Exemplo n.º 1
// Requests the external script named by sourceUrl on behalf of this element.
// Returns true once a cached-script handle is held. Returns false when the
// beforeload event is refused, when the element is no longer in the document it
// started in, when the CSP nonce check refuses the load, or (after an error
// event has been dispatched) when no handle was obtained.
bool ScriptElement::requestScript(const String& sourceUrl)
{
    // Snapshot taken before the beforeload dispatch; the element is compared
    // against it again once the dispatch has returned.
    RefPtr<Document> documentBeforeEvent = m_element->document();
    if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
        return false;

    const bool detached = !m_element->inDocument();
    if (detached || m_element->document() != documentBeforeEvent)
        return false;

    // The policy is asked about the element's nonce together with the document
    // URL, the script's starting line and the resolved script URL. A refusal
    // returns from here without dispatching an error event in this function.
    const bool nonceAccepted = m_element->document()->contentSecurityPolicy()->allowScriptNonce(
        m_element->fastGetAttribute(HTMLNames::nonceAttr),
        m_element->document()->url(),
        m_startLineNumber,
        m_element->document()->completeURL(sourceUrl));
    if (!nonceAccepted)
        return false;

    ASSERT(!m_cachedScript);

    // Nothing is requested for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl = !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        CachedResourceRequest scriptRequest(ResourceRequest(m_element->document()->completeURL(sourceUrl)));

        // A crossorigin attribute that is present switches the request to
        // access control; stored credentials are allowed only for the value
        // "use-credentials" (compared case-insensitively).
        String crossOriginValue = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
        if (!crossOriginValue.isNull()) {
            StoredCredentials credentialsPolicy = DoNotAllowStoredCredentials;
            if (equalIgnoringCase(crossOriginValue, "use-credentials"))
                credentialsPolicy = AllowStoredCredentials;
            m_requestUsesAccessControl = true;
            updateRequestForAccessControl(scriptRequest.mutableResourceRequest(), m_element->document()->securityOrigin(), credentialsPolicy);
        }
        scriptRequest.setCharset(scriptCharset());
        scriptRequest.setInitiator(element());

        m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(scriptRequest);
        m_isExternalScript = true;
    }

    if (!m_cachedScript) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}
Exemplo n.º 2
// Starts the fetch of the external script at sourceUrl with the given defer
// option. Returns true when a resource was obtained; returns false when the
// element is not in a document, or (after dispatching an error event) when no
// resource was obtained.
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer)
{
    ASSERT(m_element);

    RefPtrWillBeRawPtr<Document> ownerDocument(m_element->document());
    const bool notInDocument = !m_element->inDocument();
    if (notInDocument || m_element->document() != ownerDocument)
        return false;

    ASSERT(!m_resource);

    // Nothing is fetched for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl = !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        FetchRequest scriptRequest(ResourceRequest(ownerDocument->completeURL(sourceUrl)), m_element->localName());

        // Access control is requested only when a crossorigin attribute is present.
        AtomicString crossOriginValue = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
        if (!crossOriginValue.isNull())
            scriptRequest.setCrossOriginAccessControl(ownerDocument->securityOrigin(), crossOriginValue);
        scriptRequest.setCharset(scriptCharset());

        // A nonce accepted by the document's policy marks the request so that
        // the fetch skips its CSP check.
        // NOTE(review): how that exemption applies to redirects of this request
        // is decided in the fetcher and is not visible here - confirm.
        if (ownerDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)))
            scriptRequest.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
        scriptRequest.setDefer(defer);

        m_resource = ownerDocument->fetcher()->fetchScript(scriptRequest);
        m_isExternalScript = true;
    }

    if (!m_resource) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}
Exemplo n.º 3
// Requests the script at sourceUrl through the document's loader and registers
// this object as a client of the result. Does nothing when the document has no
// frame; dispatches an error event when the loader returns no script.
void ScriptElementData::requestScript(const String& sourceUrl)
{
    Document* ownerDocument = m_element->document();

    // FIXME: Scripts inserted into a viewless document should eventually be
    // evaluated as well; for now they are skipped.
    // See http://bugs.webkit.org/show_bug.cgi?id=5727
    if (!ownerDocument->frame())
        return;

    ASSERT(!m_cachedScript);
    // NOTE(review): sourceUrl is handed to the loader as received and no policy
    // check is made in this function - confirm where script loads are vetted.
    m_cachedScript = ownerDocument->docLoader()->requestScript(sourceUrl, scriptCharset());

