Index: third_party/WebKit/Source/core/dom/ClassicScript.cpp |
diff --git a/third_party/WebKit/Source/core/dom/ClassicScript.cpp b/third_party/WebKit/Source/core/dom/ClassicScript.cpp |
new file mode 100644 |
index 0000000000000000000000000000000000000000..34d45b4aaaf7f8952428e928b75631812df3f829 |
--- /dev/null |
+++ b/third_party/WebKit/Source/core/dom/ClassicScript.cpp |
@@ -0,0 +1,105 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "core/dom/ClassicScript.h" |
+ |
+#include "bindings/core/v8/ScriptController.h" |
+#include "core/dom/Document.h" |
+#include "core/frame/LocalFrame.h" |
+#include "core/frame/UseCounter.h" |
+#include "core/inspector/ConsoleMessage.h" |
+#include "platform/loader/fetch/AccessControlStatus.h" |
+#include "platform/network/mime/MIMETypeRegistry.h" |
+ |
+namespace blink { |
+ |
+namespace { |
+ |
+void logScriptMIMEType(LocalFrame* frame, |
+ ScriptResource* resource, |
+ const String& mimeType, |
+ const SecurityOrigin* securityOrigin) { |
+ if (MIMETypeRegistry::isSupportedJavaScriptMIMEType(mimeType)) |
+ return; |
+ bool isText = mimeType.startsWith("text/", TextCaseASCIIInsensitive); |
+ if (isText && MIMETypeRegistry::isLegacySupportedJavaScriptLanguage( |
+ mimeType.substring(5))) |
+ return; |
+ bool isSameOrigin = securityOrigin->canRequest(resource->url()); |
+ bool isApplication = |
+ !isText && mimeType.startsWith("application/", TextCaseASCIIInsensitive); |
+ |
+ UseCounter::Feature feature = |
+ isSameOrigin |
+ ? (isText ? UseCounter::SameOriginTextScript |
+ : isApplication ? UseCounter::SameOriginApplicationScript |
+ : UseCounter::SameOriginOtherScript) |
+ : (isText ? UseCounter::CrossOriginTextScript |
+ : isApplication ? UseCounter::CrossOriginApplicationScript |
+ : UseCounter::CrossOriginOtherScript); |
+ |
+ UseCounter::count(frame, feature); |
+} |
+ |
+} // namespace |
+ |
+bool ClassicScript::isEmpty() const { |
+ return scriptSourceCode().isEmpty(); |
+} |
+ |
+bool ClassicScript::checkMIMETypeBeforeRunScript( |
+ Document* contextDocument, |
+ const SecurityOrigin* securityOrigin) const { |
+ ScriptResource* resource = scriptSourceCode().resource(); |
+ CHECK(resource); |
+ if (!ScriptResource::mimeTypeAllowedByNosniff(resource->response())) { |
+ contextDocument->addConsoleMessage(ConsoleMessage::create( |
+ SecurityMessageSource, ErrorMessageLevel, |
+ "Refused to execute script from '" + resource->url().elidedString() + |
+ "' because its MIME type ('" + resource->httpContentType() + |
+ "') is not executable, and strict MIME type checking is enabled.")); |
+ return false; |
+ } |
+ |
+ String mimeType = resource->httpContentType(); |
+ LocalFrame* frame = contextDocument->frame(); |
+ if (mimeType.startsWith("image/") || mimeType == "text/csv" || |
+ mimeType.startsWith("audio/") || mimeType.startsWith("video/")) { |
+ contextDocument->addConsoleMessage(ConsoleMessage::create( |
+ SecurityMessageSource, ErrorMessageLevel, |
+ "Refused to execute script from '" + resource->url().elidedString() + |
+ "' because its MIME type ('" + mimeType + "') is not executable.")); |
+ if (mimeType.startsWith("image/")) |
+ UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); |
+ else if (mimeType.startsWith("audio/")) |
+ UseCounter::count(frame, UseCounter::BlockedSniffingAudioToScript); |
+ else if (mimeType.startsWith("video/")) |
+ UseCounter::count(frame, UseCounter::BlockedSniffingVideoToScript); |
+ else if (mimeType == "text/csv") |
+ UseCounter::count(frame, UseCounter::BlockedSniffingCSVToScript); |
+ return false; |
+ } |
+ |
+ logScriptMIMEType(frame, resource, mimeType, securityOrigin); |
+ return true; |
+} |
+ |
+void ClassicScript::runScript(LocalFrame* frame, |
+ const SecurityOrigin* securityOrigin) const { |
+ AccessControlStatus accessControlStatus = NotSharableCrossOrigin; |
+ const bool isExternalScript = scriptSourceCode().resource(); |
+ if (!isExternalScript) { |
+ accessControlStatus = SharableCrossOrigin; |
+ } else { |
+ CHECK(scriptSourceCode().resource()); |
+ accessControlStatus = |
+ scriptSourceCode().resource()->calculateAccessControlStatus( |
+ securityOrigin); |
+ } |
+ |
+ frame->script().executeScriptInMainWorld(scriptSourceCode(), |
+ accessControlStatus); |
+} |
+ |
+} // namespace blink |