Source/core/dom/ScriptLoader.cpp - Issue 26481005: Implementation of script hashes for CSP.

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 26481005: Implementation of script hashes for CSP. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 7 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)	2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)

3 * (C) 1999 Antti Koivisto (koivisto@kde.org)	3 * (C) 1999 Antti Koivisto (koivisto@kde.org)

4 * (C) 2001 Dirk Mueller (mueller@kde.org)	4 * (C) 2001 Dirk Mueller (mueller@kde.org)

5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.	5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.

6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>	6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>

7 *	7 *

8 * This library is free software; you can redistribute it and/or	8 * This library is free software; you can redistribute it and/or

9 * modify it under the terms of the GNU Library General Public	9 * modify it under the terms of the GNU Library General Public

10 * License as published by the Free Software Foundation; either	10 * License as published by the Free Software Foundation; either

(...skipping 290 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
301 if (sourceCode.isEmpty())	301 if (sourceCode.isEmpty())

302 return;	302 return;

303	303

304 RefPtr<Document> elementDocument = &m_element->document();	304 RefPtr<Document> elementDocument = &m_element->document();

305 RefPtr<Document> contextDocument = elementDocument->contextDocument().get();	305 RefPtr<Document> contextDocument = elementDocument->contextDocument().get();

306 if (!contextDocument)	306 if (!contextDocument)

307 return;	307 return;

308	308

309 Frame* frame = contextDocument->frame();	309 Frame* frame = contextDocument->frame();

310	310

311 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()) \|\| elementDocument->contentSecuri tyPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));	311 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script()- >shouldBypassMainWorldContentSecurityPolicy()) \|\| elementDocument->contentSecuri tyPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) \|\| elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source() );
	Mike West 2013/10/16 14:53:02 This is getting pretty ugly. I shouldn't have adde This is getting pretty ugly. I shouldn't have added the nonce bits here in the first place, but adding hash really makes it visibly wrong. Ideally, we'd refactor this in a separate CL so that the 'shouldBypassMainWorldContentSecurityPolicy' variable did what it said. jww 2013/10/16 21:49:21 I'm a little confused about what you'd like to see Show quoted text On 2013/10/16 14:53:02, Mike West wrote: > This is getting pretty ugly. I shouldn't have added the nonce bits here in the > first place, but adding hash really makes it visibly wrong. Ideally, we'd > refactor this in a separate CL so that the > 'shouldBypassMainWorldContentSecurityPolicy' variable did what it said. I'm a little confused about what you'd like to see here. How about I break up all of these calls into separate booleans and we can just \|\| them all together. That should make it quite a bit more readable, yes? I suppose the only problem is short circuiting extraneous checks, but that's what compilers are for, I suppose :-)
312	312

313 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url (), m_startLineNumber)))	313 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url (), m_startLineNumber)))

314 return;	314 return;

315	315

316 if (m_isExternalScript && m_resource && !m_resource->mimeTypeAllowedByNosnif f()) {	316 if (m_isExternalScript && m_resource && !m_resource->mimeTypeAllowedByNosnif f()) {

317 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLe vel, "Refused to execute script from '" + m_resource->url().elidedString() + "' because its MIME type ('" + m_resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");	317 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLe vel, "Refused to execute script from '" + m_resource->url().elidedString() + "' because its MIME type ('" + m_resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");

318 return;	318 return;

319 }	319 }

320	320

321 if (frame) {	321 if (frame) {

(...skipping 112 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
434 if (isHTMLScriptLoader(element))	434 if (isHTMLScriptLoader(element))

435 return toHTMLScriptElement(element)->loader();	435 return toHTMLScriptElement(element)->loader();

436	436

437 if (isSVGScriptLoader(element))	437 if (isSVGScriptLoader(element))

438 return toSVGScriptElement(element)->loader();	438 return toSVGScriptElement(element)->loader();

439	439

440 return 0;	440 return 0;

441 }	441 }

442	442

443 }	443 }

OLD	NEW

« no previous file with comments | « no previous file | Source/core/frame/ContentSecurityPolicy.h » ('j') | Source/core/frame/ContentSecurityPolicy.h » ('J')