OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 340 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
351 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo rldCSP()) | 351 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo rldCSP()) |
352 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc eAttr)) | 352 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc eAttr)) |
353 || csp->allowScriptWithHash(sourceCode.source()); | 353 || csp->allowScriptWithHash(sourceCode.source()); |
354 | 354 |
355 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber, sourceCode.source()))) { | 355 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber, sourceCode.source()))) { |
356 return false; | 356 return false; |
357 } | 357 } |
358 | 358 |
359 if (m_isExternalScript) { | 359 if (m_isExternalScript) { |
360 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); | 360 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); |
361 if (resource && !resource->mimeTypeAllowedByNosniff()) { | 361 if (resource) { |
362 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); | 362 if (!resource->mimeTypeAllowedByNosniff()) { |
363 return false; | 363 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
364 } | 364 return false; |
365 } | |
365 | 366 |
366 if (resource && resource->mimeType().lower().startsWith("image/")) { | 367 String mimetype = resource->mimeType(); |
367 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); | 368 if (mimetype.lower().startsWith("image/")) { |
368 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); | 369 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); |
369 return false; | 370 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScrip t); |
371 return false; | |
372 } | |
373 | |
374 bool text = mimetype.lower().startsWith("text/"); | |
Nate Chapin
2015/11/10 18:02:49
Maybe pull this new logging into a helper?
Dan Ehrenberg
2015/11/24 00:55:20
Done
| |
375 bool expectedJs = MIMETypeRegistry::isSupportedJavaScriptMIMEType(mi metype) || (text && isLegacySupportedJavaScriptLanguage(mimetype.substring(5))); | |
376 bool sameOrigin = m_element->document().securityOrigin()->canRequest (m_resource->url()); | |
377 if (!expectedJs) { | |
378 UseCounter::Feature feature = sameOrigin ? (text ? UseCounter::S ameOriginTextScript : UseCounter::SameOriginOtherScript) : (text ? UseCounter::C rossOriginTextScript : UseCounter::CrossOriginOtherScript); | |
379 UseCounter::count(frame, feature); | |
380 } | |
370 } | 381 } |
371 } | 382 } |
372 | 383 |
373 // FIXME: Can this be moved earlier in the function? | 384 // FIXME: Can this be moved earlier in the function? |
374 // Why are we ever attempting to execute scripts without a frame? | 385 // Why are we ever attempting to execute scripts without a frame? |
375 if (!frame) | 386 if (!frame) |
376 return true; | 387 return true; |
377 | 388 |
378 AccessControlStatus accessControlStatus = NotSharableCrossOrigin; | 389 AccessControlStatus accessControlStatus = NotSharableCrossOrigin; |
379 if (!m_isExternalScript) { | 390 if (!m_isExternalScript) { |
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
500 if (isHTMLScriptLoader(element)) | 511 if (isHTMLScriptLoader(element)) |
501 return toHTMLScriptElement(element)->loader(); | 512 return toHTMLScriptElement(element)->loader(); |
502 | 513 |
503 if (isSVGScriptLoader(element)) | 514 if (isSVGScriptLoader(element)) |
504 return toSVGScriptElement(element)->loader(); | 515 return toSVGScriptElement(element)->loader(); |
505 | 516 |
506 return 0; | 517 return 0; |
507 } | 518 } |
508 | 519 |
509 } // namespace blink | 520 } // namespace blink |
OLD | NEW |