void WorkerGlobalScope::applyContentSecurityPolicyFromVector(const Vector<CSPHeaderAndType>& headers) { if (!contentSecurityPolicy()) { RawPtr<ContentSecurityPolicy> csp = ContentSecurityPolicy::create(); setContentSecurityPolicy(csp); } for (const auto& policyAndType : headers) contentSecurityPolicy()->didReceiveHeader(policyAndType.first, policyAndType.second, ContentSecurityPolicyHeaderSourceHTTP); contentSecurityPolicy()->bindToExecutionContext(getExecutionContext()); }
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionCode& ec) { ASSERT(contentSecurityPolicy()); ec = 0; Vector<URL> completedURLs; for (auto& entry : urls) { URL url = scriptExecutionContext()->completeURL(entry); if (!url.isValid()) { ec = SYNTAX_ERR; return; } completedURLs.append(WTFMove(url)); } for (auto& url : completedURLs) { Ref<WorkerScriptLoader> scriptLoader = WorkerScriptLoader::create(); scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests); // If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps. if (scriptLoader->failed()) { ec = NETWORK_ERR; return; } InspectorInstrumentation::scriptImported(scriptExecutionContext(), scriptLoader->identifier(), scriptLoader->script()); NakedPtr<JSC::Exception> exception; m_script->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), exception); if (exception) { m_script->setException(exception); return; } } }
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionState& exceptionState) { ASSERT(contentSecurityPolicy()); ASSERT(getExecutionContext()); ExecutionContext& executionContext = *this->getExecutionContext(); Vector<KURL> completedURLs; for (const String& urlString : urls) { const KURL& url = executionContext.completeURL(urlString); if (!url.isValid()) { exceptionState.throwDOMException(SyntaxError, "The URL '" + urlString + "' is invalid."); return; } if (!contentSecurityPolicy()->allowScriptFromSource(url)) { exceptionState.throwDOMException(NetworkError, "The script at '" + url.elidedString() + "' failed to load."); return; } completedURLs.append(url); } for (const KURL& completeURL : completedURLs) { RefPtr<WorkerScriptLoader> scriptLoader(WorkerScriptLoader::create()); scriptLoader->setRequestContext(WebURLRequest::RequestContextScript); scriptLoader->loadSynchronously(executionContext, completeURL, AllowCrossOriginRequests, executionContext.securityContext().addressSpace()); // If the fetching attempt failed, throw a NetworkError exception and abort all these steps. if (scriptLoader->failed()) { exceptionState.throwDOMException(NetworkError, "The script at '" + completeURL.elidedString() + "' failed to load."); return; } InspectorInstrumentation::scriptImported(&executionContext, scriptLoader->identifier(), scriptLoader->script()); scriptLoaded(scriptLoader->script().length(), scriptLoader->cachedMetadata() ? scriptLoader->cachedMetadata()->size() : 0); RawPtr<ErrorEvent> errorEvent = nullptr; OwnPtr<Vector<char>> cachedMetaData(scriptLoader->releaseCachedMetadata()); RawPtr<CachedMetadataHandler> handler(createWorkerScriptCachedMetadataHandler(completeURL, cachedMetaData.get())); m_scriptController->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), &errorEvent, handler.get(), m_v8CacheOptions); if (errorEvent) { m_scriptController->rethrowExceptionFromImportedScript(errorEvent.release(), exceptionState); return; } } }
bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, bool didRedirect) { bool overrideContentSecurityPolicy = false; ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didRedirect ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No; switch (m_options.contentSecurityPolicyEnforcement) { case ContentSecurityPolicyEnforcement::DoNotEnforce: return true; case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective: return contentSecurityPolicy().allowChildContextFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived); case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective: return contentSecurityPolicy().allowConnectToSource(url, overrideContentSecurityPolicy, redirectResponseReceived); case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective: return contentSecurityPolicy().allowScriptFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived); } ASSERT_NOT_REACHED(); return false; }
WorkerContext::WorkerContext(const KURL& url, const String& userAgent, WorkerThread* thread, const String& policy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType) : m_url(url) , m_userAgent(userAgent) , m_script(adoptPtr(new WorkerScriptController(this))) , m_thread(thread) #if ENABLE(INSPECTOR) , m_workerInspectorController(adoptPtr(new WorkerInspectorController(this))) #endif , m_closing(false) , m_eventQueue(WorkerEventQueue::create(this)) { setSecurityOrigin(SecurityOrigin::create(url)); setContentSecurityPolicy(ContentSecurityPolicy::create(this)); contentSecurityPolicy()->didReceiveHeader(policy, contentSecurityPolicyType); }
