1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
6 #include "core/frame/SubresourceIntegrity.h"
8 #include "core/HTMLNames.h"
9 #include "core/dom/Document.h"
10 #include "core/dom/Element.h"
11 #include "core/frame/UseCounter.h"
12 #include "platform/Crypto.h"
13 #include "platform/ParsingUtilities.h"
14 #include "platform/RuntimeEnabledFeatures.h"
15 #include "platform/weborigin/KURL.h"
16 #include "platform/weborigin/SecurityOrigin.h"
17 #include "public/platform/WebCrypto.h"
18 #include "public/platform/WebCryptoAlgorithm.h"
19 #include "wtf/ASCIICType.h"
20 #include "wtf/text/Base64.h"
21 #include "wtf/text/StringUTF8Adaptor.h"
22 #include "wtf/text/WTFString.h"
26 // FIXME: This should probably use common functions with ContentSecurityPolicy.
27 static bool isIntegrityCharacter(UChar c)
29 // Check if it's a base64 encoded value.
30 return isASCIIAlphanumeric(c) || c == '+' || c == '/' || c == '=';
33 static bool DigestsEqual(const DigestValue& digest1, const DigestValue& digest2)
35 if (digest1.size() != digest2.size())
38 for (size_t i = 0; i < digest1.size(); i++) {
39 if (digest1[i] != digest2[i])
46 // FIXME: If CheckSubresourceIntegrity fails, Blink should create a console
47 // message to alert the developer of the failure.
48 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, const String& source, const KURL& resourceUrl)
50 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())
53 if (!element.fastHasAttribute(HTMLNames::integrityAttr))
56 // FIXME: If insecureOriginMsg is not empty after the check, Blink
57 // should send a console message.
59 // Instead of just checking SecurityOrigin::isSecure on resourceUrl, this
60 // checks canAccessFeatureRequiringSecureOrigin so that file:// protocols
61 // and localhost resources can be allowed. These may be useful for testing
62 // and are allowed for features requiring authenticated origins, so Chrome
64 String insecureOriginMsg = "";
65 RefPtr<SecurityOrigin> resourceSecurityOrigin = SecurityOrigin::create(resourceUrl);
66 if (!element.document().securityOrigin()->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg)) {
67 UseCounter::count(element.document(), UseCounter::SRIElementWithIntegrityAttributeAndInsecureOrigin);
70 if (!resourceSecurityOrigin->canAccessFeatureRequiringSecureOrigin(insecureOriginMsg)) {
71 UseCounter::count(element.document(), UseCounter::SRIElementWithIntegrityAttributeAndInsecureResource);
76 HashAlgorithm algorithm;
77 if (!parseIntegrityAttribute(element.fastGetAttribute(HTMLNames::integrityAttr), integrity, algorithm)) {
78 UseCounter::count(element.document(), UseCounter::SRIElementWithUnparsableIntegrityAttribute);
82 Vector<char> hashVector;
83 base64Decode(integrity, hashVector);
85 StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF::EntitiesForUnencodables);
88 bool digestSuccess = computeDigest(algorithm, normalizedSource.data(), normalizedSource.length(), digest);
91 DigestValue convertedHashVector;
92 convertedHashVector.append(reinterpret_cast<uint8_t*>(hashVector.data()), hashVector.size());
93 if (DigestsEqual(digest, convertedHashVector)) {
94 UseCounter::count(element.document(), UseCounter::SRIElementWithMatchingIntegrityAttribute);
99 UseCounter::count(element.document(), UseCounter::SRIElementWithNonMatchingIntegrityAttribute);
103 bool SubresourceIntegrity::parseIntegrityAttribute(const String& attribute, String& integrity, HashAlgorithm& algorithm)
105 DEFINE_STATIC_LOCAL(const String, integrityPrefix, ("ni://"));
106 // Any additions or subtractions from this struct should also modify the
107 // respective entries in the kAlgorithmMap array in checkDigest().
108 static const struct {
110 HashAlgorithm algorithm;
111 } kSupportedPrefixes[] = {
112 { "sha256", HashAlgorithmSha256 },
113 { "sha384", HashAlgorithmSha384 },
114 { "sha512", HashAlgorithmSha512 }
116 Vector<UChar> characters;
117 attribute.stripWhiteSpace().appendTo(characters);
118 UChar* begin = characters.data();
119 UChar* end = characters.end();
121 if (characters.size() < 1)
124 if (!equalIgnoringCase(integrityPrefix.characters8(), begin, integrityPrefix.length()))
127 const UChar* algorithmStart = begin + integrityPrefix.length();
128 const UChar* algorithmEnd = algorithmStart;
130 skipUntil<UChar>(algorithmEnd, end, ';');
132 // Instead of this sizeof() calculation to get the length of this array,
133 // it would be preferable to use WTF_ARRAY_LENGTH for simplicity and to
134 // guarantee a compile time calculation. Unfortunately, on some
135 // compliers, the call to WTF_ARRAY_LENGTH fails on arrays of anonymous
136 // stucts, so, for now, it is necessary to resort to this sizeof
139 size_t kSupportedPrefixesLength = sizeof(kSupportedPrefixes) / sizeof(kSupportedPrefixes[0]);
140 for (; i < kSupportedPrefixesLength; i++) {
141 if (equalIgnoringCase(kSupportedPrefixes[i].prefix, algorithmStart, strlen(kSupportedPrefixes[i].prefix))) {
142 algorithm = kSupportedPrefixes[i].algorithm;
147 if (i == kSupportedPrefixesLength)
150 const UChar* integrityStart = algorithmEnd;
151 if (!skipExactly<UChar>(integrityStart, end, ';'))
154 const UChar* integrityEnd = integrityStart;
155 skipWhile<UChar, isIntegrityCharacter>(integrityEnd, end);
156 if (integrityEnd != end)
159 integrity = String(integrityStart, integrityEnd - integrityStart);