
Unified Diff: Source/core/loader/cache/CachedResourceLoader.cpp

Issue 14949017: Implementation of W3C compliant CSP script-src nonce. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Factored script nonce checks to point of resource request creation, plus nits from Adam Created 7 years, 7 months ago
Index: Source/core/loader/cache/CachedResourceLoader.cpp
diff --git a/Source/core/loader/cache/CachedResourceLoader.cpp b/Source/core/loader/cache/CachedResourceLoader.cpp
index 719dd753d8073077b3de4c858bbb0d4c1f1b3af7..6021d4f1199cb80e06fa8da16538c0fbb2388b0c 100644
--- a/Source/core/loader/cache/CachedResourceLoader.cpp
+++ b/Source/core/loader/cache/CachedResourceLoader.cpp
@@ -147,7 +147,7 @@ CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou
if (Frame* f = frame()) {
if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
KURL requestURL = request.resourceRequest().url();
- if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+ if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, CheckContentSecurityPolicy))
PingLoader::loadImage(f, requestURL);
return 0;
}
@@ -186,7 +186,7 @@ CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt
memoryCache()->remove(existing);
}
- request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
+ request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck, CheckContentSecurityPolicy));
return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSSStyleSheet, request).get());
}
@@ -261,7 +261,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
return true;
}
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, ContentSecurityPolicyCheck contentSecurityPolicyCheck, bool forPreload)
{
if (document() && !document()->securityOrigin()->canDisplay(url)) {
if (!forPreload)
@@ -273,6 +273,8 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script()->shouldBypassMainWorldContentSecurityPolicy());
+ bool doNotCheckContentSecurityPolicy = contentSecurityPolicyCheck == DoNotCheckContentSecurityPolicy;
abarth-chromium 2013/05/16 21:09:16 We should just fold this value into shouldBypassMa
jww 2013/05/16 21:37:46 Done.
+
// Some types of resources can be loaded only from the same origin. Other
// types of resources, like Images, Scripts, and CSS, can be loaded from
// any URL.
@@ -303,11 +305,11 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
switch (type) {
case CachedResource::XSLStyleSheet:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+ if (!shouldBypassMainWorldContentSecurityPolicy && !(doNotCheckContentSecurityPolicy || m_document->contentSecurityPolicy()->allowScriptFromSource(url)))
return false;
break;
case CachedResource::Script:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+ if (!shouldBypassMainWorldContentSecurityPolicy && !(doNotCheckContentSecurityPolicy || m_document->contentSecurityPolicy()->allowScriptFromSource(url)))
return false;
if (frame()) {
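Review bot: The skip flag is honoured in the `CachedResource::XSLStyleSheet` case as well as in `CachedResource::Script`, although the change is described as a script-src nonce implementation and nothing visible here shows an XSL stylesheet request that could carry a validated nonce. If no such requester exists, the XSL case should keep the unconditional check, `if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))`, so that a request option cannot switch off script-src for XSLT. The remaining cases of the switch lie outside the hunk, so it cannot be seen from here whether they ignore the flag; a short comment where the flag is read, such as `// Only the script-src source check is skipped; all other directives are still enforced.`, would pin that down. canRequest starts and ends outside the hunk.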
@@ -372,7 +374,7 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache
if (!url.isValid())
return 0;
- if (!canRequest(type, url, request.forPreload()))
+ if (!canRequest(type, url, request.options().cspCheck, request.forPreload()))
return 0;
if (Frame* f = frame())
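Review bot: `request.options().cspCheck` is a caller-supplied field, and this call site gives no indication of which callers are allowed to set it to `DoNotCheckContentSecurityPolicy`. Because that value makes canRequest skip the script-src source check, a comment above the call would make the contract reviewable, for example `// cspCheck is DoNotCheckContentSecurityPolicy only when the requester has already validated the script nonce.` That contract is inferred from the patch-set description (nonce checks moved to request creation), not from lines visible here, so it should be confirmed against the code that builds the request. requestResource's body continues outside the hunk.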
@@ -545,7 +547,7 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::revalidateResource(co
LOG(ResourceLoading, "Resource %p created to revalidate %p", newResource.get(), resource);
newResource->setResourceToRevalidate(resource);
-
+
abarth-chromium 2013/05/16 21:09:16 This change seems spurious.
jww 2013/05/16 21:37:46 Done.
memoryCache()->remove(resource);
memoryCache()->add(newResource.get());
storeResourceTimingInitiatorInformation(newResource, request);
@@ -1014,7 +1016,7 @@ void CachedResourceLoader::reportMemoryUsage(MemoryObjectInfo* memoryObjectInfo)
const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
{
- static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
+ static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy);
return options;
}
