third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp - Issue 2689173002: Implement script MIME restrictions for X-Content-Type-Options: nosniff for Workers

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

Issue 2689173002: Implement script MIME restrictions for X-Content-Type-Options: nosniff for Workers (Closed)

Patch Set: incorporated mkwst@'s comment Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/Source/core/workers/WorkerScriptLoader.h ('k') | third_party/WebKit/Source/platform/loader/fetch/Resource.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

diff --git a/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp b/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

index c0d1b0762f7b094daf11662bd57504ee22ffffa0..53bc06937fb2fbcc91971f69e0e1510fdf84716c 100644

--- a/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

+++ b/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

@@ -27,9 +27,12 @@

#include "core/workers/WorkerScriptLoader.h"

+#include <memory>

#include "core/dom/ExecutionContext.h"

#include "core/html/parser/TextResourceDecoder.h"

+#include "core/inspector/ConsoleMessage.h"

#include "core/loader/WorkerThreadableLoader.h"

+#include "core/loader/resource/ScriptResource.h"

#include "core/origin_trials/OriginTrialContext.h"

#include "core/workers/WorkerGlobalScope.h"

#include "platform/HTTPNames.h"

@@ -41,7 +44,6 @@

#include "public/platform/WebURLRequest.h"

#include "wtf/PtrUtil.h"

#include "wtf/RefPtr.h"

-#include <memory>

namespace blink {

@@ -66,6 +68,7 @@ void WorkerScriptLoader::loadSynchronously(

CrossOriginRequestPolicy crossOriginRequestPolicy,

WebAddressSpace creationAddressSpace) {

m_url = url;

+ m_executionContext = &executionContext;

ResourceRequest request(createResourceRequest(creationAddressSpace));

SECURITY_DCHECK(executionContext.isWorkerGlobalScope());

@@ -94,6 +97,7 @@ void WorkerScriptLoader::loadAsynchronously(

m_responseCallback = std::move(responseCallback);

m_finishedCallback = std::move(finishedCallback);

m_url = url;

+ m_executionContext = &executionContext;

ResourceRequest request(createResourceRequest(creationAddressSpace));

ThreadableLoaderOptions options;

@@ -139,6 +143,15 @@ void WorkerScriptLoader::didReceiveResponse(

notifyError();

return;

}

+ if (!ScriptResource::mimeTypeAllowedByNosniff(response)) {

+ m_executionContext->addConsoleMessage(ConsoleMessage::create(

+ SecurityMessageSource, ErrorMessageLevel,

+ "Refused to execute script from '" + m_url.elidedString() +

+ "' because its MIME type ('" + response.httpContentType() +

+ "') is not executable, and strict MIME type checking is enabled."));

+ notifyError();

+ return;

+ }

m_identifier = identifier;

m_responseURL = response.url();

m_responseEncoding = response.textEncodingName();