#include "core/html/imports/HTMLImport.h"
#include "core/html/parser/HTMLParserIdioms.h"
#include "core/frame/LocalFrame.h"
+#include "core/frame/SubresourceIntegrity.h"
#include "core/frame/csp/ContentSecurityPolicy.h"
#include "core/inspector/ConsoleMessage.h"
#include "core/svg/SVGScriptElement.h"
m_characterEncoding = elementDocument.charset();
if (client->hasSourceAttribute()) {
- if (!fetchScript(client->sourceAttributeValue()))
+ FetchRequest::DeferOption defer = FetchRequest::NoDefer;
+ if (!m_parserInserted || client->asyncAttributeValue() || client->deferAttributeValue())
+ defer = FetchRequest::LazyLoad;
+ if (!fetchScript(client->sourceAttributeValue(), defer))
return false;
}
return true;
}
-bool ScriptLoader::fetchScript(const String& sourceUrl)
+bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer)
{
ASSERT(m_element);
bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
if (scriptPassesCSP)
request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
+ request.setDefer(defer);
m_resource = elementDocument->fetcher()->fetchScript(request);
m_isExternalScript = true;
return isSVGScriptElement(*element);
}
-void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
+void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode, double* compilationFinishTime)
{
ASSERT(m_alreadyStarted);
contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
return;
}
+
+ // FIXME: On failure, SRI should probably provide an error message for the console.
+ if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_element, sourceCode.source(), sourceCode.resource()->url()))
+ return;
}
// FIXME: Can this be moved earlier in the function?
// Create a script from the script element node, using the script
// block's source and the script block's type.
// Note: This is where the script is compiled and actually executed.
- frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
+ frame->script().executeScriptInMainWorld(sourceCode, corsCheck, compilationFinishTime);
if (isHTMLScriptLoader(m_element)) {
ASSERT(contextDocument->currentScript() == m_element);