Index: Source/core/loader/cache/CachedResourceLoader.cpp |
diff --git a/Source/core/loader/cache/CachedResourceLoader.cpp b/Source/core/loader/cache/CachedResourceLoader.cpp |
index 6f1a33037b25294ae8fea1cae4247c88ef6ae961..d691e92fe0e0567e38cc33d62ecd04f86e5ea65a 100644 |
--- a/Source/core/loader/cache/CachedResourceLoader.cpp |
+++ b/Source/core/loader/cache/CachedResourceLoader.cpp |
@@ -146,7 +146,7 @@ CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou |
if (Frame* f = frame()) { |
if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) { |
KURL requestURL = request.resourceRequest().url(); |
- if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL)) |
+ if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, false)) |
abarth-chromium
2013/05/16 00:59:27
If you use the enum rather than a bool, then call
jww
2013/05/16 20:59:00
Done.
|
PingLoader::loadImage(f, requestURL); |
return 0; |
} |
@@ -192,7 +192,12 @@ CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt |
memoryCache()->add(userSheet.get()); |
// FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too? |
- userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck)); |
+ // This check is currently not used. However, it will be used once we |
+ // implement nonce checks for style sheets. |
+ ContentSecurityPolicyNonceCheck nonceCheck = NonceCheckNotValid; |
+ if (checkNonceFromInitiatorElement(request.initiatorElement().get())) |
+ nonceCheck = NonceCheckValid; |
abarth-chromium
2013/05/16 00:59:27
If this code isn't used, we shouldn't add it. We
jww
2013/05/16 20:59:00
Done.
|
+ userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck, nonceCheck)); |
return userSheet; |
} |
@@ -268,7 +273,12 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const |
return true; |
} |
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload) |
+bool CachedResourceLoader::checkNonceFromInitiatorElement(const Element* initiatorElement) |
+{ |
+ return initiatorElement && m_document->contentSecurityPolicy()->allowNonce(initiatorElement->fastGetAttribute(HTMLNames::nonceAttr)); |
abarth-chromium
2013/05/16 00:59:27
This isn't right. Different types have different
jww
2013/05/16 20:59:00
Okay, I think I've basically factored all of the c
|
+} |
+ |
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool validNonce, bool forPreload) |
{ |
if (document() && !document()->securityOrigin()->canDisplay(url)) { |
if (!forPreload) |
@@ -310,11 +320,11 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url |
switch (type) { |
case CachedResource::XSLStyleSheet: |
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url)) |
+ if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, validNonce)) |
return false; |
break; |
case CachedResource::Script: |
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url)) |
+ if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, validNonce)) |
return false; |
if (frame()) { |
@@ -379,7 +389,7 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache |
if (!url.isValid()) |
return 0; |
- if (!canRequest(type, url, request.forPreload())) |
+ if (!canRequest(type, url, checkNonceFromInitiatorElement(request.initiatorElement().get()), request.forPreload())) |
abarth-chromium
2013/05/16 00:59:27
This needs to be done in type-specific code becaus
jww
2013/05/16 20:59:00
Done.
|
return 0; |
if (Frame* f = frame()) |
@@ -420,7 +430,10 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache |
resource->setLoadPriority(request.priority()); |
if ((policy != Use || resource->stillNeedsLoad()) && CachedResourceRequest::NoDefer == request.defer()) { |
- resource->load(this, request.options()); |
+ ResourceLoaderOptions options(request.options()); |
+ if (checkNonceFromInitiatorElement(request.initiatorElement().get())) |
+ options.cspNonce = NonceCheckValid; |
+ resource->load(this, options); |
// We don't support immediate loads, but we do support immediate failure. |
if (resource->errorOccurred()) { |
@@ -929,7 +942,7 @@ void CachedResourceLoader::reportMemoryUsage(MemoryObjectInfo* memoryObjectInfo) |
const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions() |
{ |
- static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck); |
+ static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck, NonceCheckNotValid); |
return options; |
} |