Index: Source/core/dom/ScriptLoader.cpp |
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp |
index 69e0c6555209801044ea05c7cad837ee80c5a82f..4a8695a3ea75a222552de621db50db6ecdf14661 100644 |
--- a/Source/core/dom/ScriptLoader.cpp |
+++ b/Source/core/dom/ScriptLoader.cpp |
@@ -241,7 +241,9 @@ bool ScriptLoader::prepareScript(const TextPosition& scriptStartPosition, Legacy |
// Reset line numbering for nested writes. |
TextPosition position = elementDocument.isInDocumentWrite() ? TextPosition() : scriptStartPosition; |
KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInserted) ? elementDocument.url() : KURL(); |
- executeScript(ScriptSourceCode(scriptContent(), scriptURL, position)); |
+ ScriptSourceCode sourceCode(scriptContent(), scriptURL, position); |
+ |
+ executePotentiallyCrossOriginScript(sourceCode); |
} |
return true; |
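Review bot: The call added in prepareScript discards the bool returned by executePotentiallyCrossOriginScript. The ScriptSourceCode built here from scriptContent() presumably carries no resource, so the CORS branch cannot reject it and ignoring the result looks harmless, but nothing at the call site says so. I would add a comment such as `// Inline script: no resource, so no CORS check applies and the result is always true.`, or keep the direct `executeScript(sourceCode);` on the inline path. prepareScript starts and ends outside this hunk.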
@@ -276,9 +278,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl) |
m_isExternalScript = true; |
} |
- if (m_resource) { |
+ if (m_resource) |
return true; |
- } |
dispatchErrorEvent(); |
return false; |
@@ -362,6 +363,31 @@ void ScriptLoader::execute(ScriptResource* resource) |
resource->removeClient(this); |
} |
+bool ScriptLoader::executePotentiallyCrossOriginScript(const ScriptSourceCode& sourceCode) |
+{ |
+ RefPtr<Document> elementDocument(m_element->document()); |
+ RefPtr<Document> contextDocument = elementDocument->contextDocument().get(); |
+ if (!contextDocument) |
+ return true; |
+ |
+ if (sourceCode.resource() |
+ && !m_element->fastGetAttribute(HTMLNames::crossoriginAttr).isNull() |
Mike West
2013/10/29 11:00:53
Another script could alter the value while the scr
sof
2013/10/29 12:04:42
Let's do that; I found the spec text not 100% clea
|
+ && !elementDocument->securityOrigin()->canRequest(sourceCode.resource()->url())) { |
+ String errorDescription; |
+ if (!sourceCode.resource()->passesAccessControlCheck(elementDocument->securityOrigin(), errorDescription)) { |
+ reportCrossOriginFailure(contextDocument.get(), sourceCode.resource()->url(), errorDescription); |
+ return false; |
+ } |
+ } |
+ executeScript(sourceCode); |
+ return true; |
+} |
+ |
+void ScriptLoader::reportCrossOriginFailure(Document* document, const KURL& originUrl, const String& errorDescription) |
+{ |
+ document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(originUrl)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription); |
+} |
+ |
void ScriptLoader::notifyFinished(Resource* resource) |
{ |
ASSERT(!m_willBeParserExecuted); |
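Review bot: The same-origin shortcut in executePotentiallyCrossOriginScript tests `canRequest(sourceCode.resource()->url())`, and if Resource::url() is the originally requested URL rather than the URL of the final response, a same-origin URL that redirects to another origin would skip passesAccessControlCheck and run unchecked. Consider testing the response URL instead, e.g. `canRequest(sourceCode.resource()->response().url())`, and passing that same URL to reportCrossOriginFailure so the console message names the origin that actually served the script. Separately, the early `return true` when contextDocument is null reports success although nothing was executed; a comment such as `// No context document: nothing to execute, and not a CORS failure.` would make the return contract clear to callers. notifyFinished at the end of the hunk continues outside it.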