Add counters for various ways of loading scripts with bad mimetypes

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 315 matching lines @@
     ASSERT(element);
     return isHTMLScriptElement(*element);
 }
 
 bool isSVGScriptLoader(Element* element)
 {
     ASSERT(element);
     return isSVGScriptElement(*element);
 }
 
+void ScriptLoader::logScriptMimetype(ScriptResource* resource, LocalFrame* frame, String mimetype)
+{
+    bool text = mimetype.lower().startsWith("text/");
+    bool application = mimetype.lower().startsWith("application/");
+    bool expectedJs = MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimetype) || (text && isLegacySupportedJavaScriptLanguage(mimetype.substring(5)));
+    bool sameOrigin = m_element->document().securityOrigin()->canRequest(m_resource->url());
+    if (!expectedJs) {

[Nate Chapin, 2015/12/03 17:53:32]

Early exit is probably more readable than the remainder of the function wrapped
in an if().

[Dan Ehrenberg, 2015/12/04 19:28:53]

Done

+        UseCounter::Feature feature = sameOrigin ? (text ? UseCounter::SameOriginTextScript : application ? UseCounter::SameOriginApplicationScript : UseCounter::SameOriginOtherScript) : (text ? UseCounter::CrossOriginTextScript : application ? UseCounter::CrossOriginApplicationScript : UseCounter::CrossOriginOtherScript);

[Nate Chapin, 2015/12/03 17:53:32]

This is a bit much for 1 line, even by WebKit-style standards :)

[Dan Ehrenberg, 2015/12/04 19:28:53]

Well, I'd love to, but this is what git cl format seems to force me to do.

+        UseCounter::count(frame, feature);
+    }
+}
+
 bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* compilationFinishTime)
 {
     ASSERT(m_alreadyStarted);
 
     if (sourceCode.isEmpty())
         return true;
 
     RefPtrWillBeRawPtr<Document> elementDocument(m_element->document());
     RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocument().get();
     if (!contextDocument)
         return true;
 
     LocalFrame* frame = contextDocument->frame();
 
     const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
     bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWorldCSP())
         || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr))
         || csp->allowScriptWithHash(sourceCode.source());
 
     if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_startLineNumber, sourceCode.source()))) {
         return false;
     }
 
     if (m_isExternalScript) {
         ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource();
-        if (resource && !resource->mimeTypeAllowedByNosniff()) {
-            contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
-            return false;
-        }
+        if (resource) {
+            if (!resource->mimeTypeAllowedByNosniff()) {
+                contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
+                return false;
+            }
 
-        if (resource && resource->mimeType().lower().startsWith("image/")) {
-            contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable."));
-            UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
-            return false;
+            String mimetype = resource->mimeType();
+            if (mimetype.lower().startsWith("image/")) {
+                contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable."));
+                UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
+                return false;
+            }
+
+            logScriptMimetype(resource, frame, mimetype);
         }
     }
 
     // FIXME: Can this be moved earlier in the function?
     // Why are we ever attempting to execute scripts without a frame?
     if (!frame)
         return true;
 
     AccessControlStatus accessControlStatus = NotSharableCrossOrigin;
     if (!m_isExternalScript) {
@@ skipping 120 matching lines @@
     if (isHTMLScriptLoader(element))
         return toHTMLScriptElement(element)->loader();
 
     if (isSVGScriptLoader(element))
         return toSVGScriptElement(element)->loader();
 
     return 0;
 }
 
 } // namespace blink