Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(71)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Issue 1706243002: Don't use SVG resource documents with an unrecognized MIME-type (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html ('K') | « third_party/WebKit/LayoutTests/http/tests/svg/use-no-contenttype-blocked-expected.html ('k') | third_party/WebKit/Source/core/fetch/CSSStyleSheetResource.h » ('j') | third_party/WebKit/Source/core/fetch/Resource.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 358 matching lines...) Expand 10 before | Expand all | Expand 10 after
369 || (!isParserInserted() && csp->allowDynamic()); 369 || (!isParserInserted() && csp->allowDynamic());
370 370
371 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString())) ) { 371 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString())) ) {
372 return false; 372 return false;
373 } 373 }
374 374
375 if (m_isExternalScript) { 375 if (m_isExternalScript) {
376 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); 376 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source();
377 if (resource) { 377 if (resource) {
378 if (!resource->mimeTypeAllowedByNosniff()) { 378 if (!resource->mimeTypeAllowedByNosniff()) {
379 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); 379 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->httpContentTy pe() + "') is not executable, and strict MIME type checking is enabled."));
380 return false; 380 return false;
381 } 381 }
382 382
383 String mimetype = resource->mimeType(); 383 String mimetype = resource->httpContentType();
384 if (mimetype.lower().startsWith("image/")) { 384 if (mimetype.startsWith("image/")) {
385 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); 385 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + mimetype + "') is not e xecutable."));
386 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScrip t); 386 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScrip t);
387 return false; 387 return false;
388 } 388 }
389 389
390 logScriptMimetype(resource, frame, mimetype); 390 logScriptMimetype(resource, frame, mimetype);
391 } 391 }
392 } 392 }
393 393
394 // FIXME: Can this be moved earlier in the function? 394 // FIXME: Can this be moved earlier in the function?
395 // Why are we ever attempting to execute scripts without a frame? 395 // Why are we ever attempting to execute scripts without a frame?
(...skipping 122 matching lines...) Expand 10 before | Expand all | Expand 10 after
518 if (isHTMLScriptLoader(element)) 518 if (isHTMLScriptLoader(element))
519 return toHTMLScriptElement(element)->loader(); 519 return toHTMLScriptElement(element)->loader();
520 520
521 if (isSVGScriptLoader(element)) 521 if (isSVGScriptLoader(element))
522 return toSVGScriptElement(element)->loader(); 522 return toSVGScriptElement(element)->loader();
523 523
524 return 0; 524 return 0;
525 } 525 }
526 526
527 } // namespace blink 527 } // namespace blink
OLDNEW
« third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html ('K') | « third_party/WebKit/LayoutTests/http/tests/svg/use-no-contenttype-blocked-expected.html ('k') | third_party/WebKit/Source/core/fetch/CSSStyleSheetResource.h » ('j') | third_party/WebKit/Source/core/fetch/Resource.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698