OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 285 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
296 | 296 |
297 ASSERT(!m_resource); | 297 ASSERT(!m_resource); |
298 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { | 298 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { |
299 FetchRequest request(ResourceRequest(elementDocument->completeURL(source
Url)), m_element->localName()); | 299 FetchRequest request(ResourceRequest(elementDocument->completeURL(source
Url)), m_element->localName()); |
300 | 300 |
301 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem
ent->fastGetAttribute(HTMLNames::crossoriginAttr)); | 301 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem
ent->fastGetAttribute(HTMLNames::crossoriginAttr)); |
302 if (crossOrigin != CrossOriginAttributeNotSet) | 302 if (crossOrigin != CrossOriginAttributeNotSet) |
303 request.setCrossOriginAccessControl(elementDocument->securityOrigin(
), crossOrigin); | 303 request.setCrossOriginAccessControl(elementDocument->securityOrigin(
), crossOrigin); |
304 request.setCharset(scriptCharset()); | 304 request.setCharset(scriptCharset()); |
305 | 305 |
306 bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowSc
riptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); | 306 // Skip fetch-related CSP checks if the script element has a valid nonce
, or if dynamically |
| 307 // injected script is whitelisted and this script is not parser-inserted
. |
| 308 bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowSc
riptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) || (!isParserIn
serted() && elementDocument->contentSecurityPolicy()->allowDynamic()); |
| 309 |
307 if (scriptPassesCSP) | 310 if (scriptPassesCSP) |
308 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); | 311 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); |
309 request.setDefer(defer); | 312 request.setDefer(defer); |
310 | 313 |
311 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA
ttr); | 314 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA
ttr); |
312 if (!integrityAttr.isEmpty()) { | 315 if (!integrityAttr.isEmpty()) { |
313 IntegrityMetadataSet metadataSet; | 316 IntegrityMetadataSet metadataSet; |
314 SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadat
aSet, elementDocument.get()); | 317 SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadat
aSet, elementDocument.get()); |
315 request.setIntegrityMetadata(metadataSet); | 318 request.setIntegrityMetadata(metadataSet); |
316 } | 319 } |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
362 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); | 365 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); |
363 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum
ent().get(); | 366 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum
ent().get(); |
364 if (!contextDocument) | 367 if (!contextDocument) |
365 return true; | 368 return true; |
366 | 369 |
367 LocalFrame* frame = contextDocument->frame(); | 370 LocalFrame* frame = contextDocument->frame(); |
368 | 371 |
369 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); | 372 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); |
370 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) | 373 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) |
371 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc
eAttr)) | 374 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc
eAttr)) |
372 || csp->allowScriptWithHash(sourceCode.source().toString()); | 375 || csp->allowScriptWithHash(sourceCode.source().toString()) |
| 376 || (!isParserInserted() && csp->allowDynamic()); |
373 | 377 |
374 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString()))
) { | 378 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString()))
) { |
375 return false; | 379 return false; |
376 } | 380 } |
377 | 381 |
378 if (m_isExternalScript) { | 382 if (m_isExternalScript) { |
379 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); | 383 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); |
380 if (resource) { | 384 if (resource) { |
381 if (!resource->mimeTypeAllowedByNosniff()) { | 385 if (!resource->mimeTypeAllowedByNosniff()) { |
382 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() +
"') is not executable, and strict MIME type checking is enabled.")); | 386 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() +
"') is not executable, and strict MIME type checking is enabled.")); |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
521 if (isHTMLScriptLoader(element)) | 525 if (isHTMLScriptLoader(element)) |
522 return toHTMLScriptElement(element)->loader(); | 526 return toHTMLScriptElement(element)->loader(); |
523 | 527 |
524 if (isSVGScriptLoader(element)) | 528 if (isSVGScriptLoader(element)) |
525 return toSVGScriptElement(element)->loader(); | 529 return toSVGScriptElement(element)->loader(); |
526 | 530 |
527 return 0; | 531 return 0; |
528 } | 532 } |
529 | 533 |
530 } // namespace blink | 534 } // namespace blink |
OLD | NEW |