Introduce blink::Script

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ skipping 11 matching lines @@
  * Boston, MA 02110-1301, USA.
  */
 
 #include "core/dom/ScriptLoader.h"
 
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/ScriptSourceCode.h"
 #include "bindings/core/v8/V8Binding.h"
 #include "core/HTMLNames.h"
 #include "core/SVGNames.h"
+#include "core/dom/ClassicScript.h"
 #include "core/dom/Document.h"
 #include "core/dom/DocumentParserTiming.h"
 #include "core/dom/IgnoreDestructiveWriteCountIncrementer.h"
+#include "core/dom/Script.h"
 #include "core/dom/ScriptElementBase.h"
 #include "core/dom/ScriptRunner.h"
 #include "core/dom/ScriptableDocumentParser.h"
 #include "core/dom/Text.h"
 #include "core/events/Event.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/SubresourceIntegrity.h"
-#include "core/frame/UseCounter.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/CrossOriginAttribute.h"
 #include "core/html/imports/HTMLImport.h"
 #include "core/html/parser/HTMLParserIdioms.h"
-#include "core/inspector/ConsoleMessage.h"
 #include "platform/WebFrameScheduler.h"
 #include "platform/loader/fetch/AccessControlStatus.h"
 #include "platform/loader/fetch/FetchRequest.h"
 #include "platform/loader/fetch/MemoryCache.h"
 #include "platform/loader/fetch/ResourceFetcher.h"
 #include "platform/network/mime/MIMETypeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/WebCachePolicy.h"
 #include "wtf/StdLibExtras.h"
 #include "wtf/text/StringBuilder.h"
@@ skipping 82 matching lines @@
   m_nonBlocking = false;
 }
 
 void ScriptLoader::detachPendingScript() {
   if (!m_pendingScript)
     return;
   m_pendingScript->dispose();
   m_pendingScript = nullptr;
 }
 
-static bool isLegacySupportedJavaScriptLanguage(const String& language) {
-  // Mozilla 1.8 accepts javascript1.0 - javascript1.7, but WinIE 7 accepts only
-  // javascript1.1 - javascript1.3.
-  // Mozilla 1.8 and WinIE 7 both accept javascript and livescript.
-  // WinIE 7 accepts ecmascript and jscript, but Mozilla 1.8 doesn't.
-  // Neither Mozilla 1.8 nor WinIE 7 accept leading or trailing whitespace.
-  // We want to accept all the values that either of these browsers accept, but
-  // not other values.
-
-  // FIXME: This function is not HTML5 compliant. These belong in the MIME
-  // registry as "text/javascript<version>" entries.
-  return equalIgnoringASCIICase(language, "javascript") ||
-         equalIgnoringASCIICase(language, "javascript1.0") ||
-         equalIgnoringASCIICase(language, "javascript1.1") ||
-         equalIgnoringASCIICase(language, "javascript1.2") ||
-         equalIgnoringASCIICase(language, "javascript1.3") ||
-         equalIgnoringASCIICase(language, "javascript1.4") ||
-         equalIgnoringASCIICase(language, "javascript1.5") ||
-         equalIgnoringASCIICase(language, "javascript1.6") ||
-         equalIgnoringASCIICase(language, "javascript1.7") ||
-         equalIgnoringASCIICase(language, "livescript") ||
-         equalIgnoringASCIICase(language, "ecmascript") ||
-         equalIgnoringASCIICase(language, "jscript");
-}
-
 void ScriptLoader::dispatchErrorEvent() {
   m_element->dispatchErrorEvent();
 }
 
 void ScriptLoader::dispatchLoadEvent() {
   m_element->dispatchLoadEvent();
   setHaveFiredLoadEvent(true);
 }
 