    // m_createdByParser is never reset; it keeps the value set while parsing.
    // m_evaluated is not touched here either, so that a <script> element that
    // is removed and appended again is not executed a second time.
    m_firedLoad = false;

    if (!m_cachedScript) {
        m_scriptElement->dispatchErrorEvent();
        return;
    }

    m_cachedScript->addClient(this);
}
Exemplo n.º 4
// Starts the fetch of the external script at sourceUrl with the given defer
// option, attaching the element's crossorigin, nonce and integrity settings to
// the request. Returns true when a resource was obtained; returns false when
// the element is not in a shadow-including document, or (after dispatching an
// error event) when no resource was obtained.
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer)
{
    DCHECK(m_element);

    Document* ownerDocument = &(m_element->document());
    if (!m_element->inShadowIncludingDocument() || m_element->document() != ownerDocument)
        return false;

    DCHECK(!m_resource);

    // Nothing is fetched for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl = !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        FetchRequest scriptRequest(ResourceRequest(ownerDocument->completeURL(sourceUrl)), m_element->localName());

        // Access control is requested only when the crossorigin attribute is set.
        CrossOriginAttributeValue crossOriginSetting = crossOriginAttributeValue(m_element->fastGetAttribute(HTMLNames::crossoriginAttr));
        if (crossOriginSetting != CrossOriginAttributeNotSet)
            scriptRequest.setCrossOriginAccessControl(ownerDocument->getSecurityOrigin(), crossOriginSetting);
        scriptRequest.setCharset(scriptCharset());

        // The fetch-time CSP check is skipped only for a script that was not
        // inserted by the parser, and only when the document's policy allows
        // dynamically injected scripts.
        const bool skipCheckForDynamicScript = !isParserInserted() && ownerDocument->contentSecurityPolicy()->allowDynamic();

        // The nonce travels with the request in either case.
        scriptRequest.setContentSecurityPolicyNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr));

        if (skipCheckForDynamicScript) {
            UseCounter::count(ownerDocument->frame(), UseCounter::ScriptPassesCSPDynamic);
            scriptRequest.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
        }
        scriptRequest.setDefer(defer);

        // Integrity metadata is parsed and attached only for a non-empty
        // integrity attribute.
        // NOTE(review): any result of the parse is not inspected here - confirm
        // how a malformed attribute is treated downstream.
        String integrityValue = m_element->fastGetAttribute(HTMLNames::integrityAttr);
        if (!integrityValue.isEmpty()) {
            IntegrityMetadataSet parsedMetadata;
            SubresourceIntegrity::parseIntegrityAttribute(integrityValue, parsedMetadata, ownerDocument);
            scriptRequest.setIntegrityMetadata(parsedMetadata);
        }

        m_resource = ScriptResource::fetch(scriptRequest, ownerDocument->fetcher());

        m_isExternalScript = true;
    }

    if (!m_resource) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}
Exemplo n.º 5
// Starts the fetch of the external script at sourceUrl with the given defer
// option, attaching the element's crossorigin, nonce and integrity settings.
// Returns true when a resource was obtained; returns false when the element is
// not in a document, or (after dispatching an error event) when no resource
// was obtained.
bool ScriptLoader::fetchScript(const String& sourceUrl, FetchRequest::DeferOption defer)
{
    ASSERT(m_element);

    RefPtrWillBeRawPtr<Document> ownerDocument(m_element->document());
    const bool notInDocument = !m_element->inDocument();
    if (notInDocument || m_element->document() != ownerDocument)
        return false;

    ASSERT(!m_resource);

    // Nothing is fetched for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl = !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        FetchRequest scriptRequest(ResourceRequest(ownerDocument->completeURL(sourceUrl)), m_element->localName());

        // Access control is requested only when the crossorigin attribute is set.
        CrossOriginAttributeValue crossOriginSetting = crossOriginAttributeValue(m_element->fastGetAttribute(HTMLNames::crossoriginAttr));
        if (crossOriginSetting != CrossOriginAttributeNotSet)
            scriptRequest.setCrossOriginAccessControl(ownerDocument->securityOrigin(), crossOriginSetting);
        scriptRequest.setCharset(scriptCharset());

