diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-13 15:05:36 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-14 10:33:47 +0000 |
commit | e684a3455bcc29a6e3e66a004e352dea4e1141e7 (patch) | |
tree | d55b4003bde34d7d05f558f02cfd82b2a66a7aac /chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc | |
parent | 2b94bfe47ccb6c08047959d1c26e392919550e86 (diff) | |
download | qtwebengine-chromium-e684a3455bcc29a6e3e66a004e352dea4e1141e7.tar.gz |
BASELINE: Update Chromium to 72.0.3626.110 and Ninja to 1.9.0
Change-Id: Ic57220b00ecc929a893c91f5cc552f5d3e99e922
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc | 48 |
1 files changed, 20 insertions, 28 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc b/chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc index c3bc43524af..d3eaed46e86 100644 --- a/chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc +++ b/chromium/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc @@ -56,17 +56,21 @@ const WebFeature kTextXmlFeatures[2][2] = { // Helper function to decide what to do with with a given mime type. This takes // - a mime type -// - inputs that affect the decision (is_same_origin, is_worker_global_scope). +// - inputs that affect the decision (is_same_origin, mime_type_check_mode). // // The return value determines whether this mime should be allowed or blocked. // Additionally, warn returns whether we should log a console warning about // expected future blocking of this resource. 'counter' determines which -// Use counter should be used to count this. +// Use counter should be used to count this. 'is_worker_global_scope' is used +// for choosing 'counter' value. bool AllowMimeTypeAsScript(const String& mime_type, bool same_origin, + AllowedByNosniff::MimeTypeCheck mime_type_check_mode, bool is_worker_global_scope, bool& warn, WebFeature& counter) { + using MimeTypeCheck = AllowedByNosniff::MimeTypeCheck; + // The common case: A proper JavaScript MIME type if (MIMETypeRegistry::IsSupportedJavaScriptMIMEType(mime_type)) return true; @@ -94,7 +98,7 @@ bool AllowMimeTypeAsScript(const String& mime_type, // we still wish to accept them (or log them using UseCounter, or add a // deprecation warning to the console). - if (!is_worker_global_scope && + if (mime_type_check_mode == MimeTypeCheck::kLax && mime_type.StartsWithIgnoringASCIICase("text/") && MIMETypeRegistry::IsLegacySupportedJavaScriptLanguage( mime_type.Substring(5))) { @@ -116,22 +120,25 @@ bool AllowMimeTypeAsScript(const String& mime_type, // Depending on RuntimeEnabledFeatures, we'll allow, allow-but-warn, or block // these types when we're in a worker. - bool allow = !is_worker_global_scope || + bool allow = mime_type_check_mode == MimeTypeCheck::kLax || !RuntimeEnabledFeatures::WorkerNosniffBlockEnabled(); - warn = allow && is_worker_global_scope && + warn = allow && mime_type_check_mode == MimeTypeCheck::kStrict && RuntimeEnabledFeatures::WorkerNosniffWarnEnabled(); return allow; } -bool MimeTypeAsScriptImpl(ExecutionContext* execution_context, - const ResourceResponse& response, - bool is_worker_global_scope) { +} // namespace + +bool AllowedByNosniff::MimeTypeAsScript(ExecutionContext* execution_context, + const ResourceResponse& response, + MimeTypeCheck mime_type_check_mode) { // The content type is really only meaningful for the http:-family & data // schemes. bool is_http_family_or_data = response.Url().ProtocolIsInHTTPFamily() || response.Url().ProtocolIsData(); if (!is_http_family_or_data && - response.Url().LastPathComponent().EndsWith(".js")) { + (response.Url().LastPathComponent().EndsWith(".js") || + response.Url().LastPathComponent().EndsWith(".mjs"))) { return true; } @@ -139,7 +146,7 @@ bool MimeTypeAsScriptImpl(ExecutionContext* execution_context, // Allowed by nosniff? if (!(ParseContentTypeOptionsHeader(response.HttpHeaderField( - HTTPNames::X_Content_Type_Options)) != kContentTypeOptionsNosniff || + http_names::kXContentTypeOptions)) != kContentTypeOptionsNosniff || MIMETypeRegistry::IsSupportedJavaScriptMIMEType(mime_type))) { execution_context->AddConsoleMessage(ConsoleMessage::Create( kSecurityMessageSource, kErrorMessageLevel, @@ -163,8 +170,9 @@ bool MimeTypeAsScriptImpl(ExecutionContext* execution_context, const WebFeature kWebFeatureNone = WebFeature::kNumberOfFeatures; bool warn = false; WebFeature counter = kWebFeatureNone; - bool allow = AllowMimeTypeAsScript(mime_type, same_origin, - is_worker_global_scope, warn, counter); + bool allow = AllowMimeTypeAsScript( + mime_type, same_origin, mime_type_check_mode, + execution_context->IsWorkerGlobalScope(), warn, counter); // These record usages for two MIME types (without subtypes), per same/cross // origin. @@ -191,20 +199,4 @@ bool MimeTypeAsScriptImpl(ExecutionContext* execution_context, return allow; } -} // namespace - -bool AllowedByNosniff::MimeTypeAsScript(ExecutionContext* execution_context, - const ResourceResponse& response) { - return MimeTypeAsScriptImpl(execution_context, response, - execution_context->IsWorkerGlobalScope()); -} - -bool AllowedByNosniff::MimeTypeAsScriptForTesting( - ExecutionContext* execution_context, - const ResourceResponse& response, - bool is_worker_global_scope) { - return MimeTypeAsScriptImpl(execution_context, response, - is_worker_global_scope); -} - } // namespace blink |