| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights |
| 6 * reserved. | 6 * reserved. |
| 7 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 7 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
| 8 * | 8 * |
| 9 * This library is free software; you can redistribute it and/or | 9 * This library is free software; you can redistribute it and/or |
| 10 * modify it under the terms of the GNU Library General Public | 10 * modify it under the terms of the GNU Library General Public |
| (...skipping 329 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 340 ResourceRequest(elementDocument->completeURL(sourceUrl)), | 340 ResourceRequest(elementDocument->completeURL(sourceUrl)), |
| 341 m_element->localName()); | 341 m_element->localName()); |
| 342 | 342 |
| 343 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue( | 343 CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue( |
| 344 m_element->fastGetAttribute(HTMLNames::crossoriginAttr)); | 344 m_element->fastGetAttribute(HTMLNames::crossoriginAttr)); |
| 345 if (crossOrigin != CrossOriginAttributeNotSet) | 345 if (crossOrigin != CrossOriginAttributeNotSet) |
| 346 request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(), | 346 request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(), |
| 347 crossOrigin); | 347 crossOrigin); |
| 348 request.setCharset(scriptCharset()); | 348 request.setCharset(scriptCharset()); |
| 349 | 349 |
| 350 if (ContentSecurityPolicy::isNonceableElement(m_element.get())) { | 350 if (ContentSecurityPolicy::isNonceableElement(m_element.get())) |
| 351 request.setContentSecurityPolicyNonce( | 351 request.setContentSecurityPolicyNonce(client()->nonce()); |
| 352 m_element->fastGetAttribute(HTMLNames::nonceAttr)); | |
| 353 } | |
| 354 | 352 |
| 355 request.setParserDisposition(isParserInserted() ? ParserInserted | 353 request.setParserDisposition(isParserInserted() ? ParserInserted |
| 356 : NotParserInserted); | 354 : NotParserInserted); |
| 357 | 355 |
| 358 request.setDefer(defer); | 356 request.setDefer(defer); |
| 359 | 357 |
| 360 String integrityAttr = | 358 String integrityAttr = |
| 361 m_element->fastGetAttribute(HTMLNames::integrityAttr); | 359 m_element->fastGetAttribute(HTMLNames::integrityAttr); |
| 362 if (!integrityAttr.isEmpty()) { | 360 if (!integrityAttr.isEmpty()) { |
| 363 IntegrityMetadataSet metadataSet; | 361 IntegrityMetadataSet metadataSet; |
| (...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 458 LocalFrame* frame = contextDocument->frame(); | 456 LocalFrame* frame = contextDocument->frame(); |
| 459 | 457 |
| 460 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); | 458 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy(); |
| 461 bool shouldBypassMainWorldCSP = | 459 bool shouldBypassMainWorldCSP = |
| 462 (frame && frame->script().shouldBypassMainWorldCSP()) || | 460 (frame && frame->script().shouldBypassMainWorldCSP()) || |
| 463 csp->allowScriptWithHash(sourceCode.source(), | 461 csp->allowScriptWithHash(sourceCode.source(), |
| 464 ContentSecurityPolicy::InlineType::Block); | 462 ContentSecurityPolicy::InlineType::Block); |
| 465 | 463 |
| 466 AtomicString nonce = | 464 AtomicString nonce = |
| 467 ContentSecurityPolicy::isNonceableElement(m_element.get()) | 465 ContentSecurityPolicy::isNonceableElement(m_element.get()) |
| 468 ? m_element->fastGetAttribute(HTMLNames::nonceAttr) | 466 ? client()->nonce() |
| 469 : AtomicString(); | 467 : nullAtom; |
| 470 if (!m_isExternalScript && | 468 if (!m_isExternalScript && |
| 471 (!shouldBypassMainWorldCSP && | 469 (!shouldBypassMainWorldCSP && |
| 472 !csp->allowInlineScript(m_element, elementDocument->url(), nonce, | 470 !csp->allowInlineScript(m_element, elementDocument->url(), nonce, |
| 473 m_startLineNumber, sourceCode.source()))) { | 471 m_startLineNumber, sourceCode.source()))) { |
| 474 return false; | 472 return false; |
| 475 } | 473 } |
| 476 | 474 |
| 477 if (m_isExternalScript) { | 475 if (m_isExternalScript) { |
| 478 ScriptResource* resource = | 476 ScriptResource* resource = |
| 479 m_resource ? m_resource.get() : sourceCode.resource(); | 477 m_resource ? m_resource.get() : sourceCode.resource(); |
| (...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 545 // Create a script from the script element node, using the script | 543 // Create a script from the script element node, using the script |
| 546 // block's source and the script block's type. | 544 // block's source and the script block's type. |
| 547 // Note: This is where the script is compiled and actually executed. | 545 // Note: This is where the script is compiled and actually executed. |
| 548 frame->script().executeScriptInMainWorld(sourceCode, accessControlStatus); | 546 frame->script().executeScriptInMainWorld(sourceCode, accessControlStatus); |
| 549 | 547 |
| 550 if (isHTMLScriptLoader(m_element) || isSVGScriptLoader(m_element)) { | 548 if (isHTMLScriptLoader(m_element) || isSVGScriptLoader(m_element)) { |
| 551 DCHECK(contextDocument->currentScript() == m_element); | 549 DCHECK(contextDocument->currentScript() == m_element); |
| 552 contextDocument->popCurrentScript(); | 550 contextDocument->popCurrentScript(); |
| 553 } | 551 } |
| 554 | 552 |
| 553 // "Number used _once_", so, clear it out after execution. |
| 554 if (RuntimeEnabledFeatures::hideNonceContentAttributeEnabled()) |
| 555 client()->clearNonce(); |
| 556 |
| 555 return true; | 557 return true; |
| 556 } | 558 } |
| 557 | 559 |
| 558 void ScriptLoader::execute() { | 560 void ScriptLoader::execute() { |
| 559 DCHECK(!m_willBeParserExecuted); | 561 DCHECK(!m_willBeParserExecuted); |
| 560 DCHECK(m_asyncExecType != ScriptRunner::None); | 562 DCHECK(m_asyncExecType != ScriptRunner::None); |
| 561 DCHECK(m_pendingScript->resource()); | 563 DCHECK(m_pendingScript->resource()); |
| 562 bool errorOccurred = false; | 564 bool errorOccurred = false; |
| 563 ScriptSourceCode source = m_pendingScript->getSource(KURL(), errorOccurred); | 565 ScriptSourceCode source = m_pendingScript->getSource(KURL(), errorOccurred); |
| 564 m_pendingScript->dispose(); | 566 m_pendingScript->dispose(); |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 647 if (isHTMLScriptLoader(element)) | 649 if (isHTMLScriptLoader(element)) |
| 648 return toHTMLScriptElement(element)->loader(); | 650 return toHTMLScriptElement(element)->loader(); |
| 649 | 651 |
| 650 if (isSVGScriptLoader(element)) | 652 if (isSVGScriptLoader(element)) |
| 651 return toSVGScriptElement(element)->loader(); | 653 return toSVGScriptElement(element)->loader(); |
| 652 | 654 |
| 653 return 0; | 655 return 0; |
| 654 } | 656 } |
| 655 | 657 |
| 656 } // namespace blink | 658 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2628733005:
Experiment with hiding <script>'s 'nonce' content attribute. (Closed)
