Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(278)

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 566083003: Implementation of subresource integrity attribute for secure origins. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Many improvements, closer to standard Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 24 matching lines...) Expand all
35 #include "core/dom/ScriptRunner.h" 35 #include "core/dom/ScriptRunner.h"
36 #include "core/dom/ScriptableDocumentParser.h" 36 #include "core/dom/ScriptableDocumentParser.h"
37 #include "core/dom/Text.h" 37 #include "core/dom/Text.h"
38 #include "core/fetch/FetchRequest.h" 38 #include "core/fetch/FetchRequest.h"
39 #include "core/fetch/ResourceFetcher.h" 39 #include "core/fetch/ResourceFetcher.h"
40 #include "core/fetch/ScriptResource.h" 40 #include "core/fetch/ScriptResource.h"
41 #include "core/html/HTMLScriptElement.h" 41 #include "core/html/HTMLScriptElement.h"
42 #include "core/html/imports/HTMLImport.h" 42 #include "core/html/imports/HTMLImport.h"
43 #include "core/html/parser/HTMLParserIdioms.h" 43 #include "core/html/parser/HTMLParserIdioms.h"
44 #include "core/frame/LocalFrame.h" 44 #include "core/frame/LocalFrame.h"
45 #include "core/frame/SubresourceIntegrity.h"
45 #include "core/frame/csp/ContentSecurityPolicy.h" 46 #include "core/frame/csp/ContentSecurityPolicy.h"
46 #include "core/inspector/ConsoleMessage.h" 47 #include "core/inspector/ConsoleMessage.h"
47 #include "core/svg/SVGScriptElement.h" 48 #include "core/svg/SVGScriptElement.h"
48 #include "platform/MIMETypeRegistry.h" 49 #include "platform/MIMETypeRegistry.h"
49 #include "platform/weborigin/SecurityOrigin.h" 50 #include "platform/weborigin/SecurityOrigin.h"
50 #include "wtf/StdLibExtras.h" 51 #include "wtf/StdLibExtras.h"
51 #include "wtf/text/StringBuilder.h" 52 #include "wtf/text/StringBuilder.h"
52 #include "wtf/text/StringHash.h" 53 #include "wtf/text/StringHash.h"
53 54
54 namespace blink { 55 namespace blink {
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after
311 312
312 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber))) 313 if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineSc ript(elementDocument->url(), m_startLineNumber)))
313 return; 314 return;
314 315
315 if (m_isExternalScript) { 316 if (m_isExternalScript) {
316 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source(); 317 ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.re source();
317 if (resource && !resource->mimeTypeAllowedByNosniff()) { 318 if (resource && !resource->mimeTypeAllowedByNosniff()) {
318 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); 319 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
319 return; 320 return;
320 } 321 }
322
323 // TODO(jww): On failure, SRI should probably provide an error message f or the console.
Mike West 2014/09/16 06:45:03 nit: Blink style is '// FIXME:'. Rather than taggi
jww 2014/09/16 22:34:49 Done.
324 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url()))
Mike West 2014/09/16 06:45:03 Perhaps this could be simplified by just passing i
jww 2014/09/16 22:34:49 My thought is that we're going to do this for Styl
325 return;
321 } 326 }
322 327
323 // FIXME: Can this be moved earlier in the function? 328 // FIXME: Can this be moved earlier in the function?
324 // Why are we ever attempting to execute scripts without a frame? 329 // Why are we ever attempting to execute scripts without a frame?
325 if (!frame) 330 if (!frame)
326 return; 331 return;
327 332
328 const bool isImportedScript = contextDocument != elementDocument; 333 const bool isImportedScript = contextDocument != elementDocument;
329 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 334 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3
330 // with additional support for HTML imports. 335 // with additional support for HTML imports.
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after
442 if (isHTMLScriptLoader(element)) 447 if (isHTMLScriptLoader(element))
443 return toHTMLScriptElement(element)->loader(); 448 return toHTMLScriptElement(element)->loader();
444 449
445 if (isSVGScriptLoader(element)) 450 if (isSVGScriptLoader(element))
446 return toSVGScriptElement(element)->loader(); 451 return toSVGScriptElement(element)->loader();
447 452
448 return 0; 453 return 0;
449 } 454 }
450 455
451 } 456 }
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698