        // A nonce accepted by the document's policy marks the request so that
        // the fetch skips its CSP check.
        // NOTE(review): how that exemption applies to redirects of this request
        // is decided in the fetcher and is not visible here - confirm.
        if (ownerDocument->contentSecurityPolicy()->allowScriptWithNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr)))
            scriptRequest.setContentSecurityCheck(DoNotCheckContentSecurityPolicy);
        scriptRequest.setDefer(defer);

        // The parsed integrity metadata is declared outside the condition
        // because it is handed to the request before the fetch and to the
        // resource after it.
        String integrityValue = m_element->fastGetAttribute(HTMLNames::integrityAttr);
        IntegrityMetadataSet parsedMetadata;
        if (!integrityValue.isEmpty()) {
            SubresourceIntegrity::parseIntegrityAttribute(integrityValue, parsedMetadata, ownerDocument.get());
            scriptRequest.setIntegrityMetadata(parsedMetadata);
        }

        m_resource = ScriptResource::fetch(scriptRequest, ownerDocument->fetcher());

        // NOTE(review): presumably the metadata is set on the resource as well
        // so that a resource not created from this request still carries this
        // element's integrity requirement - confirm against ScriptResource.
        if (m_resource && !integrityValue.isEmpty())
            m_resource->setIntegrityMetadata(parsedMetadata);

        m_isExternalScript = true;
    }

    if (!m_resource) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}
Exemplo n.º 6
// Builds the request for the script at sourceURL and hands it to the document's
// cached resource loader, returning whatever handle the loader gives back.
// Returns nullptr without issuing a request when the document has settings and
// they report script as disabled.
CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute)
{
    Document& ownerDocument = m_element.document();
    auto* documentSettings = ownerDocument.settings();
    if (documentSettings && !documentSettings->isScriptEnabled())
        return nullptr;

    ASSERT(ownerDocument.contentSecurityPolicy());

    // The nonce is checked against the document's policy; the second argument
    // tells the policy whether the element sits in a user-agent shadow tree.
    bool nonceIsKnown = ownerDocument.contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());

    // An accepted nonce makes the loader skip its own policy check for this
    // request; otherwise the loader performs the check.
    ResourceLoaderOptions loaderOptions = CachedResourceLoader::defaultCachedResourceOptions();
    if (nonceIsKnown)
        loaderOptions.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
    else
        loaderOptions.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::DoPolicyCheck;

    CachedResourceRequest scriptRequest(ResourceRequest(sourceURL), loaderOptions);
    scriptRequest.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), ownerDocument);
    scriptRequest.upgradeInsecureRequestIfNeeded(ownerDocument);

    scriptRequest.setCharset(scriptCharset());
    scriptRequest.setInitiator(&element());

    return ownerDocument.cachedResourceLoader().requestScript(WTFMove(scriptRequest));
}
Exemplo n.º 7
// Starts the fetch of the external script at sourceUrl with the given defer
// option, attaching the element's crossorigin, nonce, parser-disposition and
// integrity settings to the request. Returns true when a resource was
// obtained; returns false when the element is not connected, or (after
// dispatching an error event) when no resource was obtained.
bool ScriptLoader::fetchScript(const String& sourceUrl,
                               FetchRequest::DeferOption defer) {
    DCHECK(m_element);

    Document* ownerDocument = &(m_element->document());
    if (!m_element->isConnected() || m_element->document() != ownerDocument)
        return false;

    DCHECK(!m_resource);

    // Nothing is fetched for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl =
        !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        FetchRequest scriptRequest(
            ResourceRequest(ownerDocument->completeURL(sourceUrl)),
            m_element->localName());

        // Access control is requested only when the crossorigin attribute is set.
        CrossOriginAttributeValue crossOriginSetting = crossOriginAttributeValue(
            m_element->fastGetAttribute(HTMLNames::crossoriginAttr));
        if (crossOriginSetting != CrossOriginAttributeNotSet)
            scriptRequest.setCrossOriginAccessControl(
                ownerDocument->getSecurityOrigin(), crossOriginSetting);
        scriptRequest.setCharset(scriptCharset());

        // The nonce is copied onto the request only when the policy code
        // regards this element as nonceable; no CSP decision is taken here.
        if (ContentSecurityPolicy::isNonceableElement(m_element.get())) {
            scriptRequest.setContentSecurityPolicyNonce(
                m_element->fastGetAttribute(HTMLNames::nonceAttr));
        }

