Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(384)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Issue 2020223002: Refactor nonce support. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@inline
Patch Set: Rebase. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/WebKit/Source/core/dom/Element.cpp ('k') | third_party/WebKit/Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 282 matching lines...) Expand 10 before | Expand all | Expand 10 after
293 293
294 DCHECK(!m_resource); 294 DCHECK(!m_resource);
295 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { 295 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
296 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName()); 296 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName());
297 297
298 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem ent->fastGetAttribute(HTMLNames::crossoriginAttr)); 298 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem ent->fastGetAttribute(HTMLNames::crossoriginAttr));
299 if (crossOrigin != CrossOriginAttributeNotSet) 299 if (crossOrigin != CrossOriginAttributeNotSet)
300 request.setCrossOriginAccessControl(elementDocument->getSecurityOrig in(), crossOrigin); 300 request.setCrossOriginAccessControl(elementDocument->getSecurityOrig in(), crossOrigin);
301 request.setCharset(scriptCharset()); 301 request.setCharset(scriptCharset());
302 302
303 // Skip fetch-related CSP checks if the script element has a valid nonce , or if dynamically 303 // Skip fetch-related CSP checks if dynamically injected script is white listed and this script is not parser-inserted.
304 // injected script is whitelisted and this script is not parser-inserted .
305 bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->c ontentSecurityPolicy()->allowDynamic()); 304 bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->c ontentSecurityPolicy()->allowDynamic());
306 bool scriptPassesCSPNonce = elementDocument->contentSecurityPolicy()->al lowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
307 305
308 if (scriptPassesCSPDynamic) 306 request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNa mes::nonceAttr));
307
308 if (scriptPassesCSPDynamic) {
309 UseCounter::count(elementDocument->frame(), UseCounter::ScriptPasses CSPDynamic); 309 UseCounter::count(elementDocument->frame(), UseCounter::ScriptPasses CSPDynamic);
310
311 if (scriptPassesCSPNonce)
312 UseCounter::count(elementDocument->frame(), UseCounter::ScriptPasses CSPNonce);
313
314 if (scriptPassesCSPDynamic || scriptPassesCSPNonce)
315 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); 310 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
311 }
316 request.setDefer(defer); 312 request.setDefer(defer);
317 313
318 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA ttr); 314 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA ttr);
319 if (!integrityAttr.isEmpty()) { 315 if (!integrityAttr.isEmpty()) {
320 IntegrityMetadataSet metadataSet; 316 IntegrityMetadataSet metadataSet;
321 SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadat aSet, elementDocument); 317 SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadat aSet, elementDocument);
322 request.setIntegrityMetadata(metadataSet); 318 request.setIntegrityMetadata(metadataSet);
323 } 319 }
324 320
325 m_resource = ScriptResource::fetch(request, elementDocument->fetcher()); 321 m_resource = ScriptResource::fetch(request, elementDocument->fetcher());
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
368 364
369 Document* elementDocument = &(m_element->document()); 365 Document* elementDocument = &(m_element->document());
370 Document* contextDocument = elementDocument->contextDocument(); 366 Document* contextDocument = elementDocument->contextDocument();
371 if (!contextDocument) 367 if (!contextDocument)
372 return true; 368 return true;
373 369
374 LocalFrame* frame = contextDocument->frame(); 370 LocalFrame* frame = contextDocument->frame();
375 371
376 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); 372 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
377 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo rldCSP()) 373 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo rldCSP())
378 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc eAttr))
379 || csp->allowScriptWithHash(sourceCode.source().toString(), ContentSecur ityPolicy::InlineType::Block) 374 || csp->allowScriptWithHash(sourceCode.source().toString(), ContentSecur ityPolicy::InlineType::Block)
380 || (!isParserInserted() && csp->allowDynamic()); 375 || (!isParserInserted() && csp->allowDynamic());
381 376
382 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber, sourceCode.source().toString())) ) { 377 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_element->fastGetAttribute(HTMLNames::nonceAttr), m_startLineNumber, sourceCode.source().toString()))) {
383 return false; 378 return false;
384 } 379 }
385 380
386 if (m_isExternalScript) { 381 if (m_isExternalScript) {
387 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); 382 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source();
388 if (resource) { 383 if (resource) {
389 if (!resource->mimeTypeAllowedByNosniff()) { 384 if (!resource->mimeTypeAllowedByNosniff()) {
390 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->httpContentTy pe() + "') is not executable, and strict MIME type checking is enabled.")); 385 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc e->url().elidedString() + "' because its MIME type ('" + resource->httpContentTy pe() + "') is not executable, and strict MIME type checking is enabled."));
391 return false; 386 return false;
392 } 387 }
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after
525 if (isHTMLScriptLoader(element)) 520 if (isHTMLScriptLoader(element))
526 return toHTMLScriptElement(element)->loader(); 521 return toHTMLScriptElement(element)->loader();
527 522
528 if (isSVGScriptLoader(element)) 523 if (isSVGScriptLoader(element))
529 return toSVGScriptElement(element)->loader(); 524 return toSVGScriptElement(element)->loader();
530 525
531 return 0; 526 return 0;
532 } 527 }
533 528
534 } // namespace blink 529 } // namespace blink
OLDNEW
« no previous file with comments | « third_party/WebKit/Source/core/dom/Element.cpp ('k') | third_party/WebKit/Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698