Implementation of subresource integrity attribute for secure origins.

Source/core/dom/ScriptLoader.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
@@ skipping 24 matching lines @@
 #include "core/dom/ScriptRunner.h"
 #include "core/dom/ScriptableDocumentParser.h"
 #include "core/dom/Text.h"
 #include "core/fetch/FetchRequest.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/fetch/ScriptResource.h"
 #include "core/html/HTMLScriptElement.h"
 #include "core/html/imports/HTMLImport.h"
 #include "core/html/parser/HTMLParserIdioms.h"
 #include "core/frame/LocalFrame.h"
+#include "core/frame/SubresourceIntegrity.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/svg/SVGScriptElement.h"
 #include "platform/MIMETypeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "wtf/StdLibExtras.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringHash.h"
 
 namespace blink {
@@ skipping 256 matching lines @@
 
     if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_startLineNumber)))
         return;
 
     if (m_isExternalScript) {
         ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource();
         if (resource && !resource->mimeTypeAllowedByNosniff()) {
             contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
             return;
         }
+
+        // TODO(jww): If insecureOriginMsg is not empty after the check, Blink
+        // should send a console message.
+        String insecureOriginMsg = "";
+        RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(sourceCode.resource()->url());
+        if (resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->document().securityOrigin()->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->fastHasAttribute(HTMLNames::integrityAttr) && !SubresourceIntegrity::CheckSubresourceIntegrity(sourceCode.source(), m_element->fastGetAttribute(HTMLNames::integrityAttr)))

[Mike West, 2014/09/13 03:44:31]

0. This needs to be gated on the runtime flag that I think I introduced way back
when I added the attribute definition.

1. Since we're going to have to do something vaguely like this for all the
elements that support integrity attributes, I think it would be good to hide
this complexity inside the CheckSubresourceIntegrity check. You could, for
example, pass in a reference to the element and do all the checks internally.

2. I don't think the second 'canAccessFeatureRequiringSecureOrigin' is correct
(also, we should rename that method to match the MIX 'authenticated origin'
terminology). You're totally right to verify that the origin in which the
element exists is authenticated, but I think you only need to check
'SecurityOrigin::isSecure' for the resource URL.

3. Please do the integrity attribute check first; there's no point in doing the
secure origin checks if there's no integrity attribute.

4. Consider splitting this up into multiple lines? :)

5. Metrics: we should measure the number of elements with integrity attributes,
and the number of passes/failures. And anything else that seems interesting.

[jww, 2014/09/15 21:20:16]

Done.
Good call. Done.
Hm, I think I see your point, but I still think we should stick with
canAccessFeatureRequiringSecureOrigin. It effectively acts as a superset of
isSecure because it also allows connections to local resources, either via the
file:// protocol or an http:// localhost URL. I spoke to palmer, and he's okay
with allowing integrity for those resources since it might be useful for
testing. Let me know if you disagree.

As for the terminology, I agree we should change it, but I think we should do it
in a separate CL, otherwise this one is going to touch a bunch of unrelated
code.
Done.
Done.
I'll start with the two basic metrics you mentioned, and we can add any more
that we come up with.

+            return;
+
     }
 
     // FIXME: Can this be moved earlier in the function?
     // Why are we ever attempting to execute scripts without a frame?
     if (!frame)
         return;
 
     const bool isImportedScript = contextDocument != elementDocument;
     // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block step 2.3
     // with additional support for HTML imports.
@@ skipping 111 matching lines @@
     if (isHTMLScriptLoader(element))
         return toHTMLScriptElement(element)->loader();
 
     if (isSVGScriptLoader(element))
         return toSVGScriptElement(element)->loader();
 
     return 0;
 }
 
 }