Introduce blink::Script

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights
  * reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ skipping 11 matching lines @@
  * Boston, MA 02110-1301, USA.
  */
 
 #include "core/dom/ScriptLoader.h"
 
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/ScriptSourceCode.h"
 #include "bindings/core/v8/V8Binding.h"
 #include "core/HTMLNames.h"
 #include "core/SVGNames.h"
+#include "core/dom/ClassicScript.h"
 #include "core/dom/Document.h"
 #include "core/dom/DocumentParserTiming.h"
 #include "core/dom/IgnoreDestructiveWriteCountIncrementer.h"
+#include "core/dom/Script.h"
 #include "core/dom/ScriptElementBase.h"
 #include "core/dom/ScriptRunner.h"
 #include "core/dom/ScriptableDocumentParser.h"
 #include "core/dom/Text.h"
 #include "core/events/Event.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/SubresourceIntegrity.h"
-#include "core/frame/UseCounter.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/CrossOriginAttribute.h"
 #include "core/html/imports/HTMLImport.h"
 #include "core/html/parser/HTMLParserIdioms.h"
-#include "core/inspector/ConsoleMessage.h"
 #include "platform/WebFrameScheduler.h"
 #include "platform/loader/fetch/AccessControlStatus.h"
 #include "platform/loader/fetch/FetchParameters.h"
 #include "platform/loader/fetch/MemoryCache.h"
 #include "platform/loader/fetch/ResourceFetcher.h"
 #include "platform/network/mime/MIMETypeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "platform/wtf/StdLibExtras.h"
 #include "platform/wtf/text/StringBuilder.h"
 #include "platform/wtf/text/StringHash.h"
@@ skipping 403 matching lines @@
   // and the element doesn't have a src attribute.
 
   // Reset line numbering for nested writes.
   TextPosition position = element_document.IsInDocumentWrite()
                               ? TextPosition()
                               : script_start_position;
   KURL script_url = (!element_document.IsInDocumentWrite() && parser_inserted_)
                         ? element_document.Url()
                         : KURL();
 
-  if (!ExecuteScript(ScriptSourceCode(ScriptContent(), script_url, position))) {
+  if (!ExecuteScript(ClassicScript::Create(
+          ScriptSourceCode(ScriptContent(), script_url, position)))) {
     DispatchErrorEvent();
     return false;
   }
 
   return true;
 }
 
 // Steps 15--21 of https://html.spec.whatwg.org/#prepare-a-script
 bool ScriptLoader::FetchScript(const String& source_url,
                                const String& encoding,
@@ skipping 106 matching lines @@
   }
 
   return true;
 }
 
 PendingScript* ScriptLoader::CreatePendingScript() {
   CHECK(resource_);
   return PendingScript::Create(element_, resource_);
 }
 
-void ScriptLoader::LogScriptMIMEType(LocalFrame* frame,
-                                     ScriptResource* resource,
-                                     const String& mime_type) {
-  if (MIMETypeRegistry::IsSupportedJavaScriptMIMEType(mime_type))
-    return;
-  bool is_text = mime_type.StartsWith("text/", kTextCaseASCIIInsensitive);
-  if (is_text && MIMETypeRegistry::IsLegacySupportedJavaScriptLanguage(
-                     mime_type.Substring(5)))
-    return;
-  bool is_same_origin =
-      element_->GetDocument().GetSecurityOrigin()->CanRequest(resource->Url());
-  bool is_application =
-      !is_text &&
-      mime_type.StartsWith("application/", kTextCaseASCIIInsensitive);
-
-  UseCounter::Feature feature =
-      is_same_origin
-          ? (is_text ? UseCounter::kSameOriginTextScript
-                     : is_application ? UseCounter::kSameOriginApplicationScript
-                                      : UseCounter::kSameOriginOtherScript)
-          : (is_text
-                 ? UseCounter::kCrossOriginTextScript
-                 : is_application ? UseCounter::kCrossOriginApplicationScript
-                                  : UseCounter::kCrossOriginOtherScript);
-
-  UseCounter::Count(frame, feature);
-}
-
-bool ScriptLoader::ExecuteScript(const ScriptSourceCode& source_code) {
+bool ScriptLoader::ExecuteScript(const Script* script) {
   double script_exec_start_time = MonotonicallyIncreasingTime();
-  bool result = DoExecuteScript(source_code);
+  bool result = DoExecuteScript(script);
 
