Block execution of failed 'crossorigin' <script>s.

Source/core/dom/ScriptLoader.cpp

Index: Source/core/dom/ScriptLoader.cpp
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp
index 69e0c6555209801044ea05c7cad837ee80c5a82f..4a8695a3ea75a222552de621db50db6ecdf14661 100644
--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -241,7 +241,9 @@ bool ScriptLoader::prepareScript(const TextPosition& scriptStartPosition, Legacy
         // Reset line numbering for nested writes.
         TextPosition position = elementDocument.isInDocumentWrite() ? TextPosition() : scriptStartPosition;
         KURL scriptURL = (!elementDocument.isInDocumentWrite() && m_parserInserted) ? elementDocument.url() : KURL();
-        executeScript(ScriptSourceCode(scriptContent(), scriptURL, position));
+        ScriptSourceCode sourceCode(scriptContent(), scriptURL, position);
+
+        executePotentiallyCrossOriginScript(sourceCode);
     }
 
     return true;
@@ -276,9 +278,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl)
         m_isExternalScript = true;
     }
 
-    if (m_resource) {
+    if (m_resource)
         return true;
-    }
 
     dispatchErrorEvent();
     return false;
@@ -362,6 +363,31 @@ void ScriptLoader::execute(ScriptResource* resource)
     resource->removeClient(this);
 }
 
+bool ScriptLoader::executePotentiallyCrossOriginScript(const ScriptSourceCode& sourceCode)
+{
+    RefPtr<Document> elementDocument(m_element->document());
+    RefPtr<Document> contextDocument = elementDocument->contextDocument().get();
+    if (!contextDocument)
+        return true;
+
+    if (sourceCode.resource()
+        && !m_element->fastGetAttribute(HTMLNames::crossoriginAttr).isNull()

[Mike West, 2013/10/29 11:00:53]

Another script could alter the value while the script is loading, so this check
comes too late.

Perhaps we could store that cached value on the ScriptSourceCode object instead
of reading it from the DOM here? We check the crossorigin status of the script
when generating the request in ScriptLoader::fetchScript, and pass it through
the fetcher on the Request object. I believe it should therefore already be
available in the ScriptSourceCode constructor.

[sof, 2013/10/29 12:04:42]

Let's do that; I found the spec text not 100% clear about when you should sample
the state of the content attribute wrt performing the resource sharing check,
but doing it this way does reduce non-determinism.

+        && !elementDocument->securityOrigin()->canRequest(sourceCode.resource()->url())) {
+        String errorDescription;
+        if (!sourceCode.resource()->passesAccessControlCheck(elementDocument->securityOrigin(), errorDescription)) {
+            reportCrossOriginFailure(contextDocument.get(), sourceCode.resource()->url(), errorDescription);
+            return false;
+        }
+    }
+    executeScript(sourceCode);
+    return true;
+}
+
+void ScriptLoader::reportCrossOriginFailure(Document* document, const KURL& originUrl, const String& errorDescription)
+{
+    document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Script from origin '" + SecurityOrigin::create(originUrl)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
+}
+
 void ScriptLoader::notifyFinished(Resource* resource)
 {
     ASSERT(!m_willBeParserExecuted);