Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(79)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/SubresourceIntegrity.cpp

Issue 803773002: SRI: Remove the restriction to HTTPS documents and resources. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/SubresourceIntegrity.h" 6 #include "core/frame/SubresourceIntegrity.h"
7 7
8 #include "core/HTMLNames.h" 8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h" 9 #include "core/dom/Document.h"
10 #include "core/dom/Element.h" 10 #include "core/dom/Element.h"
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after
80 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl) 80 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl)
81 { 81 {
82 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled()) 82 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())
83 return true; 83 return true;
84 84
85 if (!element.fastHasAttribute(HTMLNames::integrityAttr)) 85 if (!element.fastHasAttribute(HTMLNames::integrityAttr))
86 return true; 86 return true;
87 87
88 Document& document = element.document(); 88 Document& document = element.document();
89 89
90 // Instead of just checking SecurityOrigin::isSecure on resourceUrl, this
91 // checks canAccessFeatureRequiringSecureOrigin so that file:// protocols
92 // and localhost resources can be allowed. These may be useful for testing
93 // and are allowed for features requiring authenticated origins, so Chrome
94 // allows them here.
95 String insecureOriginMsg = "";
96 RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(resou rceUrl);
97 if (!document.securityOrigin()->canAccessFeatureRequiringSecureOrigin(insecu reOriginMsg)) {
98 UseCounter::count(document, UseCounter::SRIElementWithIntegrityAttribute AndInsecureOrigin);
jww 2014/12/16 03:36:35 If this CL eventually lands, we should deprecate t
99 // FIXME: This console message should probably utilize
100 // inesecureOriginMsg to give a more helpful message to the user.
101 logErrorToConsole("The 'integrity' attribute may only be used in documen ts in secure origins.", document);
102 return false;
103 }
104 if (!resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecureO riginMsg)) {
105 UseCounter::count(document, UseCounter::SRIElementWithIntegrityAttribute AndInsecureResource);
106 logErrorToConsole("The 'integrity' attribute may only be used with resou rces on secure origins.", document);
107 return false;
108 }
109
110 String integrity; 90 String integrity;
111 HashAlgorithm algorithm; 91 HashAlgorithm algorithm;
112 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr); 92 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr);
113 if (!parseIntegrityAttribute(attribute, integrity, algorithm, document)) { 93 if (!parseIntegrityAttribute(attribute, integrity, algorithm, document)) {
114 // An error is logged to the console during parsing; we don't need to lo g one here. 94 // An error is logged to the console during parsing; we don't need to lo g one here.
115 UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrit yAttribute); 95 UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrit yAttribute);
116 return false; 96 return false;
117 } 97 }
118 98
119 Vector<char> hashVector; 99 Vector<char> hashVector;
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after
232 logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The digest must be a valid, base64-encoded value.", document); 212 logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The digest must be a valid, base64-encoded value.", document);
233 return false; 213 return false;
234 } 214 }
235 215
236 // FIXME: Parse params in order to get content type (e.g. "?ct=application/j avascript") 216 // FIXME: Parse params in order to get content type (e.g. "?ct=application/j avascript")
237 217
238 return true; 218 return true;
239 } 219 }
240 220
241 } // namespace blink 221 } // namespace blink
OLDNEW
« no previous file with comments | « no previous file | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698