Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(743)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/dom/ScriptLoader.cpp

Issue 353873003: Clean up usage of CSP functions (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix to apply Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/bindings/v8/ScriptController.cpp ('k') | Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/dom/ScriptLoader.cpp
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp
index e5b9a3be4bbb4bf97415f6e9dd11fad32571616d..e82455733ba303d29199c7dce749545897a59e9a 100644
--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -262,8 +262,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl)
request.setCrossOriginAccessControl(elementDocument->securityOrigin(), crossOriginMode);
request.setCharset(scriptCharset());
- bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
- if (isValidScriptNonce)
+ bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
+ if (scriptPassesCSP)
request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
m_resource = elementDocument->fetcher()->fetchScript(request);
@@ -303,9 +303,12 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
LocalFrame* frame = contextDocument->frame();
- bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script().shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) || elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source());
+ const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
+ bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWorldCSP())
+ || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr))
+ || csp->allowScriptWithHash(sourceCode.source());
- if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))
+ if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_startLineNumber)))
return;
if (m_isExternalScript) {
@@ -316,28 +319,31 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
}
}
- if (frame) {
- const bool isImportedScript = contextDocument != elementDocument;
- // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block step 2.3
- // with additional support for HTML imports.
- IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
+ // FIXME: Can this be moved earlier in the function?
+ // Why are we ever attempting to execute scripts without a frame?
+ if (!frame)
+ return;
+
+ const bool isImportedScript = contextDocument != elementDocument;
+ // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block step 2.3
+ // with additional support for HTML imports.
+ IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
- if (isHTMLScriptLoader(m_element))
- contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
+ if (isHTMLScriptLoader(m_element))
+ contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
- AccessControlStatus corsCheck = NotSharableCrossOrigin;
- if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()->passesAccessControlCheck(m_element->document().securityOrigin())))
- corsCheck = SharableCrossOrigin;
+ AccessControlStatus corsCheck = NotSharableCrossOrigin;
+ if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()->passesAccessControlCheck(m_element->document().securityOrigin())))
+ corsCheck = SharableCrossOrigin;
- // Create a script from the script element node, using the script
- // block's source and the script block's type.
- // Note: This is where the script is compiled and actually executed.
- frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
+ // Create a script from the script element node, using the script
+ // block's source and the script block's type.
+ // Note: This is where the script is compiled and actually executed.
+ frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
- if (isHTMLScriptLoader(m_element)) {
- ASSERT(contextDocument->currentScript() == m_element);
- contextDocument->popCurrentScript();
- }
+ if (isHTMLScriptLoader(m_element)) {
+ ASSERT(contextDocument->currentScript() == m_element);
+ contextDocument->popCurrentScript();
}
}
« no previous file with comments | « Source/bindings/v8/ScriptController.cpp ('k') | Source/core/dom/StyleElement.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698