Index: Source/core/dom/ScriptLoader.cpp |
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp |
index f69e0e63d362e4750b5f16bbce060813de6b7058..101eecd83f963467c77ea0fc3d5a0f7a50f8a5d9 100644 |
--- a/Source/core/dom/ScriptLoader.cpp |
+++ b/Source/core/dom/ScriptLoader.cpp |
@@ -42,6 +42,7 @@ |
#include "core/html/imports/HTMLImport.h" |
#include "core/html/parser/HTMLParserIdioms.h" |
#include "core/frame/LocalFrame.h" |
+#include "core/frame/SubresourceIntegrity.h" |
#include "core/frame/csp/ContentSecurityPolicy.h" |
#include "core/inspector/ConsoleMessage.h" |
#include "core/svg/SVGScriptElement.h" |
@@ -318,6 +319,14 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode) |
contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
return; |
} |
+ |
+ // TODO(jww): If insecureOriginMsg is not empty after the check, Blink |
+ // should send a console message. |
+ String insecureOriginMsg = ""; |
+ RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(sourceCode.resource()->url()); |
+ if (resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->document().securityOrigin()->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->fastHasAttribute(HTMLNames::integrityAttr) && !SubresourceIntegrity::CheckSubresourceIntegrity(sourceCode.source(), m_element->fastGetAttribute(HTMLNames::integrityAttr))) |
Mike West
2014/09/13 03:44:31
0. This needs to be gated on the runtime flag that
jww
2014/09/15 21:20:16
Done.
|
+ return; |
+ |
} |
// FIXME: Can this be moved earlier in the function? |