Chromium Code Reviews Chromium Code Reviews
Issue 14949017:
Implementation of W3C compliant CSP script-src nonce. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) | 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) |
| 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) | 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) |
| 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) | 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) |
| 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. | 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. |
| 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ | 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ |
| 7 | 7 |
| 8 This library is free software; you can redistribute it and/or | 8 This library is free software; you can redistribute it and/or |
| 9 modify it under the terms of the GNU Library General Public | 9 modify it under the terms of the GNU Library General Public |
| 10 License as published by the Free Software Foundation; either | 10 License as published by the Free Software Foundation; either |
| (...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 140 Frame* CachedResourceLoader::frame() const | 140 Frame* CachedResourceLoader::frame() const |
| 141 { | 141 { |
| 142 return m_documentLoader ? m_documentLoader->frame() : 0; | 142 return m_documentLoader ? m_documentLoader->frame() : 0; |
| 143 } | 143 } |
| 144 | 144 |
| 145 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou rceRequest& request) | 145 CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou rceRequest& request) |
| 146 { | 146 { |
| 147 if (Frame* f = frame()) { | 147 if (Frame* f = frame()) { |
| 148 if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoD ismissal) { | 148 if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoD ismissal) { |
| 149 KURL requestURL = request.resourceRequest().url(); | 149 KURL requestURL = request.resourceRequest().url(); |
| 150 if (requestURL.isValid() && canRequest(CachedResource::ImageResource , requestURL)) | 150 if (requestURL.isValid() && canRequest(CachedResource::ImageResource , requestURL, CheckContentSecurityPolicy)) |
| 151 PingLoader::loadImage(f, requestURL); | 151 PingLoader::loadImage(f, requestURL); |
| 152 return 0; | 152 return 0; |
| 153 } | 153 } |
| 154 } | 154 } |
| 155 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? Cached ResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer); | 155 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? Cached ResourceRequest::DeferredByClient : CachedResourceRequest::NoDefer); |
| 156 return static_cast<CachedImage*>(requestResource(CachedResource::ImageResour ce, request).get()); | 156 return static_cast<CachedImage*>(requestResource(CachedResource::ImageResour ce, request).get()); |
| 157 } | 157 } |
| 158 | 158 |
| 159 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourc eRequest& request) | 159 CachedResourceHandle<CachedFont> CachedResourceLoader::requestFont(CachedResourc eRequest& request) |
| 160 { | 160 { |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 179 CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt yleSheet(CachedResourceRequest& request) | 179 CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt yleSheet(CachedResourceRequest& request) |
| 180 { | 180 { |
| 181 KURL url = MemoryCache::removeFragmentIdentifierIfNeeded(request.resourceReq uest().url()); | 181 KURL url = MemoryCache::removeFragmentIdentifierIfNeeded(request.resourceReq uest().url()); |
| 182 | 182 |
| 183 if (CachedResource* existing = memoryCache()->resourceForURL(url)) { | 183 if (CachedResource* existing = memoryCache()->resourceForURL(url)) { |
| 184 if (existing->type() == CachedResource::CSSStyleSheet) | 184 if (existing->type() == CachedResource::CSSStyleSheet) |
| 185 return static_cast<CachedCSSStyleSheet*>(existing); | 185 return static_cast<CachedCSSStyleSheet*>(existing); |
| 186 memoryCache()->remove(existing); | 186 memoryCache()->remove(existing); |
| 187 } | 187 } |
| 188 | 188 |
| 189 request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, B ufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCross OriginCredentials, SkipSecurityCheck)); | 189 request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, B ufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCross OriginCredentials, SkipSecurityCheck, CheckContentSecurityPolicy)); |
| 190 return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSS StyleSheet, request).get()); | 190 return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSS StyleSheet, request).get()); |
| 191 } | 191 } |
| 192 | 192 |
| 193 CachedResourceHandle<CachedScript> CachedResourceLoader::requestScript(CachedRes ourceRequest& request) | 193 CachedResourceHandle<CachedScript> CachedResourceLoader::requestScript(CachedRes ourceRequest& request) |
| 194 { | 194 { |
| 195 return static_cast<CachedScript*>(requestResource(CachedResource::Script, re quest).get()); | 195 return static_cast<CachedScript*>(requestResource(CachedResource::Script, re quest).get()); |
| 196 } | 196 } |
| 197 | 197 |
| 198 CachedResourceHandle<CachedXSLStyleSheet> CachedResourceLoader::requestXSLStyleS heet(CachedResourceRequest& request) | 198 CachedResourceHandle<CachedXSLStyleSheet> CachedResourceLoader::requestXSLStyleS heet(CachedResourceRequest& request) |
| 199 { | 199 { |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 254 } | 254 } |
| 255 case CachedResource::MainResource: | 255 case CachedResource::MainResource: |
| 256 case CachedResource::LinkPrefetch: | 256 case CachedResource::LinkPrefetch: |
| 257 case CachedResource::LinkSubresource: | 257 case CachedResource::LinkSubresource: |
| 258 // Prefetch cannot affect the current document. | 258 // Prefetch cannot affect the current document. |
| 259 break; | 259 break; |
| 260 } | 260 } |
| 261 return true; | 261 return true; |
| 262 } | 262 } |
| 263 | 263 |
| 264 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url , bool forPreload) | 264 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url , ContentSecurityPolicyCheck contentSecurityPolicyCheck, bool forPreload) |
| 265 { | 265 { |
| 266 if (document() && !document()->securityOrigin()->canDisplay(url)) { | 266 if (document() && !document()->securityOrigin()->canDisplay(url)) { |
| 267 if (!forPreload) | 267 if (!forPreload) |
| 268 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString()); | 268 FrameLoader::reportLocalLoadFailed(frame(), url.elidedString()); |
| 269 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay"); | 269 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay"); |
| 270 return 0; | 270 return 0; |
| 271 } | 271 } |
| 272 | 272 |
| 273 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. | 273 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. |
| 274 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip t()->shouldBypassMainWorldContentSecurityPolicy()); | 274 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip t()->shouldBypassMainWorldContentSecurityPolicy()); |
| 275 | 275 |
| 276 bool doNotCheckContentSecurityPolicy = contentSecurityPolicyCheck == DoNotCh eckContentSecurityPolicy; | |
|
abarth-chromium
2013/05/16 21:09:16
We should just fold this value into shouldBypassMa
jww
2013/05/16 21:37:46
Done.
