bool ScriptElement::requestScript(const String& sourceUrl) { RefPtr<Document> originalDocument = m_element->document(); if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) return false; if (!m_element->inDocument() || m_element->document() != originalDocument) return false; if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_startLineNumber, m_element->document()->completeURL(sourceUrl))) return false; ASSERT(!m_cachedScript); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { CachedResourceRequest request(ResourceRequest(m_element->document()->completeURL(sourceUrl))); String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr); if (!crossOriginMode.isNull()) { m_requestUsesAccessControl = true; StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; updateRequestForAccessControl(request.mutableResourceRequest(), m_element->document()->securityOrigin(), allowCredentials); } request.setCharset(scriptCharset()); request.setInitiator(element()); m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(request); m_isExternalScript = true; } if (m_cachedScript) { return true; } dispatchErrorEvent(); return false; }
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer) { ASSERT(m_element); RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); if (!m_element->inDocument() || m_element->document() != elementDocument) return false; ASSERT(!m_resource); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { FetchRequest request(ResourceRequest(elementDocument->completeURL(sourceUrl)), m_element->localName()); AtomicString crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr); if (!crossOriginMode.isNull()) request.setCrossOriginAccessControl(elementDocument->securityOrigin(), crossOriginMode); request.setCharset(scriptCharset()); bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); if (scriptPassesCSP) request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); request.setDefer(defer); m_resource = elementDocument->fetcher()->fetchScript(request); m_isExternalScript = true; } if (m_resource) return true; dispatchErrorEvent(); return false; }
void ScriptElementData::requestScript(const String& sourceUrl) { Document* document = m_element->document(); // FIXME: Eventually we'd like to evaluate scripts which are inserted into a // viewless document but this'll do for now. // See http://bugs.webkit.org/show_bug.cgi?id=5727 if (!document->frame()) return; ASSERT(!m_cachedScript); m_cachedScript = document->docLoader()->requestScript(sourceUrl, scriptCharset()); // m_createdByParser is never reset - always resied at the initial value set while parsing. // m_evaluated is left untouched as well to avoid script reexecution, if a <script> element // is removed and reappended to the document. m_firedLoad = false; if (m_cachedScript) { m_cachedScript->addClient(this); return; } m_scriptElement->dispatchErrorEvent(); }
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer) { DCHECK(m_element); Document* elementDocument = &(m_element->document()); if (!m_element->inShadowIncludingDocument() || m_element->document() != elementDocument) return false; DCHECK(!m_resource); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { FetchRequest request(ResourceRequest(elementDocument->completeURL(sourceUrl)), m_element->localName()); CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_element->fastGetAttribute(HTMLNames::crossoriginAttr)); if (crossOrigin != CrossOriginAttributeNotSet) request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(), crossOrigin); request.setCharset(scriptCharset()); // Skip fetch-related CSP checks if dynamically injected script is whitelisted and this script is not parser-inserted. bool scriptPassesCSPDynamic = (!isParserInserted() && elementDocument->contentSecurityPolicy()->allowDynamic()); request.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); if (scriptPassesCSPDynamic) { UseCounter::count(elementDocument->frame(), UseCounter::ScriptPassesCSPDynamic); request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); } request.setDefer(defer); String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityAttr); if (!integrityAttr.isEmpty()) { IntegrityMetadataSet metadataSet; SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadataSet, elementDocument); request.setIntegrityMetadata(metadataSet); } m_resource = ScriptResource::fetch(request, elementDocument->fetcher()); m_isExternalScript = true; } if (m_resource) return true; dispatchErrorEvent(); return false; }
