Chromium Code Reviews Chromium Code Reviews
Issue 954233003:
Enable SRI only for same origin and CORS content. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. | 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. |
| 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> | 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 333 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 344 if (resource && !resource->mimeTypeAllowedByNosniff()) { | 344 if (resource && !resource->mimeTypeAllowedByNosniff()) { |
| 345 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); | 345 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); |
| 346 return; | 346 return; |
| 347 } | 347 } |
| 348 | 348 |
| 349 if (resource && resource->mimeType().lower().startsWith("image/")) { | 349 if (resource && resource->mimeType().lower().startsWith("image/")) { |
| 350 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); | 350 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); |
| 351 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); | 351 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); |
| 352 return; | 352 return; |
| 353 } | 353 } |
| 354 | |
| 355 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url(), sourceCode.resource()->mimeType())) | |
| 356 return; | |
| 357 } | 354 } |
| 358 | 355 |
| 359 // FIXME: Can this be moved earlier in the function? | 356 // FIXME: Can this be moved earlier in the function? |
| 360 // Why are we ever attempting to execute scripts without a frame? | 357 // Why are we ever attempting to execute scripts without a frame? |
| 361 if (!frame) | 358 if (!frame) |
| 362 return; | 359 return; |
| 363 | 360 |
| 364 const bool isImportedScript = contextDocument != elementDocument; | 361 const bool isImportedScript = contextDocument != elementDocument; |
| 365 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 | 362 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 |
| 366 // with additional support for HTML imports. | 363 // with additional support for HTML imports. |
| 367 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncremente r(m_isExternalScript || isImportedScript ? contextDocument.get() : 0); | 364 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncremente r(m_isExternalScript || isImportedScript ? contextDocument.get() : 0); |
| 368 | 365 |
| 369 if (isHTMLScriptLoader(m_element)) | 366 if (isHTMLScriptLoader(m_element)) |
| 370 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element)); | 367 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element)); |
| 371 | 368 |
| 372 AccessControlStatus corsCheck = NotSharableCrossOrigin; | 369 AccessControlStatus corsCheck = NotSharableCrossOrigin; |
| 373 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()-> passesAccessControlCheck(&m_element->document(), m_element->document().securityO rigin()))) | 370 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()-> passesAccessControlCheck(&m_element->document(), m_element->document().securityO rigin()))) |
| 374 corsCheck = SharableCrossOrigin; | 371 corsCheck = SharableCrossOrigin; |
| 375 | 372 |
| 373 if (m_isExternalScript) { | |
| 374 bool canRequest = m_element->document().securityOrigin()->canRequest(sou rceCode.resource()->resourceRequest().url()); | |
| 375 if (!canRequest && corsCheck == NotSharableCrossOrigin && m_element->fas tHasAttribute(HTMLNames::integrityAttr)) { | |
| 376 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Cannot enforce integrity on non-CORS enabled re source.")); | |
|
Mike West
2015/02/26 08:44:52
So we continue loading the resource if the CORS ch
jww
2015/03/06 02:16:42
You're right, I misread the algorithm (as you poin
| |
| 377 } else if ((canRequest || corsCheck == SharableCrossOrigin) && !Subresou rceIntegrity::CheckSubresourceIntegrity(*m_element, sourceCode.source(), sourceC ode.resource()->url(), sourceCode.resource()->mimeType())) { | |
| 378 return; | |
| 379 } | |
| 380 } | |
| 381 | |
| 376 // Create a script from the script element node, using the script | 382 // Create a script from the script element node, using the script |
| 377 // block's source and the script block's type. | 383 // block's source and the script block's type. |
| 378 // Note: This is where the script is compiled and actually executed. | 384 // Note: This is where the script is compiled and actually executed. |
| 379 frame->script().executeScriptInMainWorld(sourceCode, corsCheck, compilationF inishTime); | 385 frame->script().executeScriptInMainWorld(sourceCode, corsCheck, compilationF inishTime); |
| 380 | 386 |
| 381 if (isHTMLScriptLoader(m_element)) { | 387 if (isHTMLScriptLoader(m_element)) { |
| 382 ASSERT(contextDocument->currentScript() == m_element); | 388 ASSERT(contextDocument->currentScript() == m_element); |
| 383 contextDocument->popCurrentScript(); | 389 contextDocument->popCurrentScript(); |
| 384 } | 390 } |
| 385 } | 391 } |
| (...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 474 if (isHTMLScriptLoader(element)) | 480 if (isHTMLScriptLoader(element)) |
| 475 return toHTMLScriptElement(element)->loader(); | 481 return toHTMLScriptElement(element)->loader(); |
| 476 | 482 |
| 477 if (isSVGScriptLoader(element)) | 483 if (isSVGScriptLoader(element)) |
| 478 return toSVGScriptElement(element)->loader(); | 484 return toSVGScriptElement(element)->loader(); |
| 479 | 485 |
| 480 return 0; | 486 return 0; |
| 481 } | 487 } |
| 482 | 488 |
| 483 } // namespace blink | 489 } // namespace blink |
| OLD | NEW |