| |
| 277 | |
| 276 // Some types of resources can be loaded only from the same origin. Other | 278 // Some types of resources can be loaded only from the same origin. Other |
| 277 // types of resources, like Images, Scripts, and CSS, can be loaded from | 279 // types of resources, like Images, Scripts, and CSS, can be loaded from |
| 278 // any URL. | 280 // any URL. |
| 279 switch (type) { | 281 switch (type) { |
| 280 case CachedResource::MainResource: | 282 case CachedResource::MainResource: |
| 281 case CachedResource::ImageResource: | 283 case CachedResource::ImageResource: |
| 282 case CachedResource::CSSStyleSheet: | 284 case CachedResource::CSSStyleSheet: |
| 283 case CachedResource::Script: | 285 case CachedResource::Script: |
| 284 case CachedResource::FontResource: | 286 case CachedResource::FontResource: |
| 285 case CachedResource::RawResource: | 287 case CachedResource::RawResource: |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 296 case CachedResource::XSLStyleSheet: | 298 case CachedResource::XSLStyleSheet: |
| 297 if (!m_document->securityOrigin()->canRequest(url)) { | 299 if (!m_document->securityOrigin()->canRequest(url)) { |
| 298 printAccessDeniedMessage(url); | 300 printAccessDeniedMessage(url); |
| 299 return false; | 301 return false; |
| 300 } | 302 } |
| 301 break; | 303 break; |
| 302 } | 304 } |
| 303 | 305 |
| 304 switch (type) { | 306 switch (type) { |
| 305 case CachedResource::XSLStyleSheet: | 307 case CachedResource::XSLStyleSheet: |
| 306 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url)) | 308 if (!shouldBypassMainWorldContentSecurityPolicy && !(doNotCheckContentSe curityPolicy || m_document->contentSecurityPolicy()->allowScriptFromSource(url)) ) |
| 307 return false; | 309 return false; |
| 308 break; | 310 break; |
| 309 case CachedResource::Script: | 311 case CachedResource::Script: |
| 310 if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentS ecurityPolicy()->allowScriptFromSource(url)) | 312 if (!shouldBypassMainWorldContentSecurityPolicy && !(doNotCheckContentSe curityPolicy || m_document->contentSecurityPolicy()->allowScriptFromSource(url)) ) |
| 311 return false; | 313 return false; |
| 312 | 314 |
| 313 if (frame()) { | 315 if (frame()) { |
| 314 Settings* settings = frame()->settings(); | 316 Settings* settings = frame()->settings(); |
| 315 if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) { | 317 if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) { |
| 316 frame()->loader()->client()->didNotAllowScript(); | 318 frame()->loader()->client()->didNotAllowScript(); |
| 317 return false; | 319 return false; |
| 318 } | 320 } |
| 319 } | 321 } |
| 320 break; | 322 break; |
| (...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 365 KURL url = request.resourceRequest().url(); | 367 KURL url = request.resourceRequest().url(); |
| 366 | 368 |
| 367 LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '% s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.cha rset().latin1().data(), request.priority(), request.forPreload()); | 369 LOG(ResourceLoading, "CachedResourceLoader::requestResource '%s', charset '% s', priority=%d, forPreload=%u", url.elidedString().latin1().data(), request.cha rset().latin1().data(), request.priority(), request.forPreload()); |
| 368 | 370 |
| 369 // If only the fragment identifiers differ, it is the same resource. | 371 // If only the fragment identifiers differ, it is the same resource. |
| 370 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); | 372 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); |
| 371 | 373 |
| 372 if (!url.isValid()) | 374 if (!url.isValid()) |
| 373 return 0; | 375 return 0; |
| 374 | 376 |
| 375 if (!canRequest(type, url, request.forPreload())) | 377 if (!canRequest(type, url, request.options().cspCheck, request.forPreload()) ) |
| 376 return 0; | 378 return 0; |
| 377 | 379 |
| 378 if (Frame* f = frame()) | 380 if (Frame* f = frame()) |
| 379 f->loader()->client()->dispatchWillRequestResource(&request); | 381 f->loader()->client()->dispatchWillRequestResource(&request); |
| 380 | 382 |
| 381 if (memoryCache()->disabled()) { | 383 if (memoryCache()->disabled()) { |