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer) { ASSERT(m_element); RefPtrWillBeRawPtr<Document> elementDocument(m_element->document()); if (!m_element->inDocument() || m_element->document() != elementDocument) return false; ASSERT(!m_resource); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { FetchRequest request(ResourceRequest(elementDocument->completeURL(sourceUrl)), m_element->localName()); CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue(m_element->fastGetAttribute(HTMLNames::crossoriginAttr)); if (crossOrigin != CrossOriginAttributeNotSet) request.setCrossOriginAccessControl(elementDocument->securityOrigin(), crossOrigin); request.setCharset(scriptCharset()); bool scriptPassesCSP = elementDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)); if (scriptPassesCSP) request.setContentSecurityCheck(DoNotCheckContentSecurityPolicy); request.setDefer(defer); String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityAttr); IntegrityMetadataSet metadataSet; if (!integrityAttr.isEmpty()) { SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadataSet, elementDocument.get()); request.setIntegrityMetadata(metadataSet); } m_resource = ScriptResource::fetch(request, elementDocument->fetcher()); if (m_resource && !integrityAttr.isEmpty()) m_resource->setIntegrityMetadata(metadataSet); m_isExternalScript = true; } if (m_resource) return true; dispatchErrorEvent(); return false; }
CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute) { Document& document = m_element.document(); auto* settings = document.settings(); if (settings && !settings->isScriptEnabled()) return nullptr; ASSERT(document.contentSecurityPolicy()); bool hasKnownNonce = document.contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree()); ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions(); options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck; CachedResourceRequest request(ResourceRequest(sourceURL), options); request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), document); request.upgradeInsecureRequestIfNeeded(document); request.setCharset(scriptCharset()); request.setInitiator(&element()); return document.cachedResourceLoader().requestScript(WTFMove(request)); }
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer) { DCHECK(m_element); Document* elementDocument = &(m_element->document()); if (!m_element->isConnected() || m_element->document() != elementDocument) return false; DCHECK(!m_resource); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { FetchRequest request( ResourceRequest(elementDocument->completeURL(sourceUrl)), m_element->localName()); CrossOriginAttributeValue crossOrigin = crossOriginAttributeValue( m_element->fastGetAttribute(HTMLNames::crossoriginAttr)); if (crossOrigin != CrossOriginAttributeNotSet) request.setCrossOriginAccessControl(elementDocument->getSecurityOrigin(), crossOrigin); request.setCharset(scriptCharset()); if (ContentSecurityPolicy::isNonceableElement(m_element.get())) { request.setContentSecurityPolicyNonce( m_element->fastGetAttribute(HTMLNames::nonceAttr)); } request.setParserDisposition(isParserInserted() ? ParserInserted : NotParserInserted); request.setDefer(defer); String integrityAttr = m_element->fastGetAttribute(HTMLNames::integrityAttr); if (!integrityAttr.isEmpty()) { IntegrityMetadataSet metadataSet; SubresourceIntegrity::parseIntegrityAttribute(integrityAttr, metadataSet, elementDocument); request.setIntegrityMetadata(metadataSet); } if (m_documentWriteIntervention == DocumentWriteIntervention::FetchDocWrittenScriptDeferIdle) { request.mutableResourceRequest().setHTTPHeaderField( "Intervention", "<https://www.chromestatus.com/feature/5718547946799104>"); } m_resource = ScriptResource::fetch(request, elementDocument->fetcher()); m_isExternalScript = true; } if (!m_resource) { dispatchErrorEvent(); return false; } if (m_createdDuringDocumentWrite && m_resource->resourceRequest().getCachePolicy() == WebCachePolicy::ReturnCacheDataDontLoad) { m_documentWriteIntervention = DocumentWriteIntervention::DoNotFetchDocWrittenScript; } return true; }
bool ScriptElement::requestScript(const String& sourceUrl) { RefPtr<Document> originalDocument = m_element->document(); if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) return false; if (!m_element->inDocument() || m_element->document() != originalDocument) return false; ASSERT(!m_cachedScript); if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) { ResourceRequest request(m_element->document()->completeURL(sourceUrl)); m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(request, scriptCharset()); m_isExternalScript = true; } if (m_cachedScript) { return true; } dispatchErrorEvent(); return false; }
bool ScriptElement::requestScript(const String& sourceUrl) { if (!m_element->document()->contentSecurityPolicy()->canLoadExternalScriptFromSrc(sourceUrl)) return false; RefPtr<Document> originalDocument = m_element->document(); if (!m_element->dispatchBeforeLoadEvent(sourceUrl)) return false; if (!m_element->inDocument() || m_element->document() != originalDocument) return false; ASSERT(!m_cachedScript); // FIXME: If sourceUrl is empty, we should dispatchErrorEvent(). m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(sourceUrl, scriptCharset()); m_isExternalScript = true; if (m_cachedScript) return true; dispatchErrorEvent(); return false; }