Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(21)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/ScriptLoader.h

Issue 47923008: Block execution of failed 'crossorigin' <script>s. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 7 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « LayoutTests/http/tests/security/script-onerror-crossorigin-same-origin-expected.txt ('k') | Source/core/dom/ScriptLoader.cpp » ('j') | Source/core/dom/ScriptLoader.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 2 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
3 * 3 *
4 * This library is free software; you can redistribute it and/or 4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Library General Public 5 * modify it under the terms of the GNU Library General Public
6 * License as published by the Free Software Foundation; either 6 * License as published by the Free Software Foundation; either
7 * version 2 of the License, or (at your option) any later version. 7 * version 2 of the License, or (at your option) any later version.
8 * 8 *
9 * This library is distributed in the hope that it will be useful, 9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
(...skipping 12 matching lines...) Expand all
23 23
24 #include "core/fetch/ResourceClient.h" 24 #include "core/fetch/ResourceClient.h"
25 #include "core/fetch/ResourcePtr.h" 25 #include "core/fetch/ResourcePtr.h"
26 #include "wtf/text/TextPosition.h" 26 #include "wtf/text/TextPosition.h"
27 #include "wtf/text/WTFString.h" 27 #include "wtf/text/WTFString.h"
28 28
29 namespace WebCore { 29 namespace WebCore {
30 30
31 class ScriptResource; 31 class ScriptResource;
32 class ContainerNode; 32 class ContainerNode;
33 class Document;
33 class Element; 34 class Element;
34 class ScriptLoaderClient; 35 class ScriptLoaderClient;
35 class ScriptSourceCode; 36 class ScriptSourceCode;
36 37
37 38
38 class ScriptLoader : private ResourceClient { 39 class ScriptLoader : private ResourceClient {
39 public: 40 public:
40 static PassOwnPtr<ScriptLoader> create(Element*, bool createdByParser, bool isEvaluated); 41 static PassOwnPtr<ScriptLoader> create(Element*, bool createdByParser, bool isEvaluated);
41 virtual ~ScriptLoader(); 42 virtual ~ScriptLoader();
42 43
43 Element* element() const { return m_element; } 44 Element* element() const { return m_element; }
44 45
45 enum LegacyTypeSupport { DisallowLegacyTypeInTypeAttribute, AllowLegacyTypeI nTypeAttribute }; 46 enum LegacyTypeSupport { DisallowLegacyTypeInTypeAttribute, AllowLegacyTypeI nTypeAttribute };
46 bool prepareScript(const TextPosition& scriptStartPosition = TextPosition::m inimumPosition(), LegacyTypeSupport = DisallowLegacyTypeInTypeAttribute); 47 bool prepareScript(const TextPosition& scriptStartPosition = TextPosition::m inimumPosition(), LegacyTypeSupport = DisallowLegacyTypeInTypeAttribute);
47 48
48 String scriptCharset() const { return m_characterEncoding; } 49 String scriptCharset() const { return m_characterEncoding; }
49 String scriptContent() const; 50 String scriptContent() const;
50 void executeScript(const ScriptSourceCode&); 51 void executeScript(const ScriptSourceCode&);
51 void execute(ScriptResource*); 52 void execute(ScriptResource*);
52 53
54 // Check if potentially cross-origin enabled script is accessible
55 // prior to execution. Returns 'false' if not accessible, signalling
56 // that callers must not dispatch load events as the cross-origin
57 // fetch failed.
58 bool executePotentiallyCrossOriginScript(const ScriptSourceCode&);
59
53 // XML parser calls these 60 // XML parser calls these
54 void dispatchLoadEvent(); 61 void dispatchLoadEvent();
55 void dispatchErrorEvent(); 62 void dispatchErrorEvent();
56 bool isScriptTypeSupported(LegacyTypeSupport) const; 63 bool isScriptTypeSupported(LegacyTypeSupport) const;
57 64
58 bool haveFiredLoadEvent() const { return m_haveFiredLoad; } 65 bool haveFiredLoadEvent() const { return m_haveFiredLoad; }
59 bool willBeParserExecuted() const { return m_willBeParserExecuted; } 66 bool willBeParserExecuted() const { return m_willBeParserExecuted; }
60 bool readyToBeParserExecuted() const { return m_readyToBeParserExecuted; } 67 bool readyToBeParserExecuted() const { return m_readyToBeParserExecuted; }
61 bool willExecuteWhenDocumentFinishedParsing() const { return m_willExecuteWh enDocumentFinishedParsing; } 68 bool willExecuteWhenDocumentFinishedParsing() const { return m_willExecuteWh enDocumentFinishedParsing; }
62 ResourcePtr<ScriptResource> resource() { return m_resource; } 69 ResourcePtr<ScriptResource> resource() { return m_resource; }
63 70
64 void setHaveFiredLoadEvent(bool haveFiredLoad) { m_haveFiredLoad = haveFired Load; } 71 void setHaveFiredLoadEvent(bool haveFiredLoad) { m_haveFiredLoad = haveFired Load; }
65 bool isParserInserted() const { return m_parserInserted; } 72 bool isParserInserted() const { return m_parserInserted; }
66 bool alreadyStarted() const { return m_alreadyStarted; } 73 bool alreadyStarted() const { return m_alreadyStarted; }
67 bool forceAsync() const { return m_forceAsync; } 74 bool forceAsync() const { return m_forceAsync; }
68 75
69 // Helper functions used by our parent classes. 76 // Helper functions used by our parent classes.
70 void didNotifySubtreeInsertionsToDocument(); 77 void didNotifySubtreeInsertionsToDocument();
71 void childrenChanged(); 78 void childrenChanged();
72 void handleSourceAttribute(const String& sourceUrl); 79 void handleSourceAttribute(const String& sourceUrl);
73 void handleAsyncAttribute(); 80 void handleAsyncAttribute();
74 81
82 static void reportCrossOriginFailure(Document*, const KURL& originUrl, const String& errorDescription);
83
75 private: 84 private:
76 ScriptLoader(Element*, bool createdByParser, bool isEvaluated); 85 ScriptLoader(Element*, bool createdByParser, bool isEvaluated);
77 86
78 bool ignoresLoadRequest() const; 87 bool ignoresLoadRequest() const;
79 bool isScriptForEventSupported() const; 88 bool isScriptForEventSupported() const;
80 89
81 bool fetchScript(const String& sourceUrl); 90 bool fetchScript(const String& sourceUrl);
82 void stopLoadRequest(); 91 void stopLoadRequest();
83 92
84 ScriptLoaderClient* client() const; 93 ScriptLoaderClient* client() const;
(...skipping 21 matching lines...) Expand all
106 115
107 inline PassOwnPtr<ScriptLoader> ScriptLoader::create(Element* element, bool crea tedByParser, bool isEvaluated) 116 inline PassOwnPtr<ScriptLoader> ScriptLoader::create(Element* element, bool crea tedByParser, bool isEvaluated)
108 { 117 {
109 return adoptPtr(new ScriptLoader(element, createdByParser, isEvaluated)); 118 return adoptPtr(new ScriptLoader(element, createdByParser, isEvaluated));
110 } 119 }
111 120
112 } 121 }
113 122
114 123
115 #endif 124 #endif
OLDNEW
« no previous file with comments | « LayoutTests/http/tests/security/script-onerror-crossorigin-same-origin-expected.txt ('k') | Source/core/dom/ScriptLoader.cpp » ('j') | Source/core/dom/ScriptLoader.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698