Blocking synchronous and third party doc.written scripts

third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 38 matching lines @@
 #include "core/inspector/InstrumentingAgents.h"
 #include "core/loader/DocumentLoader.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/loader/LinkLoader.h"
 #include "core/loader/MixedContentChecker.h"
 #include "core/loader/NetworkHintsInterface.h"
 #include "core/loader/PingLoader.h"
 #include "core/loader/ProgressTracker.h"
 #include "core/loader/appcache/ApplicationCacheHost.h"
+#include "core/page/NetworkStateNotifier.h"
 #include "core/page/Page.h"
 #include "core/svg/graphics/SVGImageChromeClient.h"
 #include "core/timing/DOMWindowPerformance.h"
 #include "core/timing/Performance.h"
 #include "platform/Logging.h"
 #include "platform/mhtml/MHTMLArchive.h"
 #include "platform/network/ResourceTimingInfo.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "public/platform/WebFrameScheduler.h"
@@ skipping 97 matching lines @@
         return UseProtocolCachePolicy;
     if (policy == CachePolicyRevalidate)
         return ReloadIgnoringCacheData;
     if (policy == CachePolicyReload)
         return ReloadBypassingCache;
     if (policy == CachePolicyHistoryBuffer)
         return ReturnCacheDataElseLoad;
     return UseProtocolCachePolicy;
 }
 
-ResourceRequestCachePolicy FrameFetchContext::resourceRequestCachePolicy(const ResourceRequest& request, Resource::Type type) const
+ResourceRequestCachePolicy FrameFetchContext::resourceRequestCachePolicy(const ResourceRequest& request, Resource::Type type, FetchRequest::DeferOption defer) const
 {
     ASSERT(frame());
     if (type == Resource::MainResource) {
         FrameLoadType frameLoadType = frame()->loader().loadType();
         if (request.httpMethod() == "POST" && frameLoadType == FrameLoadTypeBackForward)
             return ReturnCacheDataDontLoad;
         if (!frame()->host()->overrideEncoding().isEmpty())
             return ReturnCacheDataElseLoad;
         if (frameLoadType == FrameLoadTypeSame || request.isConditional() || request.httpMethod() == "POST")
             return ReloadIgnoringCacheData;
@@ skipping 14 matching lines @@
 
     // For users on slow connections, we want to avoid blocking the parser in
     // the main frame on script loads inserted via document.write, since it can
     // add significant delays before page content is displayed on the screen.
     // For now, as a prototype, we block fetches for main frame scripts
     // inserted via document.write as long as the
     // disallowFetchForDocWrittenScriptsInMainFrame setting is enabled. In the
     // future, we'll extend this logic to only block if estimated network RTT
     // is above some threshold.
     if (type == Resource::Script && isMainFrame()) {
+        const bool disallowFetchForDocWriteScripts = frame()->settings() && frame()->settings()->disallowFetchForDocWrittenScriptsInMainFrame();
         const bool isInDocumentWrite = m_document && m_document->isInDocumentWrite();
-        const bool disallowFetchForDocWriteScripts = frame()->settings() && frame()->settings()->disallowFetchForDocWrittenScriptsInMainFrame();
-        if (isInDocumentWrite && disallowFetchForDocWriteScripts)
-            return ReturnCacheDataDontLoad;
+        if (isInDocumentWrite && disallowFetchForDocWriteScripts) {
+            const bool isSync = (defer == FetchRequest::NoDefer);
+            const bool isThirdParty = (request.url().host() != m_document->getSecurityOrigin()->domain());

[Bryan McQuade, 2016/04/05 12:46:11]

let's add a comment here noting that we continue to allow same origin scripts to
run because they may be used to render main page content, whereas we block
cross-origin scripts because they are likely for third party content.

i just want to make sure readers of the code understand that we aren't doing an
origin check for security reasons (might be worth noting that in the comment
too) which is the more common reason to compare origins.

+            const bool isSlowConnection = networkStateNotifier().connectionType() == WebConnectionTypeCellular2G;

[Bryan McQuade, 2016/04/05 12:46:11]

Let's add a comment that for now we restrict slow connections to 2G, but that we
might try to expand coverage using the network quality estimator in the future.

+            if (isSync && isThirdParty && isSlowConnection)
+                return ReturnCacheDataDontLoad;
+        }
     }
 
     if (request.isConditional())
         return ReloadIgnoringCacheData;
 
     if (m_documentLoader && m_document && !m_document->loadEventFinished()) {
         // For POST requests, we mutate the main resource's cache policy to avoid form resubmission.
         // This policy should not be inherited by subresources.
         ResourceRequestCachePolicy mainResourceCachePolicy = m_documentLoader->request().getCachePolicy();
         if (m_documentLoader->request().httpMethod() == "POST") {
@@ skipping 581 matching lines @@
 }
 
 DEFINE_TRACE(FrameFetchContext)
 {
     visitor->trace(m_document);
     visitor->trace(m_documentLoader);
     FetchContext::trace(visitor);
 }
 
 } // namespace blink