(this);
240 } else { 239 } else {
241 // Reset line numbering for nested writes. 240 // Reset line numbering for nested writes.
242 TextPosition position = elementDocument.isInDocumentWrite() ? TextPositi on() : scriptStartPosition; 241 TextPosition position = elementDocument.isInDocumentWrite() ? TextPositi on() : scriptStartPosition;
243 KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInsert ed) ? elementDocument.url() : KURL(); 242 KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInsert ed) ? elementDocument.url() : KURL();
244 if (!executePotentiallyCrossOriginScript(ScriptSourceCode(scriptContent( ), scriptURL, position))) 243 executeScript(ScriptSourceCode(scriptContent(), scriptURL, position));
245 return false;
246 } 244 }
247 245
248 return true; 246 return true;
249 } 247 }
250 248
251 bool ScriptLoader::fetchScript(const String& sourceUrl) 249 bool ScriptLoader::fetchScript(const String& sourceUrl)
252 { 250 {
253 ASSERT(m_element); 251 ASSERT(m_element);
254 252
255 RefPtr<Document> elementDocument(m_element->document()); 253 RefPtr<Document> elementDocument(m_element->document());
256 if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) 254 if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
257 return false; 255 return false;
258 if (!m_element->inDocument() || m_element->document() != elementDocument) 256 if (!m_element->inDocument() || m_element->document() != elementDocument)
259 return false; 257 return false;
260 258
261 ASSERT(!m_resource); 259 ASSERT(!m_resource);
262 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { 260 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
263 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName()); 261 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName());
264 262
265 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr); 263 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr);
266 if (!crossOriginMode.isNull()) { 264 if (!crossOriginMode.isNull()) {
267 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 265 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
268 request.setCrossOriginAccessControl(elementDocument->securityOrigin( ), allowCredentials); 266 request.setCrossOriginAccessControl(elementDocument->securityOrigin( ), allowCredentials);
269 m_isPotentiallyCORSEnabled = true;
270 } 267 }
271 request.setCharset(scriptCharset()); 268 request.setCharset(scriptCharset());
272 269
273 bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allo wScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); 270 bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allo wScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
274 if (isValidScriptNonce) 271 if (isValidScriptNonce)
275 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); 272 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
276 273
277 m_resource = elementDocument->fetcher()->fetchScript(request); 274 m_resource = elementDocument->fetcher()->fetchScript(request);
278 m_isExternalScript = true; 275 m_isExternalScript = true;
279 } 276 }
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after
356 ASSERT(resource); 353 ASSERT(resource);
357 if (resource->errorOccurred()) { 354 if (resource->errorOccurred()) {
358 dispatchErrorEvent(); 355 dispatchErrorEvent();
359 } else if (!resource->wasCanceled()) { 356 } else if (!resource->wasCanceled()) {
360 executeScript(ScriptSourceCode(resource)); 357 executeScript(ScriptSourceCode(resource));
361 dispatchLoadEvent(); 358 dispatchLoadEvent();
362 } 359 }
363 resource->removeClient(this); 360 resource->removeClient(this);
364 } 361 }
365 362
366 bool ScriptLoader::executePotentiallyCrossOriginScript(const ScriptSourceCode& s ourceCode)
367 {
368 if (sourceCode.resource()
369 && isPotentiallyCORSEnabled()
370 && !m_element->document().fetcher()->canAccess(sourceCode.resource(), Po tentiallyCORSEnabled)) {
371 dispatchErrorEvent();
372 return false;
373 }
374 executeScript(sourceCode);
375 return true;
376 }
377
378 void ScriptLoader::notifyFinished(Resource* resource) 363 void ScriptLoader::notifyFinished(Resource* resource)
379 { 364 {
380 ASSERT(!m_willBeParserExecuted); 365 ASSERT(!m_willBeParserExecuted);
381 366
382 RefPtr<Document> elementDocument(m_element->document()); 367 RefPtr<Document> elementDocument(m_element->document());
383 RefPtr<Document> contextDocument = elementDocument->contextDocument().get(); 368 RefPtr<Document> contextDocument = elementDocument->contextDocument().get();
384 if (!contextDocument) 369 if (!contextDocument)
385 return; 370 return;
386 371
387 // Resource possibly invokes this notifyFinished() more than 372 // Resource possibly invokes this notifyFinished() more than
388 // once because ScriptLoader doesn't unsubscribe itself from 373 // once because ScriptLoader doesn't unsubscribe itself from
389 // Resource here and does it in execute() instead. 374 // Resource here and does it in execute() instead.
390 // We use m_resource to check if this function is already called. 375 // We use m_resource to check if this function is already called.
391 ASSERT_UNUSED(resource, resource == m_resource); 376 ASSERT_UNUSED(resource, resource == m_resource);
392 if (!m_resource) 377 if (!m_resource)
393 return; 378 return;
394 CORSEnabled corsEnabled = isPotentiallyCORSEnabled() ? PotentiallyCORSEnable d : NotCORSEnabled; 379 if (m_resource->errorOccurred()) {
395 if (!elementDocument->fetcher()->canAccess(m_resource.get(), corsEnabled)) {
396 dispatchErrorEvent(); 380 dispatchErrorEvent();
397 contextDocument->scriptRunner()->notifyScriptLoadError(this, m_willExecu teInOrder ? ScriptRunner::IN_ORDER_EXECUTION : ScriptRunner::ASYNC_EXECUTION); 381 contextDocument->scriptRunner()->notifyScriptLoadError(this, m_willExecu teInOrder ? ScriptRunner::IN_ORDER_EXECUTION : ScriptRunner::ASYNC_EXECUTION);
398 return; 382 return;
399 } 383 }
400
401 if (m_willExecuteInOrder) 384 if (m_willExecuteInOrder)
402 contextDocument->scriptRunner()->notifyScriptReady(this, ScriptRunner::I N_ORDER_EXECUTION); 385 contextDocument->scriptRunner()->notifyScriptReady(this, ScriptRunner::I N_ORDER_EXECUTION);
403 else 386 else
404 contextDocument->scriptRunner()->notifyScriptReady(this, ScriptRunner::A SYNC_EXECUTION); 387 contextDocument->scriptRunner()->notifyScriptReady(this, ScriptRunner::A SYNC_EXECUTION);
405 388
406 m_resource = 0; 389 m_resource = 0;
407 } 390 }
408 391
409 bool ScriptLoader::ignoresLoadRequest() const 392 bool ScriptLoader::ignoresLoadRequest() const
410 { 393 {
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
449 if (isHTMLScriptLoader(element)) 432 if (isHTMLScriptLoader(element))
450 return toHTMLScriptElement(element)->loader(); 433 return toHTMLScriptElement(element)->loader();
451 434
452 if (isSVGScriptLoader(element)) 435 if (isSVGScriptLoader(element))
453 return toSVGScriptElement(element)->loader(); 436 return toSVGScriptElement(element)->loader();
454 437
455 return 0; 438 return 0;
456 } 439 }
457 440
458 } 441 }
OLDNEW
« no previous file with comments | « Source/core/dom/ScriptLoader.h ('k') | Source/core/fetch/FetchRequest.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698