OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv
ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
295 FetchRequest request(ResourceRequest(elementDocument->completeURL(source
Url)), m_element->localName()); | 295 FetchRequest request(ResourceRequest(elementDocument->completeURL(source
Url)), m_element->localName()); |
296 | 296 |
297 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem
ent->fastGetAttribute(HTMLNames::crossoriginAttr)); | 297 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_elem
ent->fastGetAttribute(HTMLNames::crossoriginAttr)); |
298 if (crossOrigin != CrossOriginAttributeNotSet) | 298 if (crossOrigin != CrossOriginAttributeNotSet) |
299 request.setCrossOriginAccessControl(elementDocument->getSecurityOrig
in(), crossOrigin); | 299 request.setCrossOriginAccessControl(elementDocument->getSecurityOrig
in(), crossOrigin); |
300 request.setCharset(scriptCharset()); | 300 request.setCharset(scriptCharset()); |
301 | 301 |
302 // Skip fetch-related CSP checks if dynamically injected script is white
listed and this script is not parser-inserted. | 302 // Skip fetch-related CSP checks if dynamically injected script is white
listed and this script is not parser-inserted. |
303 bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->c
ontentSecurityPolicy()->allowDynamic()); | 303 bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->c
ontentSecurityPolicy()->allowDynamic()); |
304 | 304 |
305 request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNa
mes::nonceAttr)); | 305 if (ContentSecurityPolicy::isNonceableElement(m_element.get())) |
| 306 request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HT
MLNames::nonceAttr)); |
306 | 307 |
307 if (scriptPassesCSPDynamic) { | 308 if (scriptPassesCSPDynamic) { |
308 UseCounter::count(elementDocument->frame(), UseCounter::ScriptPasses
CSPDynamic); | 309 UseCounter::count(elementDocument->frame(), UseCounter::ScriptPasses
CSPDynamic); |
309 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); | 310 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); |
310 } | 311 } |
311 request.setDefer(defer); | 312 request.setDefer(defer); |
312 | 313 |
313 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA
ttr); | 314 String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityA
ttr); |
314 if (!integrityAttr.isEmpty()) { | 315 if (!integrityAttr.isEmpty()) { |
315 IntegrityMetadataSet metadataSet; | 316 IntegrityMetadataSet metadataSet; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
366 if (!contextDocument) | 367 if (!contextDocument) |
367 return true; | 368 return true; |
368 | 369 |
369 LocalFrame* frame = contextDocument->frame(); | 370 LocalFrame* frame = contextDocument->frame(); |
370 | 371 |
371 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); | 372 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); |
372 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) | 373 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo
rldCSP()) |
373 || csp->allowScriptWithHash(sourceCode.source(), ContentSecurityPolicy::
InlineType::Block) | 374 || csp->allowScriptWithHash(sourceCode.source(), ContentSecurityPolicy::
InlineType::Block) |
374 || (!isParserInserted() && csp->allowDynamic()); | 375 || (!isParserInserted() && csp->allowDynamic()); |
375 | 376 |
376 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), m_element->fastGetAttribute(HTMLNames::nonceAttr),
m_startLineNumber, sourceCode.source()))) { | 377 AtomicString nonce = ContentSecurityPolicy::isNonceableElement(m_element.get
()) ? m_element->fastGetAttribute(HTMLNames::nonceAttr) : AtomicString(); |
| 378 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc
ript(elementDocument->url(), nonce, m_startLineNumber, sourceCode.source()))) { |
377 return false; | 379 return false; |
378 } | 380 } |
379 | 381 |
380 if (m_isExternalScript) { | 382 if (m_isExternalScript) { |
381 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); | 383 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re
source(); |
382 if (resource) { | 384 if (resource) { |
383 if (!resource->mimeTypeAllowedByNosniff()) { | 385 if (!resource->mimeTypeAllowedByNosniff()) { |
384 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->httpContentTy
pe() + "') is not executable, and strict MIME type checking is enabled.")); | 386 contextDocument->addConsoleMessage(ConsoleMessage::create(Securi
tyMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resourc
e->url().elidedString() + "' because its MIME type ('" + resource->httpContentTy
pe() + "') is not executable, and strict MIME type checking is enabled.")); |
385 return false; | 387 return false; |
386 } | 388 } |
(...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
519 if (isHTMLScriptLoader(element)) | 521 if (isHTMLScriptLoader(element)) |
520 return toHTMLScriptElement(element)->loader(); | 522 return toHTMLScriptElement(element)->loader(); |
521 | 523 |
522 if (isSVGScriptLoader(element)) | 524 if (isSVGScriptLoader(element)) |
523 return toSVGScriptElement(element)->loader(); | 525 return toSVGScriptElement(element)->loader(); |
524 | 526 |
525 return 0; | 527 return 0; |
526 } | 528 } |
527 | 529 |
528 } // namespace blink | 530 } // namespace blink |
OLD | NEW |