OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 223 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
234 m_willExecuteInOrder = true; | 234 m_willExecuteInOrder = true; |
235 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::IN_ORDER_EXECUTION); | 235 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::IN_ORDER_EXECUTION); |
236 m_resource->addClient(this); | 236 m_resource->addClient(this); |
237 } else if (client->hasSourceAttribute()) { | 237 } else if (client->hasSourceAttribute()) { |
238 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::ASYNC_EXECUTION); | 238 contextDocument->scriptRunner()->queueScriptForExecution(this, m_resourc e, ScriptRunner::ASYNC_EXECUTION); |
239 m_resource->addClient(this); | 239 m_resource->addClient(this); |
240 } else { | 240 } else { |
241 // Reset line numbering for nested writes. | 241 // Reset line numbering for nested writes. |
242 TextPosition position = elementDocument.isInDocumentWrite() ? TextPositi on() : scriptStartPosition; | 242 TextPosition position = elementDocument.isInDocumentWrite() ? TextPositi on() : scriptStartPosition; |
243 KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInsert ed) ? elementDocument.url() : KURL(); | 243 KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInsert ed) ? elementDocument.url() : KURL(); |
244 executeScript(ScriptSourceCode(scriptContent(), scriptURL, position)); | 244 ScriptSourceCode sourceCode(scriptContent(), scriptURL, position); |
245 | |
246 executePotentiallyCrossOriginScript(sourceCode); | |
245 } | 247 } |
246 | 248 |
247 return true; | 249 return true; |
248 } | 250 } |
249 | 251 |
250 bool ScriptLoader::fetchScript(const String& sourceUrl) | 252 bool ScriptLoader::fetchScript(const String& sourceUrl) |
251 { | 253 { |
252 ASSERT(m_element); | 254 ASSERT(m_element); |
253 | 255 |
254 RefPtr<Document> elementDocument(m_element->document()); | 256 RefPtr<Document> elementDocument(m_element->document()); |
(...skipping 14 matching lines...) Expand all Loading... | |
269 request.setCharset(scriptCharset()); | 271 request.setCharset(scriptCharset()); |
270 | 272 |
271 bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allo wScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); | 273 bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allo wScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); |
272 if (isValidScriptNonce) | 274 if (isValidScriptNonce) |
273 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); | 275 request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); |
274 | 276 |
275 m_resource = elementDocument->fetcher()->fetchScript(request); | 277 m_resource = elementDocument->fetcher()->fetchScript(request); |
276 m_isExternalScript = true; | 278 m_isExternalScript = true; |
277 } | 279 } |
278 | 280 |
279 if (m_resource) { | 281 if (m_resource) |
280 return true; | 282 return true; |
281 } | |
282 | 283 |
283 dispatchErrorEvent(); | 284 dispatchErrorEvent(); |
284 return false; | 285 return false; |
285 } | 286 } |
286 | 287 |
287 bool isHTMLScriptLoader(Element* element) | 288 bool isHTMLScriptLoader(Element* element) |
288 { | 289 { |
289 return element->hasTagName(HTMLNames::scriptTag); | 290 return element->hasTagName(HTMLNames::scriptTag); |
290 } | 291 } |
291 | 292 |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
355 ASSERT(resource); | 356 ASSERT(resource); |
356 if (resource->errorOccurred()) { | 357 if (resource->errorOccurred()) { |
357 dispatchErrorEvent(); | 358 dispatchErrorEvent(); |
358 } else if (!resource->wasCanceled()) { | 359 } else if (!resource->wasCanceled()) { |
359 executeScript(ScriptSourceCode(resource)); | 360 executeScript(ScriptSourceCode(resource)); |
360 dispatchLoadEvent(); | 361 dispatchLoadEvent(); |
361 } | 362 } |
362 resource->removeClient(this); | 363 resource->removeClient(this); |
363 } | 364 } |
364 | 365 |
366 bool ScriptLoader::executePotentiallyCrossOriginScript(const ScriptSourceCode& s ourceCode) | |
367 { | |
368 RefPtr<Document> elementDocument(m_element->document()); | |
369 RefPtr<Document> contextDocument = elementDocument->contextDocument().get(); | |
370 if (!contextDocument) | |
371 return true; | |
372 | |
373 if (sourceCode.resource() | |
374 && !m_element->fastGetAttribute(HTMLNames::crossoriginAttr).isNull() | |
Mike West
2013/10/29 11:00:53
Another script could alter the value while the scr
sof
2013/10/29 12:04:42
Let's do that; I found the spec text not 100% clea
| |
375 && !elementDocument->securityOrigin()->canRequest(sourceCode.resource()- >url())) { | |
376 String errorDescription; | |
377 if (!sourceCode.resource()->passesAccessControlCheck(elementDocument->se curityOrigin(), errorDescription)) { | |
378 reportCrossOriginFailure(contextDocument.get(), sourceCode.resource( )->url(), errorDescription); | |
379 return false; | |
380 } | |
381 } | |
382 executeScript(sourceCode); | |
383 return true; | |
384 } | |
385 | |
386 void ScriptLoader::reportCrossOriginFailure(Document* document, const KURL& orig inUrl, const String& errorDescription) | |
387 { | |
388 document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(originUrl)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription); | |
389 } | |
390 | |
365 void ScriptLoader::notifyFinished(Resource* resource) | 391 void ScriptLoader::notifyFinished(Resource* resource) |
366 { | 392 { |
367 ASSERT(!m_willBeParserExecuted); | 393 ASSERT(!m_willBeParserExecuted); |
368 | 394 |
369 RefPtr<Document> elementDocument(m_element->document()); | 395 RefPtr<Document> elementDocument(m_element->document()); |
370 RefPtr<Document> contextDocument = elementDocument->contextDocument().get(); | 396 RefPtr<Document> contextDocument = elementDocument->contextDocument().get(); |
371 if (!contextDocument) | 397 if (!contextDocument) |
372 return; | 398 return; |
373 | 399 |
374 // Resource possibly invokes this notifyFinished() more than | 400 // Resource possibly invokes this notifyFinished() more than |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
434 if (isHTMLScriptLoader(element)) | 460 if (isHTMLScriptLoader(element)) |
435 return toHTMLScriptElement(element)->loader(); | 461 return toHTMLScriptElement(element)->loader(); |
436 | 462 |
437 if (isSVGScriptLoader(element)) | 463 if (isSVGScriptLoader(element)) |
438 return toSVGScriptElement(element)->loader(); | 464 return toSVGScriptElement(element)->loader(); |
439 | 465 |
440 return 0; | 466 return 0; |
441 } | 467 } |
442 | 468 |
443 } | 469 } |
OLD | NEW |