OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
247 return true; | 247 return true; |
248 } | 248 } |
249 | 249 |
250 bool ScriptElement::requestScript(const String& sourceUrl) | 250 bool ScriptElement::requestScript(const String& sourceUrl) |
251 { | 251 { |
252 RefPtr<Document> originalDocument = m_element->document(); | 252 RefPtr<Document> originalDocument = m_element->document(); |
253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) | 253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) |
254 return false; | 254 return false; |
255 if (!m_element->inDocument() || m_element->document() != originalDocument) | 255 if (!m_element->inDocument() || m_element->document() != originalDocument) |
256 return false; | 256 return false; |
257 if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_elem ent->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_sta rtLineNumber, m_element->document()->completeURL(sourceUrl))) | |
258 return false; | |
259 | 257 |
260 ASSERT(!m_cachedScript); | 258 ASSERT(!m_cachedScript); |
261 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { | 259 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { |
262 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl))); | 260 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl))); |
263 | 261 |
264 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr); | 262 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr); |
265 if (!crossOriginMode.isNull()) { | 263 if (!crossOriginMode.isNull()) { |
266 m_requestUsesAccessControl = true; | 264 m_requestUsesAccessControl = true; |
267 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; | 265 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; |
268 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials); | 266 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials); |
269 } | 267 } |
270 request.setCharset(scriptCharset()); | 268 request.setCharset(scriptCharset()); |
271 request.setInitiator(element()); | 269 request.setInitiator(element()); |
272 | 270 |
271 bool isValidScriptNonce = m_element->document()->contentSecurityPolicy() ->allowScriptNonce(request.initiatorElement()->fastGetAttribute(HTMLNames::nonce Attr)); | |
abarth-chromium
2013/05/16 21:09:16
There's no reason to use the initiator element. W
jww
2013/05/16 21:37:46
Done.
| |
272 if (isValidScriptNonce) | |
273 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); | |
274 | |
273 m_cachedScript = m_element->document()->cachedResourceLoader()->requestS cript(request); | 275 m_cachedScript = m_element->document()->cachedResourceLoader()->requestS cript(request); |
274 m_isExternalScript = true; | 276 m_isExternalScript = true; |
275 } | 277 } |
276 | 278 |
277 if (m_cachedScript) { | 279 if (m_cachedScript) { |
278 return true; | 280 return true; |
279 } | 281 } |
280 | 282 |
281 dispatchErrorEvent(); | 283 dispatchErrorEvent(); |
282 return false; | 284 return false; |
283 } | 285 } |
284 | 286 |
285 void ScriptElement::executeScript(const ScriptSourceCode& sourceCode) | 287 void ScriptElement::executeScript(const ScriptSourceCode& sourceCode) |
286 { | 288 { |
287 ASSERT(m_alreadyStarted); | 289 ASSERT(m_alreadyStarted); |
288 | 290 |
289 if (sourceCode.isEmpty()) | 291 if (sourceCode.isEmpty()) |
290 return; | 292 return; |
291 | 293 |
292 RefPtr<Document> document = m_element->document(); | 294 RefPtr<Document> document = m_element->document(); |
293 Frame* frame = document->frame(); | 295 Frame* frame = document->frame(); |
294 | 296 |
295 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()); | 297 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()); |
296 if (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), d ocument->url(), m_startLineNumber)) | |
297 return; | |
298 | 298 |
299 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! document->contentSecurityPolicy()->allowInlineScript(document->url(), m_startLin eNumber))) | 299 bool isValidScriptNonce = document->contentSecurityPolicy()->allowScriptNonc e(m_element->fastGetAttribute(HTMLNames::nonceAttr)); |
300 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! (isValidScriptNonce || document->contentSecurityPolicy()->allowInlineScript(docu ment->url(), m_startLineNumber)))) | |
abarth-chromium
2013/05/16 21:09:16
We should treat shouldBypassMainWorldContentSecuri
jww
2013/05/16 21:37:46
I'm sure what you mean here. I *think* what you're
| |
300 return; | 301 return; |
301 | 302 |
302 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) { | 303 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) { |
303 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled."); | 304 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled."); |
304 return; | 305 return; |
305 } | 306 } |
306 | 307 |
307 if (frame) { | 308 if (frame) { |
308 { | 309 { |
309 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0); | 310 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0); |
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
422 | 423 |
423 #if ENABLE(SVG) | 424 #if ENABLE(SVG) |
424 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag)) | 425 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag)) |
425 return static_cast<SVGScriptElement*>(element); | 426 return static_cast<SVGScriptElement*>(element); |
426 #endif | 427 #endif |
427 | 428 |
428 return 0; | 429 return 0; |
429 } | 430 } |
430 | 431 |
431 } | 432 } |
OLD | NEW |