Block execution of failed 'crossorigin' <script>s.

Source/core/dom/ScriptLoader.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 223 matching lines @@
         m_willExecuteInOrder = true;
         contextDocument->scriptRunner()->queueScriptForExecution(this, m_resource, ScriptRunner::IN_ORDER_EXECUTION);
         m_resource->addClient(this);
     } else if (client->hasSourceAttribute()) {
         contextDocument->scriptRunner()->queueScriptForExecution(this, m_resource, ScriptRunner::ASYNC_EXECUTION);
         m_resource->addClient(this);
     } else {
         // Reset line numbering for nested writes.
         TextPosition position = elementDocument.isInDocumentWrite() ? TextPosition() : scriptStartPosition;
         KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInserted) ? elementDocument.url() : KURL();
-        executeScript(ScriptSourceCode(scriptContent(), scriptURL, position));
+        ScriptSourceCode sourceCode(scriptContent(), scriptURL, position);
+
+        executePotentiallyCrossOriginScript(sourceCode);
     }
 
     return true;
 }
 
 bool ScriptLoader::fetchScript(const String& sourceUrl)
 {
     ASSERT(m_element);
 
     RefPtr<Document> elementDocument(m_element->document());
@@ skipping 14 matching lines @@
         request.setCharset(scriptCharset());
 
         bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
         if (isValidScriptNonce)
             request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
 
         m_resource = elementDocument->fetcher()->fetchScript(request);
         m_isExternalScript = true;
     }
 
-    if (m_resource) {
+    if (m_resource)
         return true;
-    }
 
     dispatchErrorEvent();
     return false;
 }
 
 bool isHTMLScriptLoader(Element* element)
 {
     return element->hasTagName(HTMLNames::scriptTag);
 }
 
@@ skipping 63 matching lines @@
     ASSERT(resource);
     if (resource->errorOccurred()) {
         dispatchErrorEvent();
     } else if (!resource->wasCanceled()) {
         executeScript(ScriptSourceCode(resource));
         dispatchLoadEvent();
     }
     resource->removeClient(this);
 }
 
+bool ScriptLoader::executePotentiallyCrossOriginScript(const ScriptSourceCode& sourceCode)
+{
+    RefPtr<Document> elementDocument(m_element->document());
+    RefPtr<Document> contextDocument = elementDocument->contextDocument().get();
+    if (!contextDocument)
+        return true;
+
+    if (sourceCode.resource()
+        && !m_element->fastGetAttribute(HTMLNames::crossoriginAttr).isNull()

[Mike West, 2013/10/29 11:00:53]

Another script could alter the value while the script is loading, so this check
comes too late.

Perhaps we could store that cached value on the ScriptSourceCode object instead
of reading it from the DOM here? We check the crossorigin status of the script
when generating the request in ScriptLoader::fetchScript, and pass it through
the fetcher on the Request object. I believe it should therefore already be
available in the ScriptSourceCode constructor.

[sof, 2013/10/29 12:04:42]

Let's do that; I found the spec text not 100% clear about when you should sample
the state of the content attribute wrt performing the resource sharing check,
but doing it this way does reduce non-determinism.

+        && !elementDocument->securityOrigin()->canRequest(sourceCode.resource()->url())) {
+        String errorDescription;
+        if (!sourceCode.resource()->passesAccessControlCheck(elementDocument->securityOrigin(), errorDescription)) {
+            reportCrossOriginFailure(contextDocument.get(), sourceCode.resource()->url(), errorDescription);
+            return false;
+        }
+    }
+    executeScript(sourceCode);
+    return true;
+}
+
+void ScriptLoader::reportCrossOriginFailure(Document* document, const KURL& originUrl, const String& errorDescription)
+{
+    document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(originUrl)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
+}
+
 void ScriptLoader::notifyFinished(Resource* resource)
 {
     ASSERT(!m_willBeParserExecuted);
 
     RefPtr<Document> elementDocument(m_element->document());
     RefPtr<Document> contextDocument = elementDocument->contextDocument().get();
     if (!contextDocument)
         return;
 
     // Resource possibly invokes this notifyFinished() more than
@@ skipping 59 matching lines @@
     if (isHTMLScriptLoader(element))
         return toHTMLScriptElement(element)->loader();
 
     if (isSVGScriptLoader(element))
         return toSVGScriptElement(element)->loader();
 
     return 0;
 }
 
 }