Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(122)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 353873003: Clean up usage of CSP functions (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix to apply Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « Source/bindings/v8/ScriptController.cpp ('k') | Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 244 matching lines...) Expand 10 before | Expand all | Expand 10 after
255 255
256 ASSERT(!m_resource); 256 ASSERT(!m_resource);
257 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { 257 if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
258 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName()); 258 FetchRequest request(ResourceRequest(elementDocument->completeURL(source Url)), m_element->localName());
259 259
260 AtomicString crossOriginMode = m_element->fastGetAttribute(HTMLNames::cr ossoriginAttr); 260 AtomicString crossOriginMode = m_element->fastGetAttribute(HTMLNames::cr ossoriginAttr);
261 if (!crossOriginMode.isNull()) 261 if (!crossOriginMode.isNull())
262 request.setCrossOriginAccessControl(elementDocument->securityOrigin( ), crossOriginMode); 262 request.setCrossOriginAccessControl(elementDocument->securityOrigin( ), crossOriginMode);
263 request.setCharset(scriptCharset()); 263 request.setCharset(scriptCharset());
264 264
265 bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allo wScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); 265 bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowSc riptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
266 if (isValidScriptNonce) 266 if (scriptPassesCSP)
267 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); 267 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
268 268
269 m_resource = elementDocument->fetcher()->fetchScript(request); 269 m_resource = elementDocument->fetcher()->fetchScript(request);
270 m_isExternalScript = true; 270 m_isExternalScript = true;
271 } 271 }
272 272
273 if (m_resource) 273 if (m_resource)
274 return true; 274 return true;
275 275
276 dispatchErrorEvent(); 276 dispatchErrorEvent();
(...skipping 19 matching lines...) Expand all
296 if (sourceCode.isEmpty()) 296 if (sourceCode.isEmpty())
297 return; 297 return;
298 298
299 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); 299 RefPtrWillBeRawPtr<Document> elementDocument(m_element->document());
300 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum ent().get(); 300 RefPtrWillBeRawPtr<Document> contextDocument = elementDocument->contextDocum ent().get();
301 if (!contextDocument) 301 if (!contextDocument)
302 return; 302 return;
303 303
304 LocalFrame* frame = contextDocument->frame(); 304 LocalFrame* frame = contextDocument->frame();
305 305
306 bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script(). shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurit yPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) | | elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source()) ; 306 const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
307 bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWo rldCSP())
308 || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonc eAttr))
309 || csp->allowScriptWithHash(sourceCode.source());
307 310
308 if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && ! elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url (), m_startLineNumber))) 311 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber)))
309 return; 312 return;
310 313
311 if (m_isExternalScript) { 314 if (m_isExternalScript) {
312 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); 315 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source();
313 if (resource && !resource->mimeTypeAllowedByNosniff()) { 316 if (resource && !resource->mimeTypeAllowedByNosniff()) {
314 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessa geLevel, "Refused to execute script from '" + resource->url().elidedString() + " ' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."); 317 contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessa geLevel, "Refused to execute script from '" + resource->url().elidedString() + " ' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
315 return; 318 return;
316 } 319 }
317 } 320 }
318 321
319 if (frame) { 322 // FIXME: Can this be moved earlier in the function?
320 const bool isImportedScript = contextDocument != elementDocument; 323 // Why are we ever attempting to execute scripts without a frame?
321 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script -block step 2.3 324 if (!frame)
322 // with additional support for HTML imports. 325 return;
323 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrem enter(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
324 326
325 if (isHTMLScriptLoader(m_element)) 327 const bool isImportedScript = contextDocument != elementDocument;
326 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element)); 328 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3
329 // with additional support for HTML imports.
330 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncremente r(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
327 331
328 AccessControlStatus corsCheck = NotSharableCrossOrigin; 332 if (isHTMLScriptLoader(m_element))
329 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource ()->passesAccessControlCheck(m_element->document().securityOrigin()))) 333 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
330 corsCheck = SharableCrossOrigin;
331 334
332 // Create a script from the script element node, using the script 335 AccessControlStatus corsCheck = NotSharableCrossOrigin;
333 // block's source and the script block's type. 336 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()-> passesAccessControlCheck(m_element->document().securityOrigin())))
334 // Note: This is where the script is compiled and actually executed. 337 corsCheck = SharableCrossOrigin;
335 frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
336 338
337 if (isHTMLScriptLoader(m_element)) { 339 // Create a script from the script element node, using the script
338 ASSERT(contextDocument->currentScript() == m_element); 340 // block's source and the script block's type.
339 contextDocument->popCurrentScript(); 341 // Note: This is where the script is compiled and actually executed.
340 } 342 frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
343
344 if (isHTMLScriptLoader(m_element)) {
345 ASSERT(contextDocument->currentScript() == m_element);
346 contextDocument->popCurrentScript();
341 } 347 }
342 } 348 }
343 349
344 void ScriptLoader::stopLoadRequest() 350 void ScriptLoader::stopLoadRequest()
345 { 351 {
346 if (m_resource) { 352 if (m_resource) {
347 if (!m_willBeParserExecuted) 353 if (!m_willBeParserExecuted)
348 m_resource->removeClient(this); 354 m_resource->removeClient(this);
349 m_resource = 0; 355 m_resource = 0;
350 } 356 }
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after
435 if (isHTMLScriptLoader(element)) 441 if (isHTMLScriptLoader(element))
436 return toHTMLScriptElement(element)->loader(); 442 return toHTMLScriptElement(element)->loader();
437 443
438 if (isSVGScriptLoader(element)) 444 if (isSVGScriptLoader(element))
439 return toSVGScriptElement(element)->loader(); 445 return toSVGScriptElement(element)->loader();
440 446
441 return 0; 447 return 0;
442 } 448 }
443 449
444 } 450 }
OLDNEW
« no previous file with comments | « Source/bindings/v8/ScriptController.cpp ('k') | Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698