        // Record on the request whether the parser inserted this script.
        if (isParserInserted())
            scriptRequest.setParserDisposition(ParserInserted);
        else
            scriptRequest.setParserDisposition(NotParserInserted);

        scriptRequest.setDefer(defer);

        // Integrity metadata is parsed and attached only for a non-empty
        // integrity attribute.
        // NOTE(review): any result of the parse is not inspected here - confirm
        // how a malformed attribute is treated downstream.
        String integrityValue =
            m_element->fastGetAttribute(HTMLNames::integrityAttr);
        if (!integrityValue.isEmpty()) {
            IntegrityMetadataSet parsedMetadata;
            SubresourceIntegrity::parseIntegrityAttribute(
                integrityValue, parsedMetadata, ownerDocument);
            scriptRequest.setIntegrityMetadata(parsedMetadata);
        }

        // Requests affected by this document.write intervention state carry an
        // "Intervention" header naming the feature.
        const bool deferredByIntervention =
            m_documentWriteIntervention ==
            DocumentWriteIntervention::FetchDocWrittenScriptDeferIdle;
        if (deferredByIntervention) {
            scriptRequest.mutableResourceRequest().setHTTPHeaderField(
                "Intervention",
                "<https://www.chromestatus.com/feature/5718547946799104>");
        }

        m_resource = ScriptResource::fetch(scriptRequest, ownerDocument->fetcher());

        m_isExternalScript = true;
    }

    if (!m_resource) {
        dispatchErrorEvent();
        return false;
    }

    // A script created during document.write whose request ended up with the
    // cache-only policy is recorded as not fetched.
    if (m_createdDuringDocumentWrite) {
        const bool cacheOnly = m_resource->resourceRequest().getCachePolicy() ==
                               WebCachePolicy::ReturnCacheDataDontLoad;
        if (cacheOnly) {
            m_documentWriteIntervention =
                DocumentWriteIntervention::DoNotFetchDocWrittenScript;
        }
    }

    return true;
}
Exemplo n.º 8
// Requests the external script named by sourceUrl on behalf of this element.
// Returns true once a cached-script handle is held. Returns false when the
// beforeload event is refused, when the element is no longer in the document it
// started in, or (after an error event has been dispatched) when no handle was
// obtained.
// NOTE(review): no content-security-policy check is made in this function -
// confirm that the caller or the loader enforces it.
bool ScriptElement::requestScript(const String& sourceUrl)
{
    // Snapshot taken before the beforeload dispatch; the element is compared
    // against it again once the dispatch has returned.
    RefPtr<Document> documentBeforeEvent = m_element->document();
    if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
        return false;

    const bool detached = !m_element->inDocument();
    if (detached || m_element->document() != documentBeforeEvent)
        return false;

    ASSERT(!m_cachedScript);

    // Nothing is requested for a URL that is empty once HTML spaces are stripped.
    const bool hasUsableUrl = !stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty();
    if (hasUsableUrl) {
        ResourceRequest scriptRequest(m_element->document()->completeURL(sourceUrl));
        m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(scriptRequest, scriptCharset());
        m_isExternalScript = true;
    }

    if (!m_cachedScript) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}
Exemplo n.º 9
// Requests the external script named by sourceUrl on behalf of this element.
// Returns true once a cached-script handle is held. Returns false when the
// document's content security policy refuses the source, when the beforeload
// event is refused, when the element is no longer in the document it started
// in, or (after an error event has been dispatched) when no handle was
// obtained.
bool ScriptElement::requestScript(const String& sourceUrl)
{
    // The policy check comes first and receives sourceUrl exactly as passed in.
    // NOTE(review): confirm that canLoadExternalScriptFromSrc resolves the
    // string against the document before matching it.
    const bool allowedByPolicy = m_element->document()->contentSecurityPolicy()->canLoadExternalScriptFromSrc(sourceUrl);
    if (!allowedByPolicy)
        return false;

    // Snapshot taken before the beforeload dispatch; the element is compared
    // against it again once the dispatch has returned.
    RefPtr<Document> documentBeforeEvent = m_element->document();
    if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
        return false;

    const bool detached = !m_element->inDocument();
    if (detached || m_element->document() != documentBeforeEvent)
        return false;

    ASSERT(!m_cachedScript);
    // FIXME: If sourceUrl is empty, we should dispatchErrorEvent().
    m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(sourceUrl, scriptCharset());
    m_isExternalScript = true;

    if (!m_cachedScript) {
        dispatchErrorEvent();
        return false;
    }
    return true;
}