Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(83)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/ScriptLoader.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase on ToT Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors.html ('K') | « LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors-expected.txt ('k') | Source/core/fetch/Resource.h » ('j') | Source/core/frame/SubresourceIntegrityTest.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserv ed.
6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org> 6 * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 333 matching lines...) Expand 10 before | Expand all | Expand 10 after
344 if (resource && !resource->mimeTypeAllowedByNosniff()) { 344 if (resource && !resource->mimeTypeAllowedByNosniff()) {
345 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.")); 345 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
346 return; 346 return;
347 } 347 }
348 348
349 if (resource && resource->mimeType().lower().startsWith("image/")) { 349 if (resource && resource->mimeType().lower().startsWith("image/")) {
350 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable.")); 350 contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMe ssageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->u rl().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable."));
351 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript); 351 UseCounter::count(frame, UseCounter::BlockedSniffingImageToScript);
352 return; 352 return;
353 } 353 }
354
355 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url(), sourceCode.resource()->mimeType()))
356 return;
357 } 354 }
358 355
359 // FIXME: Can this be moved earlier in the function? 356 // FIXME: Can this be moved earlier in the function?
360 // Why are we ever attempting to execute scripts without a frame? 357 // Why are we ever attempting to execute scripts without a frame?
361 if (!frame) 358 if (!frame)
362 return; 359 return;
363 360
364 const bool isImportedScript = contextDocument != elementDocument; 361 const bool isImportedScript = contextDocument != elementDocument;
365 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3 362 // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-blo ck step 2.3
366 // with additional support for HTML imports. 363 // with additional support for HTML imports.
367 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncremente r(m_isExternalScript || isImportedScript ? contextDocument.get() : 0); 364 IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncremente r(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
368 365
369 if (isHTMLScriptLoader(m_element)) 366 if (isHTMLScriptLoader(m_element))
370 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element)); 367 contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
371 368
372 AccessControlStatus corsCheck = NotSharableCrossOrigin; 369 AccessControlStatus corsCheck = NotSharableCrossOrigin;
373 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()-> passesAccessControlCheck(&m_element->document(), m_element->document().securityO rigin()))) 370 if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()-> passesAccessControlCheck(&m_element->document(), m_element->document().securityO rigin())))
374 corsCheck = SharableCrossOrigin; 371 corsCheck = SharableCrossOrigin;
375 372
373 if (m_isExternalScript) {
374 const KURL resourceUrl = sourceCode.resource()->resourceRequest().url();
375 if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceC ode.source(), sourceCode.resource()->url(), sourceCode.resource()->mimeType(), * sourceCode.resource())) {
376 return;
377 }
378 }
379
376 // Create a script from the script element node, using the script 380 // Create a script from the script element node, using the script
377 // block's source and the script block's type. 381 // block's source and the script block's type.
378 // Note: This is where the script is compiled and actually executed. 382 // Note: This is where the script is compiled and actually executed.
379 frame->script().executeScriptInMainWorld(sourceCode, corsCheck, compilationF inishTime); 383 frame->script().executeScriptInMainWorld(sourceCode, corsCheck, compilationF inishTime);
380 384
381 if (isHTMLScriptLoader(m_element)) { 385 if (isHTMLScriptLoader(m_element)) {
382 ASSERT(contextDocument->currentScript() == m_element); 386 ASSERT(contextDocument->currentScript() == m_element);
383 contextDocument->popCurrentScript(); 387 contextDocument->popCurrentScript();
384 } 388 }
385 } 389 }
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after
474 if (isHTMLScriptLoader(element)) 478 if (isHTMLScriptLoader(element))
475 return toHTMLScriptElement(element)->loader(); 479 return toHTMLScriptElement(element)->loader();
476 480
477 if (isSVGScriptLoader(element)) 481 if (isSVGScriptLoader(element))
478 return toSVGScriptElement(element)->loader(); 482 return toSVGScriptElement(element)->loader();
479 483
480 return 0; 484 return 0;
481 } 485 }
482 486
483 } // namespace blink 487 } // namespace blink
OLDNEW
« LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors.html ('K') | « LayoutTests/http/tests/security/subresourceIntegrity/subresource-integrity-style-no-cors-expected.txt ('k') | Source/core/fetch/Resource.h » ('j') | Source/core/frame/SubresourceIntegrityTest.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698