Implementation of W3C compliant CSP script-src nonce.

Source/core/loader/cache/CachedResourceLoader.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 128 matching lines @@
 Frame* CachedResourceLoader::frame() const
 {
     return m_documentLoader ? m_documentLoader->frame() : 0;
 }
 
 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResourceRequest& request)
 {
     if (Frame* f = frame()) {
         if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
             KURL requestURL = request.resourceRequest().url();
-            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, NULL))

[abarth-chromium, 2013/05/14 21:11:08]

NULL -> 0

[jww, 2013/05/14 22:55:30]

Done.

                 PingLoader::loadImage(f, requestURL);
             return 0;
         }
     }
     request.setDefer(clientDefersImage(request.resourceRequest().url()) ? CachedResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer);
     return static_cast<CachedImage*>(requestResource(CachedResource::ImageResource, request).get());
 }
 
 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourceRequest& request)
 {
@@ skipping 101 matching lines @@
     }
     case CachedResource::MainResource:
     case CachedResource::LinkPrefetch:
     case CachedResource::LinkSubresource:
         // Prefetch cannot affect the current document.
         break;
     }
     return true;
 }
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, PassRefPtr<Element> initiatorElement, bool forPreload)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
         if (!forPreload)
             FrameLoader::reportLocalLoadFailed(frame(), url.elidedString());
         LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
         return 0;
     }
 
     // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
     bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script()->shouldBypassMainWorldContentSecurityPolicy());
@@ skipping 19 matching lines @@
     case CachedResource::SVGDocumentResource:
 #endif
     case CachedResource::XSLStyleSheet:
         if (!m_document->securityOrigin()->canRequest(url)) {
             printAccessDeniedMessage(url);
             return false;
         }
         break;
     }
 
+    const String& nonce = (initiatorElement != NULL) ? initiatorElement->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString();

[abarth-chromium, 2013/05/14 21:11:08]

(initiatorElement != NULL)   ->   initiatorElement

No need to compare against 0.  The default boolean operator does that for us.

[jww, 2013/05/14 22:55:30]

Done.

+
     switch (type) {
     case CachedResource::XSLStyleSheet:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
             return false;
         break;
     case CachedResource::Script:
-        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+        if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, nonce))
             return false;
 
         if (frame()) {
             Settings* settings = frame()->settings();
             if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) {
                 frame()->loader()->client()->didNotAllowScript();
                 return false;
             }
         }
         break;
@@ skipping 44 matching lines @@
     KURL url = request.resourceRequest().url();
     
     LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '%s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.charset().latin1().data(), request.priority(), request.forPreload());
     
     // If only the fragment identifiers differ, it is the same resource.
     url = MemoryCache::removeFragmentIdentifierIfNeeded(url);
 
     if (!url.isValid())
         return 0;
 
-    if (!canRequest(type, url, request.forPreload()))
+    if (!canRequest(type, url, request.initiatorElement(), request.forPreload()))
         return 0;
 
     if (Frame* f = frame())
         f->loader()->client()->dispatchWillRequestResource(&request);
 
     if (memoryCache()->disabled()) {
         DocumentResourceMap::iterator it = m_documentResources.find(url.string());
         if (it != m_documentResources.end()) {
             it->value->setOwningCachedResourceLoader(0);
             m_documentResources.remove(it);
@@ skipping 534 matching lines @@
     info.ignoreMember(m_initiatorMap);
 }
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
     static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
     return options;
 }
 
 }