 bool ScriptLoader::isValidScriptTypeAndLanguage(
     const String& type,
     const String& language,
     LegacyTypeSupport supportLegacyTypes) {
   // FIXME: isLegacySupportedJavaScriptLanguage() is not valid HTML5. It is used
   // here to maintain backwards compatibility with existing layout tests. The
   // specific violations are:
   // - Allowing type=javascript. type= should only support MIME types, such as
   //   text/javascript.
   // - Allowing a different set of languages for language= and type=. language=
   //   supports Javascript 1.1 and 1.4-1.6, but type= does not.
   if (type.isEmpty()) {
     return language.isEmpty() ||  // assume text/javascript.
            MIMETypeRegistry::isSupportedJavaScriptMIMEType("text/" +
                                                            language) ||
-           isLegacySupportedJavaScriptLanguage(language);
+           MIMETypeRegistry::isLegacySupportedJavaScriptLanguage(language);
   } else if (RuntimeEnabledFeatures::moduleScriptsEnabled() &&
              type == "module") {
     return true;
   } else if (MIMETypeRegistry::isSupportedJavaScriptMIMEType(
                  type.stripWhiteSpace()) ||
              (supportLegacyTypes == AllowLegacyTypeInTypeAttribute &&
-              isLegacySupportedJavaScriptLanguage(type))) {
+              MIMETypeRegistry::isLegacySupportedJavaScriptLanguage(type))) {
     return true;
   }
 
   return false;
 }
 
 bool ScriptLoader::isScriptTypeSupported(
     LegacyTypeSupport supportLegacyTypes) const {
   return isValidScriptTypeAndLanguage(m_element->typeAttributeValue(),
                                       m_element->languageAttributeValue(),
@@ skipping 274 matching lines @@
   // and the element doesn't have a src attribute.
 
   // Reset line numbering for nested writes.
   TextPosition position = elementDocument.isInDocumentWrite()
                               ? TextPosition()
                               : scriptStartPosition;
   KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInserted)
                        ? elementDocument.url()
                        : KURL();
 
-  if (!executeScript(ScriptSourceCode(scriptContent(), scriptURL, position))) {
+  if (!executeScript(ClassicScript::create(
+          ScriptSourceCode(scriptContent(), scriptURL, position)))) {
     dispatchErrorEvent();
     return false;
   }
 
   return true;
 }
 
 // Steps 15--21 of https://html.spec.whatwg.org/#prepare-a-script
 bool ScriptLoader::fetchScript(const String& sourceUrl,
                                const String& encoding,
@@ skipping 100 matching lines @@
   if (m_createdDuringDocumentWrite &&
       m_resource->resourceRequest().getCachePolicy() ==
           WebCachePolicy::ReturnCacheDataDontLoad) {
     m_documentWriteIntervention =
         DocumentWriteIntervention::DoNotFetchDocWrittenScript;
   }
 
   return true;
 }
 
-void ScriptLoader::logScriptMIMEType(LocalFrame* frame,
-                                     ScriptResource* resource,
-                                     const String& mimeType) {
-  if (MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType))
-    return;
-  bool isText = mimeType.startsWith("text/", TextCaseASCIIInsensitive);
-  if (isText && isLegacySupportedJavaScriptLanguage(mimeType.substring(5)))
-    return;
-  bool isSameOrigin =
-      m_element->document().getSecurityOrigin()->canRequest(resource->url());
-  bool isApplication =
-      !isText && mimeType.startsWith("application/", TextCaseASCIIInsensitive);
-
-  UseCounter::Feature feature =
-      isSameOrigin
-          ? (isText ? UseCounter::SameOriginTextScript
-                    : isApplication ? UseCounter::SameOriginApplicationScript
-                                    : UseCounter::SameOriginOtherScript)
-          : (isText ? UseCounter::CrossOriginTextScript
-                    : isApplication ? UseCounter::CrossOriginApplicationScript
-                                    : UseCounter::CrossOriginOtherScript);
-
-  UseCounter::count(frame, feature);
-}
-
-bool ScriptLoader::executeScript(const ScriptSourceCode& sourceCode) {
+bool ScriptLoader::executeScript(const Script* script) {
   double scriptExecStartTime = monotonicallyIncreasingTime();
-  bool result = doExecuteScript(sourceCode);
+  bool result = doExecuteScript(script);
 