   // NOTE: we do not check m_willBeParserExecuted here, since
   // m_willBeParserExecuted is false for inline scripts, and we want to
   // include inline script execution time as part of parser blocked script
   // execution time.
   if (async_exec_type_ == ScriptRunner::kNone)
     DocumentParserTiming::From(element_->GetDocument())
         .RecordParserBlockedOnScriptExecutionDuration(
             MonotonicallyIncreasingTime() - script_exec_start_time,
             WasCreatedDuringDocumentWrite());
   return result;
 }
 
 // https://html.spec.whatwg.org/#execute-the-script-block
 // with additional support for HTML imports.
 // Note that Steps 2 and 8 must be handled by the caller of doExecuteScript(),
 // i.e. load/error events are dispatched by the caller.
 // Steps 3--7 are implemented here in doExecuteScript().
 // TODO(hiroshige): Move event dispatching code to doExecuteScript().
-bool ScriptLoader::DoExecuteScript(const ScriptSourceCode& source_code) {
+bool ScriptLoader::DoExecuteScript(const Script* script) {
   DCHECK(already_started_);
 
-  if (source_code.IsEmpty())
+  if (script->IsEmpty())
     return true;
 
   Document* element_document = &(element_->GetDocument());
   Document* context_document = element_document->ContextDocument();
   if (!context_document)
     return true;
 
   LocalFrame* frame = context_document->GetFrame();
   if (!frame)
     return true;
 
-  const ContentSecurityPolicy* csp =
-      element_document->GetContentSecurityPolicy();
-  bool should_bypass_main_world_csp =
-      (frame->GetScriptController().ShouldBypassMainWorldCSP()) ||
-      csp->AllowScriptWithHash(source_code.Source(),
-                               ContentSecurityPolicy::InlineType::kBlock);
+  if (!is_external_script_) {
+    const ContentSecurityPolicy* csp =
+        element_document->GetContentSecurityPolicy();
+    bool should_bypass_main_world_csp =
+        (frame->GetScriptController().ShouldBypassMainWorldCSP()) ||
+        csp->AllowScriptWithHash(script->InlineSourceTextForCSP(),
+                                 ContentSecurityPolicy::InlineType::kBlock);
 
-  AtomicString nonce =
-      element_->IsNonceableElement() ? element_->nonce() : g_null_atom;
-  if (!is_external_script_ && !should_bypass_main_world_csp &&
-      !element_->AllowInlineScriptForCSP(nonce, start_line_number_,
-                                         source_code.Source())) {
-    return false;
+    AtomicString nonce =
+        element_->IsNonceableElement() ? element_->nonce() : g_null_atom;
+    if (!should_bypass_main_world_csp &&
+        !element_->AllowInlineScriptForCSP(nonce, start_line_number_,
+                                           script->InlineSourceTextForCSP())) {
+      return false;
+    }
   }
 
