Block execution of failed 'crossorigin' <script>s.

Source/core/fetch/ResourceFetcher.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 514 matching lines @@
     // folks block insecure content with a CSP policy, they don't get a warning.
     // They'll still get a warning in the console about CSP blocking the load.
 
     // FIXME: Should we consider forPreload here?
     if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment))
         return false;
 
     return true;
 }
 
-bool ResourceFetcher::canAccess(Resource* resource)
+bool ResourceFetcher::canAccess(Resource* resource, bool isPotentiallyCORSEnabled)
 {
     // Redirects can change the response URL different from one of request.
     if (!canRequest(resource->type(), resource->response().url(), resource->options(), false))
         return false;
 
     String error;
     switch (resource->type()) {
     case Resource::Script:
     case Resource::ImportResource:
-        if (resource->options().requestOriginPolicy == PotentiallyCrossOriginEnabled
+        if (isPotentiallyCORSEnabled

[abarth-chromium, 2013/11/14 16:34:48]

What's the reason for this part of the change?  What's wrong with looking at the
resource's options?  Is the issue that a single resource might be requested with
different options?  If so, does that mean we need to rip requestOriginPolicy out
of the options struct?

[sof, 2013/11/14 17:12:03]

Yes, that's why. See the test
LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-2.html
for an example.

There are two remaining uses of requestOriginPolicy - style resource loading +
XSLT. I didn't investigate if removal was possible, but it struck my mind as a
desirable outcome of this change. (I could certainly investigate separately.)

             && !m_document->securityOrigin()->canRequest(resource->response().url())
             && !resource->passesAccessControlCheck(m_document->securityOrigin(), error)) {
             if (frame() && frame()->document())
                 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(resource->response().url())->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + error);
             return false;
         }
 
         break;
     default:
         ASSERT_NOT_REACHED(); // FIXME: generalize to non-script resources
@@ skipping 771 matching lines @@
 }
 #endif
 
 const ResourceLoaderOptions& ResourceFetcher::defaultResourceOptions()
 {
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, UseDefaultOriginRestrictionsForType, DocumentContext));
     return options;
 }
 
 }