Implementation of subresource integrity attribute for secure origins.

Source/core/dom/ScriptLoader.cpp

Index: Source/core/dom/ScriptLoader.cpp
diff --git a/Source/core/dom/ScriptLoader.cpp b/Source/core/dom/ScriptLoader.cpp
index f69e0e63d362e4750b5f16bbce060813de6b7058..101eecd83f963467c77ea0fc3d5a0f7a50f8a5d9 100644
--- a/Source/core/dom/ScriptLoader.cpp
+++ b/Source/core/dom/ScriptLoader.cpp
@@ -42,6 +42,7 @@
 #include "core/html/imports/HTMLImport.h"
 #include "core/html/parser/HTMLParserIdioms.h"
 #include "core/frame/LocalFrame.h"
+#include "core/frame/SubresourceIntegrity.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/svg/SVGScriptElement.h"
@@ -318,6 +319,14 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
             contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
             return;
         }
+
+        // TODO(jww): If insecureOriginMsg is not empty after the check, Blink
+        // should send a console message.
+        String insecureOriginMsg = "";
+        RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(sourceCode.resource()->url());
+        if (resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->document().securityOrigin()->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg) && m_element->fastHasAttribute(HTMLNames::integrityAttr) && !SubresourceIntegrity::CheckSubresourceIntegrity(sourceCode.source(), m_element->fastGetAttribute(HTMLNames::integrityAttr)))

[Mike West, 2014/09/13 03:44:31]

0. This needs to be gated on the runtime flag that I think I introduced way back
when I added the attribute definition.

1. Since we're going to have to do something vaguely like this for all the
elements that support integrity attributes, I think it would be good to hide
this complexity inside the CheckSubresourceIntegrity check. You could, for
example, pass in a reference to the element and do all the checks internally.

2. I don't think the second 'canAccessFeatureRequiringSecureOrigin' is correct
(also, we should rename that method to match the MIX 'authenticated origin'
terminology). You're totally right to verify that the origin in which the
element exists is authenticated, but I think you only need to check
'SecurityOrigin::isSecure' for the resource URL.

3. Please do the integrity attribute check first; there's no point in doing the
secure origin checks if there's no integrity attribute.

4. Consider splitting this up into multiple lines? :)

5. Metrics: we should measure the number of elements with integrity attributes,
and the number of passes/failures. And anything else that seems interesting.

[jww, 2014/09/15 21:20:16]

Done.
Good call. Done.
Hm, I think I see your point, but I still think we should stick with
canAccessFeatureRequiringSecureOrigin. It effectively acts as a superset of
isSecure because it also allows connections to local resources, either via the
file:// protocol or an http:// localhost URL. I spoke to palmer, and he's okay
with allowing integrity for those resources since it might be useful for
testing. Let me know if you disagree.

As for the terminology, I agree we should change it, but I think we should do it
in a separate CL, otherwise this one is going to touch a bunch of unrelated
code.
Done.
Done.
I'll start with the two basic metrics you mentioned, and we can add any more
that we come up with.

+            return;
+
     }
 
     // FIXME: Can this be moved earlier in the function?