Chromium Code Reviews Chromium Code Reviews
Issue 1413193010:
Add counters for various ways of loading scripts with bad mimetypes (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
| diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
| index a7b90c6739fafc8dca761bb50c11c5a5d3962981..c1acd20dba3514b3884393b42ed82b44c64b96f5 100644 |
| --- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
| +++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp |
| @@ -333,6 +333,18 @@ bool isSVGScriptLoader(Element* element) |
| return isSVGScriptElement(*element); |
| } |
| +void ScriptLoader::logScriptMimetype(ScriptResource* resource, LocalFrame* frame, String mimetype) |
| +{ |
| + bool text = mimetype.lower().startsWith("text/"); |
| + bool application = mimetype.lower().startsWith("application/"); |
| + bool expectedJs = MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimetype) || (text && isLegacySupportedJavaScriptLanguage(mimetype.substring(5))); |
| + bool sameOrigin = m_element->document().securityOrigin()->canRequest(m_resource->url()); |
| + if (!expectedJs) { |
|
Nate Chapin
2015/12/03 17:53:32
Early exit is probably more readable than the rema
Dan Ehrenberg
2015/12/04 19:28:53
Done
|
| + UseCounter::Feature feature = sameOrigin ? (text ? UseCounter::SameOriginTextScript : application ? UseCounter::SameOriginApplicationScript : UseCounter::SameOriginOtherScript) : (text ? UseCounter::CrossOriginTextScript : application ? UseCounter::CrossOriginApplicationScript : UseCounter::CrossOriginOtherScript); |
|
Nate Chapin
2015/12/03 17:53:32
This is a bit much for 1 line, even by WebKit-styl
Dan Ehrenberg
2015/12/04 19:28:53
Well, I'd love to, but this is what git cl format
|
| + UseCounter::count(frame, feature); |
| + } |
| +} |
| + |
| bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* compilationFinishTime) |
| { |
| ASSERT(m_alreadyStarted); |
| @@ -358,15 +370,20 @@ bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* com |
| if (m_isExternalScript) { |
| ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource(); |
| - if (resource && !resource->mimeTypeAllowedByNosniff()) { |
| - contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
| - return false; |
| - } |
| - |
| - if (resource && resource->mimeType().lower().startsWith("image/")) { |
| - contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); |
| - UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); |
| - return false; |
| + if (resource) { |
| + if (!resource->mimeTypeAllowedByNosniff()) { |
| + contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
| + return false; |
| + } |
| + |
| + String mimetype = resource->mimeType(); |
| + if (mimetype.lower().startsWith("image/")) { |
| + contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); |
| + UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); |
| + return false; |
| + } |
| + |
| + logScriptMimetype(resource, frame, mimetype); |
| } |
| } |
