[HTML Import] Respect Content Security Policy Model

Source/core/loader/cache/CachedResourceLoader.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 74 matching lines @@
     case CachedResource::XSLStyleSheet:
         return new CachedXSLStyleSheet(request);
     case CachedResource::LinkPrefetch:
         return new CachedResource(request, CachedResource::LinkPrefetch);
     case CachedResource::LinkSubresource:
         return new CachedResource(request, CachedResource::LinkSubresource);
     case CachedResource::TextTrackResource:
         return new CachedTextTrack(request);
     case CachedResource::ShaderResource:
         return new CachedShader(request);
+    case CachedResource::ImportResource:
+        return new CachedRawResource(request, type);
     }
+
     ASSERT_NOT_REACHED();
     return 0;
 }
 
 static ResourceLoadPriority loadPriority(CachedResource::Type type, const CachedResourceRequest& request)
 {
     if (request.priority() != ResourceLoadPriorityUnresolved)
         return request.priority();
 
     switch (type) {
     case CachedResource::MainResource:
         return ResourceLoadPriorityVeryHigh;
     case CachedResource::CSSStyleSheet:
         return ResourceLoadPriorityHigh;
     case CachedResource::Script:
     case CachedResource::FontResource:
     case CachedResource::RawResource:
+    case CachedResource::ImportResource:
         return ResourceLoadPriorityMedium;
     case CachedResource::ImageResource:
         return request.forPreload() ? ResourceLoadPriorityVeryLow : ResourceLoadPriorityLow;
     case CachedResource::XSLStyleSheet:
         return ResourceLoadPriorityHigh;
     case CachedResource::SVGDocumentResource:
         return ResourceLoadPriorityLow;
     case CachedResource::LinkPrefetch:
         return ResourceLoadPriorityVeryLow;
     case CachedResource::LinkSubresource:
@@ skipping 105 matching lines @@
 CachedResourceHandle<CachedTextTrack> CachedResourceLoader::requestTextTrack(CachedResourceRequest& request)
 {
     return static_cast<CachedTextTrack*>(requestResource(CachedResource::TextTrackResource, request).get());
 }
 
 CachedResourceHandle<CachedShader> CachedResourceLoader::requestShader(CachedResourceRequest& request)
 {
     return static_cast<CachedShader*>(requestResource(CachedResource::ShaderResource, request).get());
 }
 
+CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestImport(CachedResourceRequest& request)
+{
+    return static_cast<CachedRawResource*>(requestResource(CachedResource::ImportResource, request).get());
+}
+
 CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestCSSStyleSheet(CachedResourceRequest& request)
 {
     return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSSStyleSheet, request).get());
 }
 
 CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSStyleSheet(CachedResourceRequest& request)
 {
     KURL url = MemoryCache::removeFragmentIdentifierIfNeeded(request.resourceRequest().url());
 
     if (CachedResource* existing = memoryCache()->resourceForURL(url)) {
@@ skipping 38 matching lines @@
     return static_cast<CachedRawResource*>(requestResource(CachedResource::MainResource, request).get());
 }
 
 bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const KURL& url) const
 {
     switch (type) {
     case CachedResource::Script:
     case CachedResource::XSLStyleSheet:
     case CachedResource::SVGDocumentResource:
     case CachedResource::CSSStyleSheet:
+    case CachedResource::ImportResource:
         // These resource can inject script into the current document (Script,
         // XSL) or exfiltrate the content of the current document (CSS).
         if (Frame* f = frame())
             if (!f->loader()->mixedContentChecker()->canRunInsecureContent(m_document->securityOrigin(), url))
                 return false;
         break;
     case CachedResource::TextTrackResource:
     case CachedResource::ShaderResource:
     case CachedResource::RawResource:
     case CachedResource::ImageResource:
@@ skipping 56 matching lines @@
         }
         break;
     }
 
     switch (type) {
     case CachedResource::XSLStyleSheet:
         if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
             return false;
         break;
     case CachedResource::Script:
+    case CachedResource::ImportResource:
         if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
             return false;
 
         if (frame()) {
             Settings* settings = frame()->settings();
             if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) {
                 frame()->loader()->client()->didNotAllowScript();
                 return false;
             }
         }
@@ skipping 40 matching lines @@
 
 bool CachedResourceLoader::canAccess(CachedResource* resource)
 {
     // Redirects can change the response URL different from one of request.
     if (!canRequest(resource->type(), resource->response().url(), resource->options(), false))
         return false;
 
     String error;
     switch (resource->type()) {
     case CachedResource::Script:
-    case CachedResource::RawResource:
+    case CachedResource::ImportResource:
         if (resource->options().requestOriginPolicy == PotentiallyCrossOriginEnabled
             && !m_document->securityOrigin()->canRequest(resource->response().url())
             && !resource->passesAccessControlCheck(m_document->securityOrigin(), error)) {
             m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(resource->response().url())->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + error);
             return false;
         }
 
         break;
     default:
         ASSERT_NOT_REACHED(); // FIXME: generalize to non-script resources
@@ skipping 116 matching lines @@
         targetType = ResourceRequest::TargetIsScript;
         break;
     case CachedResource::FontResource:
         targetType = ResourceRequest::TargetIsFontResource;
         break;
     case CachedResource::ImageResource:
         targetType = ResourceRequest::TargetIsImage;
         break;
     case CachedResource::ShaderResource:
     case CachedResource::RawResource:
+    case CachedResource::ImportResource:
         targetType = ResourceRequest::TargetIsSubresource;
         break;
     case CachedResource::LinkPrefetch:
         targetType = ResourceRequest::TargetIsPrefetch;
         break;
     case CachedResource::LinkSubresource:
         targetType = ResourceRequest::TargetIsSubresource;
         break;
     case CachedResource::TextTrackResource:
         targetType = ResourceRequest::TargetIsTextTrack;
@@ skipping 663 matching lines @@
 }
 #endif
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, UseDefaultOriginRestrictionsForType, DocumentContext));
     return options;
 }
 
 }