OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
7 * | 7 * |
8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
(...skipping 24 matching lines...) Expand all Loading... | |
35 #include "core/dom/ScriptRunner.h" | 35 #include "core/dom/ScriptRunner.h" |
36 #include "core/dom/ScriptableDocumentParser.h" | 36 #include "core/dom/ScriptableDocumentParser.h" |
37 #include "core/dom/Text.h" | 37 #include "core/dom/Text.h" |
38 #include "core/fetch/FetchRequest.h" | 38 #include "core/fetch/FetchRequest.h" |
39 #include "core/fetch/ResourceFetcher.h" | 39 #include "core/fetch/ResourceFetcher.h" |
40 #include "core/fetch/ScriptResource.h" | 40 #include "core/fetch/ScriptResource.h" |
41 #include "core/html/HTMLScriptElement.h" | 41 #include "core/html/HTMLScriptElement.h" |
42 #include "core/html/imports/HTMLImport.h" | 42 #include "core/html/imports/HTMLImport.h" |
43 #include "core/html/parser/HTMLParserIdioms.h" | 43 #include "core/html/parser/HTMLParserIdioms.h" |
44 #include "core/frame/LocalFrame.h" | 44 #include "core/frame/LocalFrame.h" |
45 #include "core/frame/SubresourceIntegrity.h" | |
45 #include "core/frame/csp/ContentSecurityPolicy.h" | 46 #include "core/frame/csp/ContentSecurityPolicy.h" |
46 #include "core/inspector/ConsoleMessage.h" | 47 #include "core/inspector/ConsoleMessage.h" |
47 #include "core/svg/SVGScriptElement.h" | 48 #include "core/svg/SVGScriptElement.h" |
48 #include "platform/MIMETypeRegistry.h" | 49 #include "platform/MIMETypeRegistry.h" |
49 #include "platform/weborigin/SecurityOrigin.h" | 50 #include "platform/weborigin/SecurityOrigin.h" |
50 #include "wtf/StdLibExtras.h" | 51 #include "wtf/StdLibExtras.h" |
51 #include "wtf/text/StringBuilder.h" | 52 #include "wtf/text/StringBuilder.h" |
52 #include "wtf/text/StringHash.h" | 53 #include "wtf/text/StringHash.h" |
53 | 54 |
54 namespace blink { | 55 namespace blink { |
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
311 | 312 |
312 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber))) | 313 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber))) |
313 return; | 314 return; |
314 | 315 |
315 if (m_isExternalScript) { | 316 if (m_isExternalScript) { |
316 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); | 317 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); |
317 if (resource && !resource->mimeTypeAllowedByNosniff()) { | 318 if (resource && !resource->mimeTypeAllowedByNosniff()) { |
318 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); | 319 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
319 return; | 320 return; |
320 } | 321 } |
322 | |
323 // TODO(jww): On failure, SRI should probably provide an error message f or the console. | |
Mike West
2014/09/16 06:45:03
nit: Blink style is '// FIXME:'. Rather than taggi
jww
2014/09/16 22:34:49
Done.
| |
324 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url())) | |
Mike West
2014/09/16 06:45:03
Perhaps this could be simplified by just passing i
jww
2014/09/16 22:34:49
My thought is that we're going to do this for Styl
| |
325 return; | |
321 } | 326 } |
322 | 327 |
323 // FIXME: Can this be moved earlier in the function? | 328 // FIXME: Can this be moved earlier in the function? |
324 // Why are we ever attempting to execute scripts without a frame? | 329 // Why are we ever attempting to execute scripts without a frame? |
325 if (!frame) | 330 if (!frame) |
326 return; | 331 return; |
327 | 332 |
328 const bool isImportedScript = contextDocument != elementDocument; | 333 const bool isImportedScript = contextDocument != elementDocument; |
329 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 | 334 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 |
330 // with additional support for HTML imports. | 335 // with additional support for HTML imports. |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
442 if (isHTMLScriptLoader(element)) | 447 if (isHTMLScriptLoader(element)) |
443 return toHTMLScriptElement(element)->loader(); | 448 return toHTMLScriptElement(element)->loader(); |
444 | 449 |
445 if (isSVGScriptLoader(element)) | 450 if (isSVGScriptLoader(element)) |
446 return toSVGScriptElement(element)->loader(); | 451 return toSVGScriptElement(element)->loader(); |
447 | 452 |
448 return 0; | 453 return 0; |
449 } | 454 } |
450 | 455 |
451 } | 456 } |
OLD | NEW |