| Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| index a7b90c6739fafc8dca761bb50c11c5a5d3962981..f3f9a43dc9815393d7038c17ca56a3aac42d80e8 100644
|
| --- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| +++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
|
| @@ -333,6 +333,19 @@ bool isSVGScriptLoader(Element* element)
|
| return isSVGScriptElement(*element);
|
| }
|
|
|
| +void ScriptLoader::logScriptMimetype(ScriptResource* resource, LocalFrame* frame, String mimetype)
|
| +{
|
| + bool text = mimetype.lower().startsWith("text/");
|
| + bool application = mimetype.lower().startsWith("application/");
|
| + bool expectedJs = MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimetype) || (text && isLegacySupportedJavaScriptLanguage(mimetype.substring(5)));
|
| + bool sameOrigin = m_element->document().securityOrigin()->canRequest(m_resource->url());
|
| + if (expectedJs) {
|
| + return;
|
| + }
|
| + UseCounter::Feature feature = sameOrigin ? (text ? UseCounter::SameOriginTextScript : application ? UseCounter::SameOriginApplicationScript : UseCounter::SameOriginOtherScript) : (text ? UseCounter::CrossOriginTextScript : application ? UseCounter::CrossOriginApplicationScript : UseCounter::CrossOriginOtherScript);
|
| + UseCounter::count(frame, feature);
|
| +}
|
| +
|
| bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* compilationFinishTime)
|
| {
|
| ASSERT(m_alreadyStarted);
|
| @@ -358,15 +371,20 @@ bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* com
|
|
|
| if (m_isExternalScript) {
|
| ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource();
|
| - if (resource && !resource->mimeTypeAllowedByNosniff()) {
|
| - contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
|
| - return false;
|
| - }
|
| -
|
| - if (resource && resource->mimeType().lower().startsWith("image/")) {
|
| - contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable."));
|
| - UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
|
| - return false;
|
| + if (resource) {
|
| + if (!resource->mimeTypeAllowedByNosniff()) {
|
| + contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
|
| + return false;
|
| + }
|
| +
|
| + String mimetype = resource->mimeType();
|
| + if (mimetype.lower().startsWith("image/")) {
|
| + contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable."));
|
| + UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
|
| + return false;
|
| + }
|
| +
|
| + logScriptMimetype(resource, frame, mimetype);
|
| }
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 1413193010:
Add counters for various ways of loading scripts with bad mimetypes (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master