   // NOTE: we do not check m_willBeParserExecuted here, since
   // m_willBeParserExecuted is false for inline scripts, and we want to
   // include inline script execution time as part of parser blocked script
   // execution time.
   if (m_asyncExecType == ScriptRunner::None)
     DocumentParserTiming::from(m_element->document())
         .recordParserBlockedOnScriptExecutionDuration(
             monotonicallyIncreasingTime() - scriptExecStartTime,
             wasCreatedDuringDocumentWrite());
   return result;
 }
 
 // https://html.spec.whatwg.org/#execute-the-script-block
 // with additional support for HTML imports.
 // Note that Steps 2 and 8 must be handled by the caller of doExecuteScript(),
 // i.e. load/error events are dispatched by the caller.
 // Steps 3--7 are implemented here in doExecuteScript().
 // TODO(hiroshige): Move event dispatching code to doExecuteScript().
-bool ScriptLoader::doExecuteScript(const ScriptSourceCode& sourceCode) {
+bool ScriptLoader::doExecuteScript(const Script* script) {
   DCHECK(m_alreadyStarted);
 
-  if (sourceCode.isEmpty())
+  if (script->isEmpty())
     return true;
 
   Document* elementDocument = &(m_element->document());
   Document* contextDocument = elementDocument->contextDocument();
   if (!contextDocument)
     return true;
 
   LocalFrame* frame = contextDocument->frame();
   if (!frame)
     return true;
 
-  const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
-  bool shouldBypassMainWorldCSP =
-      (frame->script().shouldBypassMainWorldCSP()) ||
-      csp->allowScriptWithHash(sourceCode.source(),
-                               ContentSecurityPolicy::InlineType::Block);
+  if (!m_isExternalScript) {
+    const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
+    bool shouldBypassMainWorldCSP =
+        frame->script().shouldBypassMainWorldCSP() ||
+        csp->allowScriptWithHash(script->inlineSourceTextForCSP(),
+                                 ContentSecurityPolicy::InlineType::Block);
 
-  AtomicString nonce =
-      m_element->isNonceableElement() ? m_element->nonce() : nullAtom;
-  if (!m_isExternalScript && !shouldBypassMainWorldCSP &&
-      !m_element->allowInlineScriptForCSP(nonce, m_startLineNumber,
-                                          sourceCode.source())) {
-    return false;
+    AtomicString nonce =
+        m_element->isNonceableElement() ? m_element->nonce() : nullAtom;
+
+    if (!shouldBypassMainWorldCSP &&
+        !m_element->allowInlineScriptForCSP(nonce, m_startLineNumber,
+                                            script->inlineSourceTextForCSP())) {
+      return false;
+    }
   }
 
