
Side by Side Diff: Source/core/dom/ScriptElement.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed broken nonce behavior on script redirects. Added test for redirects as well. Created 7 years, 7 months ago
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after
247 return true; 247 return true;
248 } 248 }
249 249
250 bool ScriptElement::requestScript(const String& sourceUrl) 250 bool ScriptElement::requestScript(const String& sourceUrl)
251 { 251 {
252 RefPtr<Document> originalDocument = m_element->document(); 252 RefPtr<Document> originalDocument = m_element->document();
253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) 253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
254 return false; 254 return false;
255 if (!m_element->inDocument() || m_element->document() != originalDocument) 255 if (!m_element->inDocument() || m_element->document() != originalDocument)
256 return false; 256 return false;
257 if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_elem ent->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_sta rtLineNumber, m_element->document()->completeURL(sourceUrl)))
258 return false;
259 257
260 ASSERT(!m_cachedScript); 258 ASSERT(!m_cachedScript);
261 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { 259 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
262 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl))); 260 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl)));
263 261
264 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr); 262 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr);
265 if (!crossOriginMode.isNull()) { 263 if (!crossOriginMode.isNull()) {
266 m_requestUsesAccessControl = true; 264 m_requestUsesAccessControl = true;
267 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 265 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
268 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials); 266 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials);
(...skipping 17 matching lines...) Expand all
286 { 284 {
287 ASSERT(m_alreadyStarted); 285 ASSERT(m_alreadyStarted);
288 286
289 if (sourceCode.isEmpty()) 287 if (sourceCode.isEmpty())
290 return; 288 return;
291 289
292 RefPtr<Document> document = m_element->document(); 290 RefPtr<Document> document = m_element->document();
293 Frame* frame = document->frame(); 291 Frame* frame = document->frame();
294 292
295 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()); 293 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy());
296 if (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), d ocument->url(), m_startLineNumber))
297 return;
298 294
299 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! document->contentSecurityPolicy()->allowInlineScript(document->url(), m_startLin eNumber))) 295 bool validNonce = document->contentSecurityPolicy()->allowNonce(m_element->f astGetAttribute(HTMLNames::nonceAttr));
abarth-chromium 2013/05/16 00:59:27 Maybe isValidNonceForScript? Different types of r
jww 2013/05/16 20:59:00 Done.
296 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! document->contentSecurityPolicy()->allowInlineScript(validNonce, document->url() , m_startLineNumber)))
abarth-chromium 2013/05/16 00:59:27 Is there a reason to call allowInlineScript if the
jww 2013/05/16 20:59:00 Sure, I can do this. I guess my thought was to kee
300 return; 297 return;
301 298
302 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) { 299 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) {
303 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled."); 300 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
304 return; 301 return;
305 } 302 }
306 303
307 if (frame) { 304 if (frame) {
308 { 305 {
309 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0); 306 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0);
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after
422 419
423 #if ENABLE(SVG) 420 #if ENABLE(SVG)
424 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag)) 421 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag))
425 return static_cast<SVGScriptElement*>(element); 422 return static_cast<SVGScriptElement*>(element);
426 #endif 423 #endif
427 424
428 return 0; 425 return 0;
429 } 426 }
430 427
431 } 428 }
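Review bot: After this change nothing visible in ScriptElement.cpp applies the nonce to external scripts: the pre-fetch `allowScriptNonce` check in requestScript (old 257-258) is removed, and the new check at 295-296 in executeScript only runs under `!m_isExternalScript`. Enforcement for `src` scripts presumably moved to load time, which this section does not show; if so, a comment at new line 257 such as `// CSP script-src (nonce included) for external scripts is enforced when the resource is requested, not here.` would keep a later reader from assuming the gate was dropped by accident. `allowNonce` at new line 295 receives the raw attribute value, which is a null string when the element carries no `nonce` attribute, so it is worth confirming (and covering with a test) that null and empty values never count as a valid nonce. Both function bodies continue in lines the page skips.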