
Side by Side Diff: Source/core/html/HTMLLinkElement.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 10 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2009 Rob Buis (rwlbuis@gmail.com) 6 * Copyright (C) 2009 Rob Buis (rwlbuis@gmail.com)
7 * Copyright (C) 2011 Google Inc. All rights reserved. 7 * Copyright (C) 2011 Google Inc. All rights reserved.
8 * 8 *
9 * This library is free software; you can redistribute it and/or 9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Library General Public 10 * modify it under the terms of the GNU Library General Public
(...skipping 491 matching lines...)
502 return m_owner->document(); 502 return m_owner->document();
503 } 503 }
504 504
505 void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CSSStyleSheetResource* cachedStyleSheet) 505 void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CSSStyleSheetResource* cachedStyleSheet)
506 { 506 {
507 if (!m_owner->inDocument()) { 507 if (!m_owner->inDocument()) {
508 ASSERT(!m_sheet); 508 ASSERT(!m_sheet);
509 return; 509 return;
510 } 510 }
511 511
512 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_owner, cachedStyleSh eet->sheetText(), KURL(KURL(), href), cachedStyleSheet->mimeType())) { 512 if (cachedStyleSheet->isCORSNeededAndFailed() && m_owner->fastHasAttribute(H TMLNames::integrityAttr)) {
513 m_loading = false; 513 document().addConsoleMessage(ConsoleMessage::create(SecurityMessageSourc e, ErrorMessageLevel, "Cannot enforce integrity on non-CORS enabled resource.")) ;
Mike West 2015/02/26 08:44:53 Same question as I had with script: should we just
jww 2015/03/06 02:16:42 Agreed as per my response in ScriptLoader.cpp. Fix
514 removePendingSheet(); 514 } else {
515 notifyLoadedSheetAndAllCriticalSubresources(true); 515 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_owner, cachedSty leSheet->sheetText(), KURL(KURL(), href), cachedStyleSheet->mimeType())) {
516 return; 516 m_loading = false;
517 removePendingSheet();
518 notifyLoadedSheetAndAllCriticalSubresources(true);
519 return;
520 }
517 } 521 }
518 522
519 // Completing the sheet load may cause scripts to execute. 523 // Completing the sheet load may cause scripts to execute.
520 RefPtrWillBeRawPtr<Node> protector(m_owner.get()); 524 RefPtrWillBeRawPtr<Node> protector(m_owner.get());
521 525
522 CSSParserContext parserContext(m_owner->document(), 0, baseURL, charset); 526 CSSParserContext parserContext(m_owner->document(), 0, baseURL, charset);
523 527
524 if (RefPtrWillBeRawPtr<StyleSheetContents> restoredSheet = const_cast<CSSSty leSheetResource*>(cachedStyleSheet)->restoreParsedStyleSheet(parserContext)) { 528 if (RefPtrWillBeRawPtr<StyleSheetContents> restoredSheet = const_cast<CSSSty leSheetResource*>(cachedStyleSheet)->restoreParsedStyleSheet(parserContext)) {
525 ASSERT(restoredSheet->isCacheable()); 529 ASSERT(restoredSheet->isCacheable());
526 ASSERT(!restoredSheet->isLoading()); 530 ASSERT(!restoredSheet->isLoading());
(...skipping 225 matching lines...)
752 removePendingSheet(); 756 removePendingSheet();
753 } 757 }
754 758
755 DEFINE_TRACE(LinkStyle) 759 DEFINE_TRACE(LinkStyle)
756 { 760 {
757 visitor->trace(m_sheet); 761 visitor->trace(m_sheet);
758 LinkResource::trace(visitor); 762 LinkResource::trace(visitor);
759 } 763 }
760 764
761 } // namespace blink 765 } // namespace blink
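Review bot: The new guard at new line 512 skips the integrity check only when `cachedStyleSheet->isCORSNeededAndFailed()` is true, and that helper is defined outside this file, so it is not visible here whether a cross-origin stylesheet requested without CORS mode also takes this branch. If it does not, the `else` path would still run `CheckSubresourceIntegrity` over content the page is not allowed to read, which is what the issue title sets out to prevent; a layout test for a cross-origin `<link>` with `integrity` but no `crossorigin` attribute would pin this down. Separately, `fastHasAttribute(HTMLNames::integrityAttr)` is also true for an empty attribute, so the console error may fire when there is nothing to enforce; `!m_owner->fastGetAttribute(HTMLNames::integrityAttr).isEmpty()` would avoid that. The nested `else { if (...) {` at new lines 514-515 can be written as a single `else if (...)` so the failure body keeps its original indentation. The body of setCSSStyleSheet continues past the lines shown here.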
OLDNEW