| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. |
| 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 315 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 326 ASSERT(element); | 326 ASSERT(element); |
| 327 return isHTMLScriptElement(*element); | 327 return isHTMLScriptElement(*element); |
| 328 } | 328 } |
| 329 | 329 |
| 330 bool isSVGScriptLoader(Element* element) | 330 bool isSVGScriptLoader(Element* element) |
| 331 { | 331 { |
| 332 ASSERT(element); | 332 ASSERT(element); |
| 333 return isSVGScriptElement(*element); | 333 return isSVGScriptElement(*element); |
| 334 } | 334 } |
| 335 | 335 |
| 336 void ScriptLoader::logScriptMimetype(ScriptResource* resource, LocalFrame* frame
, String mimetype) |
| 337 { |
| 338 bool text = mimetype.lower().startsWith("text/"); |
| 339 bool application = mimetype.lower().startsWith("application/"); |
| 340 bool expectedJs = MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimetype)
|| (text && isLegacySupportedJavaScriptLanguage(mimetype.substring(5))); |
| 341 bool sameOrigin = m_element->document().securityOrigin()->canRequest(m_resou
rce->url()); |
| 342 if (expectedJs) { |
| 343 return; |
| 344 } |
| 345 UseCounter::Feature feature = sameOrigin ? (text ? UseCounter::SameOriginTex
tScript : application ? UseCounter::SameOriginApplicationScript : UseCounter::Sa
meOriginOtherScript) : (text ? UseCounter::CrossOriginTextScript : application ?
UseCounter::CrossOriginApplicationScript : UseCounter::CrossOriginOtherScript); |
| 346 UseCounter::count(frame, feature); |
| 347 } |
| 348 |
| 336 bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* com
pilationFinishTime) | 349 bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* com
pilationFinishTime) |
| 337 { | 350 { |
| 338 ASSERT(m_alreadyStarted); | 351 ASSERT(m_alreadyStarted); |
| 339 | 352 |
| 340 if (sourceCode.isEmpty()) | 353 if (sourceCode.isEmpty()) |
| 341 return true; | 354 return true; |
| 342 | 355 |
| 343 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); | 356 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); |
| 344 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum
ent().get(); | 357 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum
ent().get(); |
| 345 if (!contextDocument) | 358 if (!contextDocument) |
| 346 return true; | 359 return true; |
| 347 | 360 |
| 348 LocalFrame* frame = contextDocument->frame(); | 361 LocalFrame* frame = contextDocument->frame(); |
| 349 | 362 |
| 350 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); | 363 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); |
| 351 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) | 364 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) |
| 352 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc
eAttr)) | 365 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc
eAttr)) |
| 353 || csp->allowScriptWithHash(sourceCode.source()); | 366 || csp->allowScriptWithHash(sourceCode.source()); |
| 354 | 367 |
| 355 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), m_startLineNumber, sourceCode.source()))) { | 368 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), m_startLineNumber, sourceCode.source()))) { |
| 356 return false; | 369 return false; |
| 357 } | 370 } |
| 358 | 371 |
| 359 if (m_isExternalScript) { | 372 if (m_isExternalScript) { |
| 360 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); | 373 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); |
| 361 if (resource && !resource->mimeTypeAllowedByNosniff()) { | 374 if (resource) { |
| 362 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe
ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u
rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "')
is not executable, and strict MIME type checking is enabled.")); | 375 if (!resource->mimeTypeAllowedByNosniff()) { |
| 363 return false; | 376 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() +
"') is not executable, and strict MIME type checking is enabled.")); |
| 364 } | 377 return false; |
| 378 } |
| 365 | 379 |
| 366 if (resource && resource->mimeType().lower().startsWith("image/")) { | 380 String mimetype = resource->mimeType(); |
| 367 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe
ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u
rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "')
is not executable.")); | 381 if (mimetype.lower().startsWith("image/")) { |
| 368 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); | 382 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() +
"') is not executable.")); |
| 369 return false; | 383 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScrip
t); |
| 384 return false; |
| 385 } |
| 386 |
| 387 logScriptMimetype(resource, frame, mimetype); |
| 370 } | 388 } |
| 371 } | 389 } |
| 372 | 390 |
| 373 // FIXME: Can this be moved earlier in the function? | 391 // FIXME: Can this be moved earlier in the function? |
| 374 // Why are we ever attempting to execute scripts without a frame? | 392 // Why are we ever attempting to execute scripts without a frame? |
| 375 if (!frame) | 393 if (!frame) |
| 376 return true; | 394 return true; |
| 377 | 395 |
| 378 AccessControlStatus accessControlStatus = NotSharableCrossOrigin; | 396 AccessControlStatus accessControlStatus = NotSharableCrossOrigin; |
| 379 if (!m_isExternalScript) { | 397 if (!m_isExternalScript) { |
| (...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 500 if (isHTMLScriptLoader(element)) | 518 if (isHTMLScriptLoader(element)) |
| 501 return toHTMLScriptElement(element)->loader(); | 519 return toHTMLScriptElement(element)->loader(); |
| 502 | 520 |
| 503 if (isSVGScriptLoader(element)) | 521 if (isSVGScriptLoader(element)) |
| 504 return toSVGScriptElement(element)->loader(); | 522 return toSVGScriptElement(element)->loader(); |
| 505 | 523 |
| 506 return 0; | 524 return 0; |
| 507 } | 525 } |
| 508 | 526 |
| 509 } // namespace blink | 527 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1413193010:
Add counters for various ways of loading scripts with bad mimetypes (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master