Side by Side Diff: third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies. (Closed)
Patch Set: Tests compile. Created 4 years, 2 months ago
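--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
 * (C) 1999 Antti Koivisto (koivisto@kde.org)
 * (C) 2001 Dirk Mueller (mueller@kde.org)
 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights
 * reserved.
 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
@@ -338,35 +338,28 @@
 ResourceRequest(elementDocument->completeURL(sourceUrl)),
 m_element->localName());
 
 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(
 m_element->fastGetAttribute(HTMLNames::crossoriginAttr));
 if (crossOrigin != CrossOriginAttributeNotSet)
 request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(),
 crossOrigin);
 request.setCharset(scriptCharset());
 
-// Skip fetch-related CSP checks if dynamically injected script is
-// whitelisted and this script is not parser-inserted.
-bool scriptPassesCSPDynamic =
-(!isParserInserted() &&
-elementDocument->contentSecurityPolicy()->allowDynamic());
-
-if (ContentSecurityPolicy::isNonceableElement(m_element.get()))
+if (ContentSecurityPolicy::isNonceableElement(m_element.get())) {
 request.setContentSecurityPolicyNonce(
 m_element->fastGetAttribute(HTMLNames::nonceAttr));
+}
 
-if (scriptPassesCSPDynamic) {
-UseCounter::count(elementDocument->frame(),
-UseCounter::ScriptPassesCSPDynamic);
-request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
-}
+request.setParserDisposition(isParserInserted() ? ParserInserted
+: NotParserInserted);
+
 request.setDefer(defer);
 
 String integrityAttr =
 m_element->fastGetAttribute(HTMLNames::integrityAttr);
 if (!integrityAttr.isEmpty()) {
 IntegrityMetadataSet metadataSet;
 SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadataSet,
 elementDocument);
 request.setIntegrityMetadata(metadataSet);
 }
@@ -459,31 +452,33 @@
 Document* contextDocument = elementDocument->contextDocument();
 if (!contextDocument)
 return true;
 
 LocalFrame* frame = contextDocument->frame();
 
 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
 bool shouldBypassMainWorldCSP =
 (frame && frame->script().shouldBypassMainWorldCSP()) ||
 csp->allowScriptWithHash(sourceCode.source(),
-ContentSecurityPolicy::InlineType::Block) ||
-(!isParserInserted() && csp->allowDynamic());
+ContentSecurityPolicy::InlineType::Block);
+
+ParserDisposition parserDisposition =
+isParserInserted() ? ParserInserted : NotParserInserted;
 
 AtomicString nonce =
 ContentSecurityPolicy::isNonceableElement(m_element.get())
 ? m_element->fastGetAttribute(HTMLNames::nonceAttr)
 : AtomicString();
 if (!m_isExternalScript &&
 (!shouldBypassMainWorldCSP &&
-!csp->allowInlineScript(elementDocument->url(), nonce, m_startLineNumber,
-sourceCode.source()))) {
+!csp->allowInlineScript(elementDocument->url(), nonce, parserDisposition,
+m_startLineNumber, sourceCode.source()))) {
 return false;
 }
 
 if (m_isExternalScript) {
 ScriptResource* resource =
 m_resource ? m_resource.get() : sourceCode.resource();
 if (resource) {
 if (!resource->mimeTypeAllowedByNosniff()) {
 contextDocument->addConsoleMessage(ConsoleMessage::create(
 SecurityMessageSource, ErrorMessageLevel,
@@ -653,10 +648,10 @@
 if (isHTMLScriptLoader(element))
 return toHTMLScriptElement(element)->loader();
 
 if (isSVGScriptLoader(element))
 return toSVGScriptElement(element)->loader();
 
 return 0;
 }
 
 } // namespace blink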
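Review bot: In the execute path (new lines 459-475) a hash match is still folded into `shouldBypassMainWorldCSP`, so a script whose hash is accepted skips `allowInlineScript` entirely, which is the same short-circuit shape this change removes for `allowDynamic()`. Whether `allowScriptWithHash` requires every enforced policy to accept the hash is not visible in this section; if it does not, the multiple-policy problem would remain for hashes. The flag also now mixes two unrelated reasons, so consider splitting it, e.g. `bool hashAllowed = csp->allowScriptWithHash(sourceCode.source(), ContentSecurityPolicy::InlineType::Block);`, and keeping `shouldBypassMainWorldCSP` for the frame check only. In the fetch path the removed explanatory comment has no replacement; something like `// 'strict-dynamic' is decided inside the CSP check from the parser disposition.` above `request.setParserDisposition(...)` would record why the check is no longer skipped here. Both enclosing functions begin and end outside the lines shown.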