Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(783)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/SubresourceIntegrity.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fixed test failures Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « Source/core/frame/SubresourceIntegrity.h ('k') | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/SubresourceIntegrity.h" 6 #include "core/frame/SubresourceIntegrity.h"
7 7
8 #include "core/HTMLNames.h" 8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h" 9 #include "core/dom/Document.h"
10 #include "core/dom/Element.h" 10 #include "core/dom/Element.h"
11 #include "core/fetch/Resource.h"
11 #include "core/frame/ConsoleTypes.h" 12 #include "core/frame/ConsoleTypes.h"
12 #include "core/frame/UseCounter.h" 13 #include "core/frame/UseCounter.h"
13 #include "core/inspector/ConsoleMessage.h" 14 #include "core/inspector/ConsoleMessage.h"
14 #include "platform/Crypto.h" 15 #include "platform/Crypto.h"
15 #include "platform/ParsingUtilities.h" 16 #include "platform/ParsingUtilities.h"
16 #include "platform/RuntimeEnabledFeatures.h" 17 #include "platform/RuntimeEnabledFeatures.h"
17 #include "platform/weborigin/KURL.h" 18 #include "platform/weborigin/KURL.h"
18 #include "platform/weborigin/SecurityOrigin.h" 19 #include "platform/weborigin/SecurityOrigin.h"
19 #include "public/platform/WebCrypto.h" 20 #include "public/platform/WebCrypto.h"
20 #include "public/platform/WebCryptoAlgorithm.h" 21 #include "public/platform/WebCryptoAlgorithm.h"
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after
75 ASSERT_NOT_REACHED(); 76 ASSERT_NOT_REACHED();
76 return String(); 77 return String();
77 } 78 }
78 79
79 static String digestToString(const DigestValue& digest) 80 static String digestToString(const DigestValue& digest)
80 { 81 {
81 // We always output base64url encoded data, even though we use base64 intern ally. 82 // We always output base64url encoded data, even though we use base64 intern ally.
82 return base64URLEncode(reinterpret_cast<const char*>(digest.data()), digest. size(), Base64DoNotInsertLFs); 83 return base64URLEncode(reinterpret_cast<const char*>(digest.data()), digest. size(), Base64DoNotInsertLFs);
83 } 84 }
84 85
85 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl, const String& resourceType) 86 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl, const String& resourceType, const Re source& resource)
86 { 87 {
87 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled()) 88 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())
88 return true; 89 return true;
89 90
90 if (!element.fastHasAttribute(HTMLNames::integrityAttr)) 91 if (!element.fastHasAttribute(HTMLNames::integrityAttr))
91 return true; 92 return true;
92 93
93 Document& document = element.document(); 94 Document& document = element.document();
94 95
96 if (!resource.isEligibleForIntegrityCheck(&document)) {
97 logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl. elidedString() + "' has an integrity attribute, but the resource requires CORS t o be enabled to check the integrity, and it is not. The resource has been blocke d.", document);
98 return false;
99 }
100
95 String integrity; 101 String integrity;
96 HashAlgorithm algorithm; 102 HashAlgorithm algorithm;
97 String type; 103 String type;
98 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr); 104 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr);
99 if (!parseIntegrityAttribute(attribute, integrity, algorithm, type, document )) { 105 if (!parseIntegrityAttribute(attribute, integrity, algorithm, type, document )) {
100 // An error is logged to the console during parsing; we don't need to lo g one here. 106 // An error is logged to the console during parsing; we don't need to lo g one here.
101 UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrit yAttribute); 107 UseCounter::count(document, UseCounter::SRIElementWithUnparsableIntegrit yAttribute);
102 return false; 108 return false;
103 } 109 }
104 110
(...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after
271 277
272 if (!parseMimeType(position, end, type)) { 278 if (!parseMimeType(position, end, type)) {
273 logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The content type could not be parsed.", document); 279 logErrorToConsole("Error parsing 'integrity' attribute ('" + attribute + "'). The content type could not be parsed.", document);
274 return false; 280 return false;
275 } 281 }
276 282
277 return true; 283 return true;
278 } 284 }
279 285
280 } // namespace blink 286 } // namespace blink
OLDNEW
« no previous file with comments | « Source/core/frame/SubresourceIntegrity.h ('k') | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698