   if (m_isExternalScript) {
-    ScriptResource* resource = sourceCode.resource();
-    CHECK_EQ(resource, m_resource);
-    CHECK(resource);
-    if (!ScriptResource::mimeTypeAllowedByNosniff(resource->response())) {
-      contextDocument->addConsoleMessage(ConsoleMessage::create(
-          SecurityMessageSource, ErrorMessageLevel,
-          "Refused to execute script from '" + resource->url().elidedString() +
-              "' because its MIME type ('" + resource->httpContentType() +
-              "') is not executable, and "
-              "strict MIME type checking is "
-              "enabled."));
+    if (!script->checkMIMETypeBeforeRunScript(
+            contextDocument, m_element->document().getSecurityOrigin()))
       return false;
-    }
-
-    String mimeType = resource->httpContentType();
-    if (mimeType.startsWith("image/") || mimeType == "text/csv" ||
-        mimeType.startsWith("audio/") || mimeType.startsWith("video/")) {
-      contextDocument->addConsoleMessage(ConsoleMessage::create(
-          SecurityMessageSource, ErrorMessageLevel,
-          "Refused to execute script from '" + resource->url().elidedString() +
-              "' because its MIME type ('" + mimeType +
-              "') is not executable."));
-      if (mimeType.startsWith("image/"))
-        UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
-      else if (mimeType.startsWith("audio/"))
-        UseCounter::count(frame, UseCounter::BlockedSniffingAudioToScript);
-      else if (mimeType.startsWith("video/"))
-        UseCounter::count(frame, UseCounter::BlockedSniffingVideoToScript);
-      else if (mimeType == "text/csv")
-        UseCounter::count(frame, UseCounter::BlockedSniffingCSVToScript);
-      return false;
-    }
-
-    logScriptMIMEType(frame, resource, mimeType);
-  }
-
-  AccessControlStatus accessControlStatus = NotSharableCrossOrigin;
-  if (!m_isExternalScript) {
-    accessControlStatus = SharableCrossOrigin;
-  } else {
-    CHECK(sourceCode.resource());
-    accessControlStatus = sourceCode.resource()->calculateAccessControlStatus(
-        m_element->document().getSecurityOrigin());
   }
 
   const bool isImportedScript = contextDocument != elementDocument;
 
   // 3. "If the script is from an external file,
   //     or the script's type is module",
   //     then increment the ignore-destructive-writes counter of the
   //     script element's node document. Let neutralized doc be that Document."
   // TODO(hiroshige): Implement "module" case.
   IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(
       m_isExternalScript || isImportedScript ? contextDocument : 0);
 
   // 4. "Let old script element be the value to which the script element's
   //     node document's currentScript object was most recently set."
   // This is implemented as push/popCurrentScript().
 
   // 5. "Switch on the script's type:"
   //    - "classic":
   //    1. "If the script element's root is not a shadow root,
   //        then set the script element's node document's currentScript
   //        attribute to the script element. Otherwise, set it to null."
   contextDocument->pushCurrentScript(m_element.get());
 
   //    2. "Run the classic script given by the script's script."
   // Note: This is where the script is compiled and actually executed.
-  frame->script().executeScriptInMainWorld(sourceCode, accessControlStatus);
+  script->runScript(frame, m_element->document().getSecurityOrigin());
 
   //    - "module":
   // TODO(hiroshige): Implement this.
 
   // 6. "Set the script element's node document's currentScript attribute
   //     to old script element."
   contextDocument->popCurrentScript(m_element.get());
 
   return true;
 
   // 7. "Decrement the ignore-destructive-writes counter of neutralized doc,
   //     if it was incremented in the earlier step."
   // Implemented as the scope out of IgnoreDestructiveWriteCountIncrementer.
 }
 
 void ScriptLoader::execute() {
   DCHECK(!m_willBeParserExecuted);
   DCHECK(m_asyncExecType != ScriptRunner::None);
   DCHECK(m_pendingScript->resource());
   bool errorOccurred = false;
-  ScriptSourceCode source = m_pendingScript->getSource(KURL(), errorOccurred);
+  Script* script = m_pendingScript->getSource(KURL(), errorOccurred);
   detachPendingScript();
   if (errorOccurred) {
     dispatchErrorEvent();
   } else if (!m_resource->wasCanceled()) {
-    if (executeScript(source))
+    if (executeScript(script))
       dispatchLoadEvent();
     else
       dispatchErrorEvent();
   }
   m_resource = nullptr;
 }
 
 void ScriptLoader::pendingScriptFinished(PendingScript* pendingScript) {
   DCHECK(!m_willBeParserExecuted);
   DCHECK_EQ(m_pendingScript, pendingScript);
@@ skipping 60 matching lines @@
   //     then abort these steps at this point. The script is not executed.
   return equalIgnoringCase(eventAttribute, "onload") ||
          equalIgnoringCase(eventAttribute, "onload()");
 }
 
 String ScriptLoader::scriptContent() const {
   return m_element->textFromChildren();
 }
 
 }  // namespace blink