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionCode& ec) { ASSERT(contentSecurityPolicy()); ec = 0; Vector<URL> completedURLs; for (auto& entry : urls) { URL url = scriptExecutionContext()->completeURL(entry); if (!url.isValid()) { ec = SYNTAX_ERR; return; } completedURLs.append(WTFMove(url)); } for (auto& url : completedURLs) { // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. bool shouldBypassMainWorldContentSecurityPolicy = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy(); if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(url, shouldBypassMainWorldContentSecurityPolicy)) { ec = NETWORK_ERR; return; } Ref<WorkerScriptLoader> scriptLoader = WorkerScriptLoader::create(); scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests, shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective); // If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps. if (scriptLoader->failed()) { ec = NETWORK_ERR; return; } InspectorInstrumentation::scriptImported(scriptExecutionContext(), scriptLoader->identifier(), scriptLoader->script()); NakedPtr<JSC::Exception> exception; m_script->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), exception); if (exception) { m_script->setException(exception); return; } } }
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionCode& ec) { ASSERT(contentSecurityPolicy()); ec = 0; Vector<String>::const_iterator urlsEnd = urls.end(); Vector<KURL> completedURLs; for (Vector<String>::const_iterator it = urls.begin(); it != urlsEnd; ++it) { const KURL& url = scriptExecutionContext()->completeURL(*it); if (!url.isValid()) { ec = SYNTAX_ERR; return; } completedURLs.append(url); } Vector<KURL>::const_iterator end = completedURLs.end(); for (Vector<KURL>::const_iterator it = completedURLs.begin(); it != end; ++it) { RefPtr<WorkerScriptLoader> scriptLoader(WorkerScriptLoader::create()); #if PLATFORM(BLACKBERRY) scriptLoader->setTargetType(ResourceRequest::TargetIsScript); #endif scriptLoader->loadSynchronously(scriptExecutionContext(), *it, AllowCrossOriginRequests); // If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps. if (scriptLoader->failed()) { ec = XMLHttpRequestException::NETWORK_ERR; return; } InspectorInstrumentation::scriptImported(scriptExecutionContext(), scriptLoader->identifier(), scriptLoader->script()); ScriptValue exception; m_script->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), &exception); if (!exception.hasNoValue()) { m_script->setException(exception); return; } } }
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionState& es) { ASSERT(contentSecurityPolicy()); Vector<String>::const_iterator urlsEnd = urls.end(); Vector<KURL> completedURLs; for (Vector<String>::const_iterator it = urls.begin(); it != urlsEnd; ++it) { const KURL& url = executionContext()->completeURL(*it); if (!url.isValid()) { es.throwDOMException(SyntaxError, "Failed to execute 'importScripts': the URL '" + *it + "' is invalid."); return; } completedURLs.append(url); } Vector<KURL>::const_iterator end = completedURLs.end(); for (Vector<KURL>::const_iterator it = completedURLs.begin(); it != end; ++it) { RefPtr<WorkerScriptLoader> scriptLoader(WorkerScriptLoader::create()); scriptLoader->setTargetType(ResourceRequest::TargetIsScript); scriptLoader->loadSynchronously(executionContext(), *it, AllowCrossOriginRequests); // If the fetching attempt failed, throw a NetworkError exception and abort all these steps. if (scriptLoader->failed()) { es.throwDOMException(NetworkError, "Failed to execute 'importScripts': the script at '" + it->elidedString() + "' failed to load."); return; } InspectorInstrumentation::scriptImported(executionContext(), scriptLoader->identifier(), scriptLoader->script()); RefPtr<ErrorEvent> errorEvent; m_script->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), &errorEvent); if (errorEvent) { m_script->rethrowExceptionFromImportedScript(errorEvent.release()); return; } } }
void WorkerGlobalScope::applyContentSecurityPolicyFromString(const String& policy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType) { setContentSecurityPolicy(ContentSecurityPolicy::create(this)); contentSecurityPolicy()->didReceiveHeader(policy, contentSecurityPolicyType); }
void WorkerGlobalScope::applyContentSecurityPolicyFromString(const String& policy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType) { setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this)); contentSecurityPolicy()->didReceiveHeader(policy, contentSecurityPolicyType); }
void WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders) { contentSecurityPolicy()->didReceiveHeaders(contentSecurityPolicyResponseHeaders); }
void RemoteSecurityContext::resetReplicatedContentSecurityPolicy() { DCHECK(getSecurityOrigin()); setContentSecurityPolicy(ContentSecurityPolicy::create()); contentSecurityPolicy()->setupSelf(*getSecurityOrigin()); }
void RemoteSecurityContext::setReplicatedOrigin( PassRefPtr<SecurityOrigin> origin) { DCHECK(origin); setSecurityOrigin(std::move(origin)); contentSecurityPolicy()->setupSelf(*getSecurityOrigin()); }