   if (is_external_script_) {
-    ScriptResource* resource = source_code.GetResource();
-    CHECK_EQ(resource, resource_);
-    CHECK(resource);
-    if (!ScriptResource::MimeTypeAllowedByNosniff(resource->GetResponse())) {
-      context_document->AddConsoleMessage(ConsoleMessage::Create(
-          kSecurityMessageSource, kErrorMessageLevel,
-          "Refused to execute script from '" + resource->Url().ElidedString() +
-              "' because its MIME type ('" + resource->HttpContentType() +
-              "') is not executable, and "
-              "strict MIME type checking is "
-              "enabled."));
+    if (!script->CheckMIMETypeBeforeRunScript(
+            context_document, element_->GetDocument().GetSecurityOrigin()))
       return false;
-    }
-
-    String mime_type = resource->HttpContentType();
-    if (mime_type.StartsWith("image/") || mime_type == "text/csv" ||
-        mime_type.StartsWith("audio/") || mime_type.StartsWith("video/")) {
-      context_document->AddConsoleMessage(ConsoleMessage::Create(
-          kSecurityMessageSource, kErrorMessageLevel,
-          "Refused to execute script from '" + resource->Url().ElidedString() +
-              "' because its MIME type ('" + mime_type +
-              "') is not executable."));
-      if (mime_type.StartsWith("image/"))
-        UseCounter::Count(frame, UseCounter::kBlockedSniffingImageToScript);
-      else if (mime_type.StartsWith("audio/"))
-        UseCounter::Count(frame, UseCounter::kBlockedSniffingAudioToScript);
-      else if (mime_type.StartsWith("video/"))
-        UseCounter::Count(frame, UseCounter::kBlockedSniffingVideoToScript);
-      else if (mime_type == "text/csv")
-        UseCounter::Count(frame, UseCounter::kBlockedSniffingCSVToScript);
-      return false;
-    }
-
-    LogScriptMIMEType(frame, resource, mime_type);
-  }
-
-  AccessControlStatus access_control_status = kNotSharableCrossOrigin;
-  if (!is_external_script_) {
-    access_control_status = kSharableCrossOrigin;
-  } else {
-    CHECK(source_code.GetResource());
-    access_control_status =
-        source_code.GetResource()->CalculateAccessControlStatus(
-            element_->GetDocument().GetSecurityOrigin());
   }
 
   const bool is_imported_script = context_document != element_document;
 
   // 3. "If the script is from an external file,
   //     or the script's type is module",
   //     then increment the ignore-destructive-writes counter of the
   //     script element's node document. Let neutralized doc be that Document."
   // TODO(hiroshige): Implement "module" case.
   IgnoreDestructiveWriteCountIncrementer
       ignore_destructive_write_count_incrementer(
           is_external_script_ || is_imported_script ? context_document : 0);
 
   // 4. "Let old script element be the value to which the script element's
   //     node document's currentScript object was most recently set."
   // This is implemented as push/popCurrentScript().
 
   // 5. "Switch on the script's type:"
   //    - "classic":
   //    1. "If the script element's root is not a shadow root,
   //        then set the script element's node document's currentScript
   //        attribute to the script element. Otherwise, set it to null."
   context_document->PushCurrentScript(element_.Get());
 
   //    2. "Run the classic script given by the script's script."
   // Note: This is where the script is compiled and actually executed.
-  frame->GetScriptController().ExecuteScriptInMainWorld(source_code,
-                                                        access_control_status);
+  script->RunScript(frame, element_->GetDocument().GetSecurityOrigin());
 
   //    - "module":
   // TODO(hiroshige): Implement this.
 
   // 6. "Set the script element's node document's currentScript attribute
   //     to old script element."
   context_document->PopCurrentScript(element_.Get());
 
   return true;
 
   // 7. "Decrement the ignore-destructive-writes counter of neutralized doc,
   //     if it was incremented in the earlier step."
   // Implemented as the scope out of IgnoreDestructiveWriteCountIncrementer.
 }
 
 void ScriptLoader::Execute() {
   DCHECK(!will_be_parser_executed_);
   DCHECK(async_exec_type_ != ScriptRunner::kNone);
   DCHECK(pending_script_->GetResource());
   bool error_occurred = false;
-  ScriptSourceCode source = pending_script_->GetSource(KURL(), error_occurred);
+  Script* script = pending_script_->GetSource(KURL(), error_occurred);
   DetachPendingScript();
   if (error_occurred) {
     DispatchErrorEvent();
   } else if (!resource_->WasCanceled()) {
-    if (ExecuteScript(source))
+    if (ExecuteScript(script))
       DispatchLoadEvent();
     else
       DispatchErrorEvent();
   }
   resource_ = nullptr;
 }
 
 void ScriptLoader::PendingScriptFinished(PendingScript* pending_script) {
   DCHECK(!will_be_parser_executed_);
   DCHECK_EQ(pending_script_, pending_script);
@@ skipping 61 matching lines @@
   //     then abort these steps at this point. The script is not executed.
   return DeprecatedEqualIgnoringCase(event_attribute, "onload") ||
          DeprecatedEqualIgnoringCase(event_attribute, "onload()");
 }
 
 String ScriptLoader::ScriptContent() const {
   return element_->TextFromChildren();
 }
 
 }  // namespace blink