OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "core/dom/ClassicScript.h" |
| 6 |
| 7 #include "bindings/core/v8/ScriptController.h" |
| 8 #include "core/dom/Document.h" |
| 9 #include "core/frame/LocalFrame.h" |
| 10 #include "core/frame/UseCounter.h" |
| 11 #include "core/inspector/ConsoleMessage.h" |
| 12 #include "platform/loader/fetch/AccessControlStatus.h" |
| 13 #include "platform/network/mime/MIMETypeRegistry.h" |
| 14 |
| 15 namespace blink { |
| 16 |
| 17 namespace { |
| 18 |
| 19 void logScriptMIMEType(LocalFrame* frame, |
| 20 ScriptResource* resource, |
| 21 const String& mimeType, |
| 22 const SecurityOrigin* securityOrigin) { |
| 23 if (MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType)) |
| 24 return; |
| 25 bool isText = mimeType.startsWith("text/", TextCaseASCIIInsensitive); |
| 26 if (isText && MIMETypeRegistry::isLegacySupportedJavaScriptLanguage( |
| 27 mimeType.substring(5))) |
| 28 return; |
| 29 bool isSameOrigin = securityOrigin->canRequest(resource->url()); |
| 30 bool isApplication = |
| 31 !isText && mimeType.startsWith("application/", TextCaseASCIIInsensitive); |
| 32 |
| 33 UseCounter::Feature feature = |
| 34 isSameOrigin |
| 35 ? (isText ? UseCounter::SameOriginTextScript |
| 36 : isApplication ? UseCounter::SameOriginApplicationScript |
| 37 : UseCounter::SameOriginOtherScript) |
| 38 : (isText ? UseCounter::CrossOriginTextScript |
| 39 : isApplication ? UseCounter::CrossOriginApplicationScript |
| 40 : UseCounter::CrossOriginOtherScript); |
| 41 |
| 42 UseCounter::count(frame, feature); |
| 43 } |
| 44 |
| 45 } // namespace |
| 46 |
| 47 bool ClassicScript::isEmpty() const { |
| 48 return scriptSourceCode().isEmpty(); |
| 49 } |
| 50 |
| 51 bool ClassicScript::checkMIMETypeBeforeRunScript( |
| 52 Document* contextDocument, |
| 53 const SecurityOrigin* securityOrigin) const { |
| 54 ScriptResource* resource = scriptSourceCode().resource(); |
| 55 CHECK(resource); |
| 56 if (!ScriptResource::mimeTypeAllowedByNosniff(resource->response())) { |
| 57 contextDocument->addConsoleMessage(ConsoleMessage::create( |
| 58 SecurityMessageSource, ErrorMessageLevel, |
| 59 "Refused to execute script from '" + resource->url().elidedString() + |
| 60 "' because its MIME type ('" + resource->httpContentType() + |
| 61 "') is not executable, and strict MIME type checking is enabled.")); |
| 62 return false; |
| 63 } |
| 64 |
| 65 String mimeType = resource->httpContentType(); |
| 66 LocalFrame* frame = contextDocument->frame(); |
| 67 if (mimeType.startsWith("image/") || mimeType == "text/csv" || |
| 68 mimeType.startsWith("audio/") || mimeType.startsWith("video/")) { |
| 69 contextDocument->addConsoleMessage(ConsoleMessage::create( |
| 70 SecurityMessageSource, ErrorMessageLevel, |
| 71 "Refused to execute script from '" + resource->url().elidedString() + |
| 72 "' because its MIME type ('" + mimeType + "') is not executable.")); |
| 73 if (mimeType.startsWith("image/")) |
| 74 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); |
| 75 else if (mimeType.startsWith("audio/")) |
| 76 UseCounter::count(frame, UseCounter::BlockedSniffingAudioToScript); |
| 77 else if (mimeType.startsWith("video/")) |
| 78 UseCounter::count(frame, UseCounter::BlockedSniffingVideoToScript); |
| 79 else if (mimeType == "text/csv") |
| 80 UseCounter::count(frame, UseCounter::BlockedSniffingCSVToScript); |
| 81 return false; |
| 82 } |
| 83 |
| 84 logScriptMIMEType(frame, resource, mimeType, securityOrigin); |
| 85 return true; |
| 86 } |
| 87 |
| 88 void ClassicScript::runScript(LocalFrame* frame, |
| 89 const SecurityOrigin* securityOrigin) const { |
| 90 AccessControlStatus accessControlStatus = NotSharableCrossOrigin; |
| 91 const bool isExternalScript = scriptSourceCode().resource(); |
| 92 if (!isExternalScript) { |
| 93 accessControlStatus = SharableCrossOrigin; |
| 94 } else { |
| 95 CHECK(scriptSourceCode().resource()); |
| 96 accessControlStatus = |
| 97 scriptSourceCode().resource()->calculateAccessControlStatus( |
| 98 securityOrigin); |
| 99 } |
| 100 |
| 101 frame->script().executeScriptInMainWorld(scriptSourceCode(), |
| 102 accessControlStatus); |
| 103 } |
| 104 |
| 105 } // namespace blink |
OLD | NEW |