
Side by Side Diff: Source/core/dom/ScriptElement.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Factored script nonce checks to point of resource request creation, plus nits from Adam Created 7 years, 7 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after
247 return true; 247 return true;
248 } 248 }
249 249
250 bool ScriptElement::requestScript(const String& sourceUrl) 250 bool ScriptElement::requestScript(const String& sourceUrl)
251 { 251 {
252 RefPtr<Document> originalDocument = m_element->document(); 252 RefPtr<Document> originalDocument = m_element->document();
253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) 253 if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
254 return false; 254 return false;
255 if (!m_element->inDocument() || m_element->document() != originalDocument) 255 if (!m_element->inDocument() || m_element->document() != originalDocument)
256 return false; 256 return false;
257 if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_elem ent->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_sta rtLineNumber, m_element->document()->completeURL(sourceUrl)))
258 return false;
259 257
260 ASSERT(!m_cachedScript); 258 ASSERT(!m_cachedScript);
261 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { 259 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
262 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl))); 260 CachedResourceRequest request(ResourceRequest(m_element->document()->com pleteURL(sourceUrl)));
263 261
264 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr); 262 String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossori ginAttr);
265 if (!crossOriginMode.isNull()) { 263 if (!crossOriginMode.isNull()) {
266 m_requestUsesAccessControl = true; 264 m_requestUsesAccessControl = true;
267 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 265 StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMo de, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
268 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials); 266 updateRequestForAccessControl(request.mutableResourceRequest(), m_el ement->document()->securityOrigin(), allowCredentials);
269 } 267 }
270 request.setCharset(scriptCharset()); 268 request.setCharset(scriptCharset());
271 request.setInitiator(element()); 269 request.setInitiator(element());
272 270
271 bool isValidScriptNonce = m_element->document()->contentSecurityPolicy() ->allowScriptNonce(request.initiatorElement()->fastGetAttribute(HTMLNames::nonce Attr));
abarth-chromium 2013/05/16 21:09:16 There's no reason to use the initiator element. W
jww 2013/05/16 21:37:46 Done.
272 if (isValidScriptNonce)
273 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
274
273 m_cachedScript = m_element->document()->cachedResourceLoader()->requestS cript(request); 275 m_cachedScript = m_element->document()->cachedResourceLoader()->requestS cript(request);
274 m_isExternalScript = true; 276 m_isExternalScript = true;
275 } 277 }
276 278
277 if (m_cachedScript) { 279 if (m_cachedScript) {
278 return true; 280 return true;
279 } 281 }
280 282
281 dispatchErrorEvent(); 283 dispatchErrorEvent();
282 return false; 284 return false;
283 } 285 }
284 286
285 void ScriptElement::executeScript(const ScriptSourceCode& sourceCode) 287 void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
286 { 288 {
287 ASSERT(m_alreadyStarted); 289 ASSERT(m_alreadyStarted);
288 290
289 if (sourceCode.isEmpty()) 291 if (sourceCode.isEmpty())
290 return; 292 return;
291 293
292 RefPtr<Document> document = m_element->document(); 294 RefPtr<Document> document = m_element->document();
293 Frame* frame = document->frame(); 295 Frame* frame = document->frame();
294 296
295 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()); 297 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy());
296 if (!shouldBypassMainWorldContentSecurityPolicy && !document->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), d ocument->url(), m_startLineNumber))
297 return;
298 298
299 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! document->contentSecurityPolicy()->allowInlineScript(document->url(), m_startLin eNumber))) 299 bool isValidScriptNonce = document->contentSecurityPolicy()->allowScriptNonc e(m_element->fastGetAttribute(HTMLNames::nonceAttr));
300 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! (isValidScriptNonce || document->contentSecurityPolicy()->allowInlineScript(docu ment->url(), m_startLineNumber))))
abarth-chromium 2013/05/16 21:09:16 We should treat shouldBypassMainWorldContentSecuri
jww 2013/05/16 21:37:46 I'm sure what you mean here. I *think* what you're
300 return; 301 return;
301 302
302 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) { 303 if (m_isExternalScript && m_cachedScript && !m_cachedScript->mimeTypeAllowed ByNosniff()) {
303 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled."); 304 document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "R efused to execute script from '" + m_cachedScript->url().elidedString() + "' bec ause its MIME type ('" + m_cachedScript->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
304 return; 305 return;
305 } 306 }
306 307
307 if (frame) { 308 if (frame) {
308 { 309 {
309 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0); 310 IgnoreDestructiveWriteCountIncrementer ignoreDesctructiveWriteCountI ncrementer(m_isExternalScript ? document.get() : 0);
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after
422 423
423 #if ENABLE(SVG) 424 #if ENABLE(SVG)
424 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag)) 425 if (element->isSVGElement() && element->hasTagName(SVGNames::scriptTag))
425 return static_cast<SVGScriptElement*>(element); 426 return static_cast<SVGScriptElement*>(element);
426 #endif 427 #endif
427 428
428 return 0; 429 return 0;
429 } 430 }
430 431
431 } 432 }
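Review bot: A matching nonce at new lines 271-273 of requestScript() disables the CSP check for the whole request through `request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy)`, not only the script-src test, so the change is safe only if allowScriptNonce() fails closed. Its implementation is not visible on this page; it should return false when the nonce attribute is null or empty and when the policy declares no nonce source, otherwise every external script would skip CSP, and the inline path at new line 300 depends on the same behaviour. Whether the exemption also covers URLs reached through a redirect depends on how the loader consumes the flag, which this section does not show. I would state the contract at the call site, e.g. `// A matching nonce exempts this load from CSP entirely; allowScriptNonce() must return false for a null or empty nonce and when the policy has no nonce source.`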