Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(399)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 185593011: Apply 'x-content-type-options' check to dynamically inserted script. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Test. Created 6 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 290 matching lines...) Expand 10 before | Expand all | Expand 10 after
301 if (!contextDocument) 301 if (!contextDocument)
302 return; 302 return;
303 303
304 LocalFrame* frame = contextDocument->frame(); 304 LocalFrame* frame = contextDocument->frame();
305 305
306 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script(). shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) | | elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source()) ; 306 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script(). shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) | | elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source()) ;
307 307
308 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url (), m_startLineNumber))) 308 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url (), m_startLineNumber)))
309 return; 309 return;
310 310
311 if (m_isExternalScript && m_resource && !m_resource->mimeTypeAllowedByNosnif f()) { 311 if (m_isExternalScript) {
312 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLe vel, "Refused to execute script from '" + m_resource->url().elidedString() + "' because its MIME type ('" + m_resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."); 312 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source();
313 return; 313 if (resource && !resource->mimeTypeAllowedByNosniff()) {
314 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessa geLevel, "Refused to execute script from '" + resource->url().elidedString() + " ' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
315 return;
316 }
314 } 317 }
315 318
316 if (frame) { 319 if (frame) {
317 const bool isImportedScript = contextDocument != elementDocument; 320 const bool isImportedScript = contextDocument != elementDocument;
318 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script -block step 2.3 321 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script -block step 2.3
319 // with additional support for HTML imports. 322 // with additional support for HTML imports.
320 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrem enter(m_isExternalScript || isImportedScript ? contextDocument.get() : 0); 323 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrem enter(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
321 324
322 if (isHTMLScriptLoader(m_element)) 325 if (isHTMLScriptLoader(m_element))
323 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element)); 326 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after
432 if (isHTMLScriptLoader(element)) 435 if (isHTMLScriptLoader(element))
433 return toHTMLScriptElement(element)->loader(); 436 return toHTMLScriptElement(element)->loader();
434 437
435 if (isSVGScriptLoader(element)) 438 if (isSVGScriptLoader(element))
436 return toSVGScriptElement(element)->loader(); 439 return toSVGScriptElement(element)->loader();
437 440
438 return 0; 441 return 0;
439 } 442 }
440 443
441 } 444 }
OLDNEW
« no previous file with comments | « LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698