OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 24 matching lines...) Expand all Loading... | |
35 #include "core/dom/ScriptRunner.h" | 35 #include "core/dom/ScriptRunner.h" |
36 #include "core/dom/ScriptableDocumentParser.h" | 36 #include "core/dom/ScriptableDocumentParser.h" |
37 #include "core/dom/Text.h" | 37 #include "core/dom/Text.h" |
38 #include "core/fetch/FetchRequest.h" | 38 #include "core/fetch/FetchRequest.h" |
39 #include "core/fetch/ResourceFetcher.h" | 39 #include "core/fetch/ResourceFetcher.h" |
40 #include "core/fetch/ScriptResource.h" | 40 #include "core/fetch/ScriptResource.h" |
41 #include "core/html/HTMLScriptElement.h" | 41 #include "core/html/HTMLScriptElement.h" |
42 #include "core/html/imports/HTMLImport.h" | 42 #include "core/html/imports/HTMLImport.h" |
43 #include "core/html/parser/HTMLParserIdioms.h" | 43 #include "core/html/parser/HTMLParserIdioms.h" |
44 #include "core/frame/LocalFrame.h" | 44 #include "core/frame/LocalFrame.h" |
45 #include "core/frame/SubresourceIntegrity.h" | |
45 #include "core/frame/csp/ContentSecurityPolicy.h" | 46 #include "core/frame/csp/ContentSecurityPolicy.h" |
46 #include "core/inspector/ConsoleMessage.h" | 47 #include "core/inspector/ConsoleMessage.h" |
47 #include "core/svg/SVGScriptElement.h" | 48 #include "core/svg/SVGScriptElement.h" |
48 #include "platform/MIMETypeRegistry.h" | 49 #include "platform/MIMETypeRegistry.h" |
49 #include "platform/weborigin/SecurityOrigin.h" | 50 #include "platform/weborigin/SecurityOrigin.h" |
50 #include "wtf/StdLibExtras.h" | 51 #include "wtf/StdLibExtras.h" |
51 #include "wtf/text/StringBuilder.h" | 52 #include "wtf/text/StringBuilder.h" |
52 #include "wtf/text/StringHash.h" | 53 #include "wtf/text/StringHash.h" |
53 | 54 |
54 namespace blink { | 55 namespace blink { |
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
311 | 312 |
312 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber))) | 313 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber))) |
313 return; | 314 return; |
314 | 315 |
315 if (m_isExternalScript) { | 316 if (m_isExternalScript) { |
316 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); | 317 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); |
317 if (resource && !resource->mimeTypeAllowedByNosniff()) { | 318 if (resource && !resource->mimeTypeAllowedByNosniff()) { |
318 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); | 319 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
319 return; | 320 return; |
320 } | 321 } |
322 | |
323 // TODO(jww): If insecureOriginMsg is not empty after the check, Blink | |
324 // should send a console message. | |
325 String insecureOriginMsg = ""; | |
326 RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(s ourceCode.resource()->url()); | |
327 if (resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecu reOriginMsg) && m_element->document().securityOrigin()->canAccessFeatureRequirin gSecureOrigin(insecureOriginMsg) && m_element->fastHasAttribute(HTMLNames::integ rityAttr) && !SubresourceIntegrity::CheckSubresourceIntegrity(sourceCode.source( ), m_element->fastGetAttribute(HTMLNames::integrityAttr))) | |
Mike West
2014/09/13 03:44:31
0. This needs to be gated on the runtime flag that
jww
2014/09/15 21:20:16
Done.
| |
328 return; | |
329 | |
321 } | 330 } |
322 | 331 |
323 // FIXME: Can this be moved earlier in the function? | 332 // FIXME: Can this be moved earlier in the function? |
324 // Why are we ever attempting to execute scripts without a frame? | 333 // Why are we ever attempting to execute scripts without a frame? |
325 if (!frame) | 334 if (!frame) |
326 return; | 335 return; |
327 | 336 |
328 const bool isImportedScript = contextDocument != elementDocument; | 337 const bool isImportedScript = contextDocument != elementDocument; |
329 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 | 338 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 |
330 // with additional support for HTML imports. | 339 // with additional support for HTML imports. |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
442 if (isHTMLScriptLoader(element)) | 451 if (isHTMLScriptLoader(element)) |
443 return toHTMLScriptElement(element)->loader(); | 452 return toHTMLScriptElement(element)->loader(); |
444 | 453 |
445 if (isSVGScriptLoader(element)) | 454 if (isSVGScriptLoader(element)) |
446 return toSVGScriptElement(element)->loader(); | 455 return toSVGScriptElement(element)->loader(); |
447 | 456 |
448 return 0; | 457 return 0; |
449 } | 458 } |
450 | 459 |
451 } | 460 } |
OLD | NEW |