| 382 DocumentResourceMap::iterator it = m_documentResources.find(url.string() ); | 384 DocumentResourceMap::iterator it = m_documentResources.find(url.string() ); |
| 383 if (it != m_documentResources.end()) { | 385 if (it != m_documentResources.end()) { |
| 384 it->value->setOwningCachedResourceLoader(0); | 386 it->value->setOwningCachedResourceLoader(0); |
| 385 m_documentResources.remove(it); | 387 m_documentResources.remove(it); |
| (...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 538 ASSERT(resource->inCache()); | 540 ASSERT(resource->inCache()); |
| 539 ASSERT(!memoryCache()->disabled()); | 541 ASSERT(!memoryCache()->disabled()); |
| 540 ASSERT(resource->canUseCacheValidator()); | 542 ASSERT(resource->canUseCacheValidator()); |
| 541 ASSERT(!resource->resourceToRevalidate()); | 543 ASSERT(!resource->resourceToRevalidate()); |
| 542 | 544 |
| 543 addAdditionalRequestHeaders(resource->resourceRequest(), resource->type()); | 545 addAdditionalRequestHeaders(resource->resourceRequest(), resource->type()); |
| 544 CachedResourceHandle<CachedResource> newResource = createResource(resource-> type(), resource->resourceRequest(), resource->encoding()); | 546 CachedResourceHandle<CachedResource> newResource = createResource(resource-> type(), resource->resourceRequest(), resource->encoding()); |
| 545 | 547 |
| 546 LOG(ResourceLoading, "Resource %p created to revalidate %p", newResource.get (), resource); | 548 LOG(ResourceLoading, "Resource %p created to revalidate %p", newResource.get (), resource); |
| 547 newResource->setResourceToRevalidate(resource); | 549 newResource->setResourceToRevalidate(resource); |
| 548 | 550 |
|
abarth-chromium
2013/05/16 21:09:16
This change seems spurious.
jww
2013/05/16 21:37:46
Done.
| |
| 549 memoryCache()->remove(resource); | 551 memoryCache()->remove(resource); |
| 550 memoryCache()->add(newResource.get()); | 552 memoryCache()->add(newResource.get()); |
| 551 storeResourceTimingInitiatorInformation(newResource, request); | 553 storeResourceTimingInitiatorInformation(newResource, request); |
| 552 return newResource; | 554 return newResource; |
| 553 } | 555 } |
| 554 | 556 |
| 555 CachedResourceHandle<CachedResource> CachedResourceLoader::loadResource(CachedRe source::Type type, CachedResourceRequest& request, const String& charset) | 557 CachedResourceHandle<CachedResource> CachedResourceLoader::loadResource(CachedRe source::Type type, CachedResourceRequest& request, const String& charset) |
| 556 { | 558 { |
| 557 ASSERT(!memoryCache()->resourceForURL(request.resourceRequest().url())); | 559 ASSERT(!memoryCache()->resourceForURL(request.resourceRequest().url())); |
| 558 | 560 |
| (...skipping 448 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1007 info.addMember(m_validatedURLs, "validatedURLs"); | 1009 info.addMember(m_validatedURLs, "validatedURLs"); |
| 1008 info.addMember(m_preloads, "preloads"); | 1010 info.addMember(m_preloads, "preloads"); |
| 1009 info.addMember(m_pendingPreloads, "pendingPreloads"); | 1011 info.addMember(m_pendingPreloads, "pendingPreloads"); |
| 1010 info.addMember(m_garbageCollectDocumentResourcesTimer, "garbageCollectDocume ntResourcesTimer"); | 1012 info.addMember(m_garbageCollectDocumentResourcesTimer, "garbageCollectDocume ntResourcesTimer"); |
| 1011 // FIXME: m_initiatorMap has pointers to already deleted CachedResources | 1013 // FIXME: m_initiatorMap has pointers to already deleted CachedResources |
| 1012 info.ignoreMember(m_initiatorMap); | 1014 info.ignoreMember(m_initiatorMap); |
| 1013 } | 1015 } |
| 1014 | 1016 |
| 1015 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions( ) | 1017 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions( ) |
| 1016 { | 1018 { |
| 1017 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData , AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCre dentials, DoSecurityCheck); | 1019 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData , AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCre dentials, DoSecurityCheck, CheckContentSecurityPolicy); |
| 1018 return options; | 1020 return options; |
| 1019 } | 1021 } |
| 1020 | 1022 |
| 1021 } | 1023 } |
| OLD | NEW |
