
Side by Side Diff: Source/core/loader/cache/CachedResourceLoader.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 7 years, 7 months ago
OLDNEW
1 /* 1 /*
2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
7 7
8 This library is free software; you can redistribute it and/or 8 This library is free software; you can redistribute it and/or
9 modify it under the terms of the GNU Library General Public 9 modify it under the terms of the GNU Library General Public
10 License as published by the Free Software Foundation; either 10 License as published by the Free Software Foundation; either
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after
139 Frame* CachedResourceLoader::frame() const 139 Frame* CachedResourceLoader::frame() const
140 { 140 {
141 return m_documentLoader ? m_documentLoader->frame() : 0; 141 return m_documentLoader ? m_documentLoader->frame() : 0;
142 } 142 }
143 143
144 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou rceRequest& request) 144 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou rceRequest& request)
145 { 145 {
146 if (Frame* f = frame()) { 146 if (Frame* f = frame()) {
147 if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoD ismissal) { 147 if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoD ismissal) {
148 KURL requestURL = request.resourceRequest().url(); 148 KURL requestURL = request.resourceRequest().url();
149 if (requestURL.isValid() && canRequest(CachedResource::ImageResource , requestURL)) 149 if (requestURL.isValid() && canRequest(CachedResource::ImageResource , requestURL, String()))
150 PingLoader::loadImage(f, requestURL); 150 PingLoader::loadImage(f, requestURL);
151 return 0; 151 return 0;
152 } 152 }
153 } 153 }
154 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? Cached ResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer); 154 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? Cached ResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer);
155 return static_cast<CachedImage*>(requestResource(CachedResource::ImageResour ce, request).get()); 155 return static_cast<CachedImage*>(requestResource(CachedResource::ImageResour ce, request).get());
156 } 156 }
157 157
158 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourc eRequest& request) 158 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourc eRequest& request)
159 { 159 {
(...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after
261 } 261 }
262 case CachedResource::MainResource: 262 case CachedResource::MainResource:
263 case CachedResource::LinkPrefetch: 263 case CachedResource::LinkPrefetch:
264 case CachedResource::LinkSubresource: 264 case CachedResource::LinkSubresource:
265 // Prefetch cannot affect the current document. 265 // Prefetch cannot affect the current document.
266 break; 266 break;
267 } 267 }
268 return true; 268 return true;
269 } 269 }
270 270
271 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url , bool forPreload) 271 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url , const String& nonce, bool forPreload)
272 { 272 {
273 if (document() && !document()->securityOrigin()->canDisplay(url)) { 273 if (document() && !document()->securityOrigin()->canDisplay(url)) {
274 if (!forPreload) 274 if (!forPreload)
275 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString()); 275 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString());
276 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay"); 276 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
277 return 0; 277 return 0;
278 } 278 }
279 279
280 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 280 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
281 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip t()->shouldBypassMainWorldContentSecurityPolicy()); 281 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip t()->shouldBypassMainWorldContentSecurityPolicy());
(...skipping 21 matching lines...) Expand all
303 case CachedResource::XSLStyleSheet: 303 case CachedResource::XSLStyleSheet:
304 if (!m_document->securityOrigin()->canRequest(url)) { 304 if (!m_document->securityOrigin()->canRequest(url)) {
305 printAccessDeniedMessage(url); 305 printAccessDeniedMessage(url);
306 return false; 306 return false;
307 } 307 }
308 break; 308 break;
309 } 309 }
310 310
311 switch (type) { 311 switch (type) {
312 case CachedResource::XSLStyleSheet: 312 case CachedResource::XSLStyleSheet:
313 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url)) 313 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url, nonce))
314 return false; 314 return false;
315 break; 315 break;
316 case CachedResource::Script: 316 case CachedResource::Script:
317 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url)) 317 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url, nonce))
318 return false; 318 return false;
319 319
320 if (frame()) { 320 if (frame()) {
321 Settings* settings = frame()->settings(); 321 Settings* settings = frame()->settings();
322 if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) { 322 if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) {
323 frame()->loader()->client()->didNotAllowScript(); 323 frame()->loader()->client()->didNotAllowScript();
324 return false; 324 return false;
325 } 325 }
326 } 326 }
327 break; 327 break;
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after
372 KURL url = request.resourceRequest().url(); 372 KURL url = request.resourceRequest().url();
373 373
374 LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '% s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.cha rset().latin1().data(), request.priority(), request.forPreload()); 374 LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '% s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.cha rset().latin1().data(), request.priority(), request.forPreload());
375 375
376 // If only the fragment identifiers differ, it is the same resource. 376 // If only the fragment identifiers differ, it is the same resource.
377 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); 377 url = MemoryCache::removeFragmentIdentifierIfNeeded(url);
378 378
379 if (!url.isValid()) 379 if (!url.isValid())
380 return 0; 380 return 0;
381 381
382 if (!canRequest(type, url, request.forPreload())) 382 const String& nonce = (request.initiatorElement() != NULL) ? request.initiat orElement()->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();
abarth-chromium 2013/05/14 05:58:16 Can we put this in the CachedResourceRequest inste
jww 2013/05/14 20:49:30 This is tough because there are 3 call sites for c
383 if (!canRequest(type, url, nonce, request.forPreload()))
383 return 0; 384 return 0;
384 385
385 if (Frame* f = frame()) 386 if (Frame* f = frame())
386 f->loader()->client()->dispatchWillRequestResource(&request); 387 f->loader()->client()->dispatchWillRequestResource(&request);
387 388
388 if (memoryCache()->disabled()) { 389 if (memoryCache()->disabled()) {
389 DocumentResourceMap::iterator it = m_documentResources.find(url.string() ); 390 DocumentResourceMap::iterator it = m_documentResources.find(url.string() );
390 if (it != m_documentResources.end()) { 391 if (it != m_documentResources.end()) {
391 it->value->setOwningCachedResourceLoader(0); 392 it->value->setOwningCachedResourceLoader(0);
392 m_documentResources.remove(it); 393 m_documentResources.remove(it);
(...skipping 534 matching lines...) Expand 10 before | Expand all | Expand 10 after
927 info.ignoreMember(m_initiatorMap); 928 info.ignoreMember(m_initiatorMap);
928 } 929 }
929 930
930 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions( ) 931 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions( )
931 { 932 {
932 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData , AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck); 933 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData , AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
933 return options; 934 return options;
934 } 935 }
935 936
936 } 937 }
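Review bot: At new line 382 a missing nonce is encoded as an empty `AtomicString()` (and as `String()` in requestImage at new line 149), so the script-src checks at new lines 313 and 317 are only safe if `allowScriptFromSource(url, nonce)` never treats a null or empty nonce as matching a policy nonce. That callee is not visible in this file, so the invariant deserves a comment where the value is produced, for example `// A null nonce means "no nonce supplied"; it must never satisfy a script-src nonce check.` Preload requests may reach this line without an initiator element; if so, a script that the nonce would later allow is checked with an empty nonce at preload time, which is worth confirming against the preload path. On style, the line binds a `const String&` to a temporary produced by the conditional and compares against `NULL`; holding it by value reads more plainly: `String nonce = request.initiatorElement() ? request.initiatorElement()->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();`. requestResource's body starts and ends outside the visible lines.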