Changeset 111359 in webkit


Timestamp:
Mar 19, 2012 10:29:11 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

Add support for crossorigin attribute in script elements
https://bugs.webkit.org/show_bug.cgi?id=81438

Patch by Pablo Flouret <pablof@motorola.com> on 2012-03-19
Reviewed by Adam Barth.

Source/WebCore:

Works similarly to img and its crossorigin attribute. In the future it
could allow for things like showing full error messages in error
handlers, etc.

Tests: http/tests/security/script-crossorigin-loads-correctly.html

http/tests/security/script-crossorigin-loads-same-origin.html
http/tests/security/script-with-failed-cors-check-fails-to-load.html

  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::requestScript):
(WebCore::ScriptElement::notifyFinished):

  • dom/ScriptElement.h:

(ScriptElement):

  • html/HTMLScriptElement.idl:

LayoutTests:

  • http/tests/security/resources/alert-fail.js: Added.
  • http/tests/security/resources/cors-script.php: Added.
  • http/tests/security/script-crossorigin-loads-correctly-expected.txt: Added.
  • http/tests/security/script-crossorigin-loads-correctly.html: Added.
  • http/tests/security/script-crossorigin-loads-same-origin-expected.txt: Added.
  • http/tests/security/script-crossorigin-loads-same-origin.html: Added.
  • http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt: Added.
  • http/tests/security/script-with-failed-cors-check-fails-to-load.html: Added.
Location:
trunk
Files:
8 added
5 edited

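--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,18 @@
+2012-03-19  Pablo Flouret  <pablof@motorola.com>
+
+        Add support for crossorigin attribute in script elements
+        https://bugs.webkit.org/show_bug.cgi?id=81438
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/resources/alert-fail.js: Added.
+        * http/tests/security/resources/cors-script.php: Added.
+        * http/tests/security/script-crossorigin-loads-correctly-expected.txt: Added.
+        * http/tests/security/script-crossorigin-loads-correctly.html: Added.
+        * http/tests/security/script-crossorigin-loads-same-origin-expected.txt: Added.
+        * http/tests/security/script-crossorigin-loads-same-origin.html: Added.
+        * http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt: Added.
+        * http/tests/security/script-with-failed-cors-check-fails-to-load.html: Added.
+
 2012-03-19  Anders Carlsson  <andersca@apple.com>
 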
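--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,25 @@
+2012-03-19  Pablo Flouret  <pablof@motorola.com>
+
+        Add support for crossorigin attribute in script elements
+        https://bugs.webkit.org/show_bug.cgi?id=81438
+
+        Reviewed by Adam Barth.
+
+        Works similarly to img and its crossorigin attribute. In the future it
+        could allow for things like showing full error messages in error
+        handlers, etc.
+
+        Tests: http/tests/security/script-crossorigin-loads-correctly.html
+               http/tests/security/script-crossorigin-loads-same-origin.html
+               http/tests/security/script-with-failed-cors-check-fails-to-load.html
+
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::ScriptElement):
+        (WebCore::ScriptElement::requestScript):
+        (WebCore::ScriptElement::notifyFinished):
+        * dom/ScriptElement.h:
+        (ScriptElement):
+        * html/HTMLScriptElement.idl:
+
 2012-03-19  Benjamin Poulain  <benjamin@webkit.org>
 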
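--- a/trunk/Source/WebCore/dom/ScriptElement.cpp
+++ b/trunk/Source/WebCore/dom/ScriptElement.cpp
@@ -28,4 +28,5 @@
 #include "CachedResourceLoader.h"
 #include "ContentSecurityPolicy.h"
+#include "CrossOriginAccessControl.h"
 #include "Document.h"
 #include "DocumentParser.h"
@@ -41,4 +42,5 @@
 #include "ScriptSourceCode.h"
 #include "ScriptValue.h"
+#include "SecurityOrigin.h"
 #include "Settings.h"
 #include "Text.h"
@@ -66,4 +68,5 @@
     , m_forceAsync(!parserInserted)
     , m_willExecuteInOrder(false)
+    , m_requestUsesAccessControl(false)
 {
     ASSERT(m_element);
@@ -246,5 +249,13 @@
     ASSERT(!m_cachedScript);
     if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
-        ResourceRequest request(m_element->document()->completeURL(sourceUrl));
+        ResourceRequest request = ResourceRequest(m_element->document()->completeURL(sourceUrl));
+
+        String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
+        if (!crossOriginMode.isNull()) {
+            m_requestUsesAccessControl = true;
+            StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+            updateRequestForAccessControl(request, m_element->document()->securityOrigin(), allowCredentials);
+        }
+
         m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(request, scriptCharset());
         m_isExternalScript = true;
@@ -304,8 +315,19 @@
 }
 
-void ScriptElement::notifyFinished(CachedResource* o)
+void ScriptElement::notifyFinished(CachedResource* resource)
 {
     ASSERT(!m_willBeParserExecuted);
-    ASSERT_UNUSED(o, o == m_cachedScript);
+    ASSERT_UNUSED(resource, resource == m_cachedScript);
+
+    if (m_requestUsesAccessControl
+        && !m_element->document()->securityOrigin()->canRequest(m_cachedScript->response().url())
+        && !m_cachedScript->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+
+        dispatchErrorEvent();
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin script load denied by Cross-Origin Resource Sharing policy."));
+        m_element->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage);
+        return;
+    }
+
     if (m_willExecuteInOrder)
         m_element->document()->scriptRunner()->notifyScriptReady(this, ScriptRunner::IN_ORDER_EXECUTION);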
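Review bot: The CORS rejection added to notifyFinished() covers only scripts that reach this callback; the `ASSERT(!m_willBeParserExecuted)` at the top of the function shows that parser-executed scripts are finished elsewhere, and nothing in this changeset adds the same `passesAccessControlCheck` gate on that path. If that path is indeed unchanged, a parser-blocking script carrying `crossorigin` whose response fails the check would presumably still run, so the check belongs at a point every external script passes before execution, or at least needs a marker above the `if` such as `// FIXME: parser-executed scripts do not reach notifyFinished(); enforce the CORS check on that path too.` The early `return` also skips the `notifyScriptReady` calls below it, so it is worth confirming that a script already queued with the script runner is not left pending after a denied load. The body of notifyFinished continues past the end of the hunk.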
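--- a/trunk/Source/WebCore/dom/ScriptElement.h
+++ b/trunk/Source/WebCore/dom/ScriptElement.h
@@ -102,4 +102,5 @@
     bool m_forceAsync : 1;
     bool m_willExecuteInOrder : 1;
+    bool m_requestUsesAccessControl : 1;
     String m_characterEncoding;
     String m_fallbackCharacterEncoding;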
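--- a/trunk/Source/WebCore/html/HTMLScriptElement.idl
+++ b/trunk/Source/WebCore/html/HTMLScriptElement.idl
@@ -29,4 +29,5 @@
         attribute [Reflect, URL] DOMString src;
         attribute [Reflect] DOMString type;
+        attribute [Reflect] DOMString crossOrigin;
     };
 }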