#include "config.h"
#include "core/dom/ScriptLoader.h"
-#include "bindings/v8/ScriptController.h"
-#include "bindings/v8/ScriptSourceCode.h"
+#include "bindings/core/v8/ScriptController.h"
+#include "bindings/core/v8/ScriptSourceCode.h"
#include "core/HTMLNames.h"
#include "core/SVGNames.h"
#include "core/dom/Document.h"
#include "core/html/parser/HTMLParserIdioms.h"
#include "core/frame/LocalFrame.h"
#include "core/frame/csp/ContentSecurityPolicy.h"
+#include "core/inspector/ConsoleMessage.h"
#include "core/svg/SVGScriptElement.h"
#include "platform/MIMETypeRegistry.h"
#include "platform/weborigin/SecurityOrigin.h"
#include "wtf/text/StringBuilder.h"
#include "wtf/text/StringHash.h"
-namespace WebCore {
+namespace blink {
ScriptLoader::ScriptLoader(Element* element, bool parserInserted, bool alreadyStarted)
: m_element(element)
m_forceAsync = true;
// FIXME: HTML5 spec says we should check that all children are either comments or empty text nodes.
- if (!client->hasSourceAttribute() && !m_element->firstChild())
+ if (!client->hasSourceAttribute() && !m_element->hasChildren())
return false;
if (!m_element->inDocument())
request.setCrossOriginAccessControl(elementDocument->securityOrigin(), crossOriginMode);
request.setCharset(scriptCharset());
- bool isValidScriptNonce = elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
- if (isValidScriptNonce)
+ bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));
+ if (scriptPassesCSP)
request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
m_resource = elementDocument->fetcher()->fetchScript(request);
LocalFrame* frame = contextDocument->frame();
- bool shouldBypassMainWorldContentSecurityPolicy = (frame && frame->script().shouldBypassMainWorldContentSecurityPolicy()) || elementDocument->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)) || elementDocument->contentSecurityPolicy()->allowScriptHash(sourceCode.source());
+ const ContentSecurityPolicy* csp = elementDocument->contentSecurityPolicy();
+ bool shouldBypassMainWorldCSP = (frame && frame->script().shouldBypassMainWorldCSP())
+ || csp->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr))
+ || csp->allowScriptWithHash(sourceCode.source());
- if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))
+ if (!m_isExternalScript && (!shouldBypassMainWorldCSP && !csp->allowInlineScript(elementDocument->url(), m_startLineNumber)))
return;
if (m_isExternalScript) {
ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource();
if (resource && !resource->mimeTypeAllowedByNosniff()) {
- contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
+ contextDocument->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled."));
return;
}
}
- if (frame) {
- const bool isImportedScript = contextDocument != elementDocument;
- // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block step 2.3
- // with additional support for HTML imports.
- IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
+ // FIXME: Can this be moved earlier in the function?
+ // Why are we ever attempting to execute scripts without a frame?
+ if (!frame)
+ return;
+
+ const bool isImportedScript = contextDocument != elementDocument;
+ // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block step 2.3
+ // with additional support for HTML imports.
+ IgnoreDestructiveWriteCountIncrementer ignoreDestructiveWriteCountIncrementer(m_isExternalScript || isImportedScript ? contextDocument.get() : 0);
- if (isHTMLScriptLoader(m_element))
- contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
+ if (isHTMLScriptLoader(m_element))
+ contextDocument->pushCurrentScript(toHTMLScriptElement(m_element));
- AccessControlStatus corsCheck = NotSharableCrossOrigin;
- if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()->passesAccessControlCheck(m_element->document().securityOrigin())))
- corsCheck = SharableCrossOrigin;
+ AccessControlStatus corsCheck = NotSharableCrossOrigin;
+ if (!m_isExternalScript || (sourceCode.resource() && sourceCode.resource()->passesAccessControlCheck(m_element->document().securityOrigin())))
+ corsCheck = SharableCrossOrigin;
- // Create a script from the script element node, using the script
- // block's source and the script block's type.
- // Note: This is where the script is compiled and actually executed.
- frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
+ // Create a script from the script element node, using the script
+ // block's source and the script block's type.
+ // Note: This is where the script is compiled and actually executed.
+ frame->script().executeScriptInMainWorld(sourceCode, corsCheck);
- if (isHTMLScriptLoader(m_element)) {
- ASSERT(contextDocument->currentScript() == m_element);
- contextDocument->popCurrentScript();
- }
+ if (isHTMLScriptLoader(m_element)) {
+ ASSERT(contextDocument->currentScript() == m_element);
+ contextDocument->popCurrentScript();
}
}