diff options
Diffstat (limited to 'chromium/third_party/blink/renderer/core/script/script_loader.cc')
| -rw-r--r-- | chromium/third_party/blink/renderer/core/script/script_loader.cc | 86 |
1 files changed, 59 insertions, 27 deletions
diff --git a/chromium/third_party/blink/renderer/core/script/script_loader.cc b/chromium/third_party/blink/renderer/core/script/script_loader.cc index 5aad7de62b8..211d52589e8 100644 --- a/chromium/third_party/blink/renderer/core/script/script_loader.cc +++ b/chromium/third_party/blink/renderer/core/script/script_loader.cc @@ -24,6 +24,7 @@ #include "third_party/blink/renderer/core/script/script_loader.h" +#include "base/feature_list.h" #include "third_party/blink/public/common/feature_policy/feature_policy.h" #include "third_party/blink/public/common/features.h" #include "third_party/blink/public/mojom/feature_policy/feature_policy_feature.mojom-blink.h" @@ -35,6 +36,7 @@ #include "third_party/blink/renderer/core/dom/text.h" #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h" #include "third_party/blink/renderer/core/frame/local_frame.h" +#include "third_party/blink/renderer/core/html/html_document.h" #include "third_party/blink/renderer/core/html/imports/html_import.h" #include "third_party/blink/renderer/core/html/parser/html_parser_idioms.h" #include "third_party/blink/renderer/core/html_names.h" @@ -53,7 +55,9 @@ #include "third_party/blink/renderer/core/script/script_element_base.h" #include "third_party/blink/renderer/core/script/script_runner.h" #include "third_party/blink/renderer/core/svg_names.h" +#include "third_party/blink/renderer/core/trustedtypes/trusted_types_util.h" #include "third_party/blink/renderer/platform/bindings/parkable_string.h" +#include "third_party/blink/renderer/platform/heap/heap.h" #include "third_party/blink/renderer/platform/instrumentation/histogram.h" #include "third_party/blink/renderer/platform/instrumentation/use_counter.h" #include "third_party/blink/renderer/platform/loader/fetch/fetch_client_settings_object_snapshot.h" @@ -249,8 +253,8 @@ network::mojom::CredentialsMode ScriptLoader::ModuleScriptCredentialsMode( bool ShouldBlockSyncScriptForFeaturePolicy(const ScriptElementBase* element, mojom::ScriptType script_type, bool parser_inserted) { - if (element->GetDocument().GetFeaturePolicy()->IsFeatureEnabled( - mojom::FeaturePolicyFeature::kSyncScript)) { + if (element->GetDocument().IsFeatureEnabled( + mojom::blink::FeaturePolicyFeature::kSyncScript)) { return false; } @@ -289,7 +293,15 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, non_blocking_ = true; // <spec step="4">Let source text be the element's child text content.</spec> - const String source_text = element_->TextFromChildren(); + // + // Trusted Types additionally requires: + // https://w3c.github.io/webappsec-trusted-types/dist/spec/#slot-value-verification + // - Step 4: Execute the Prepare the script URL and text algorithm upon the + // script element. If that algorithm threw an error, then return. The + // script is not executed. + // - Step 5: Let source text be the element’s [[ScriptText]] internal slot + // value. + const String source_text = GetScriptText(); // <spec step="5">If the element has no src attribute, and source text is the // empty string, then return. The script is not executed.</spec> @@ -386,8 +398,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // executed. [CSP]</spec> if (!element_->HasSourceAttribute() && !element_->AllowInlineScriptForCSP(element_->GetNonceForElement(), - position.line_, - element_->TextFromChildren())) { + position.line_, source_text)) { return false; } @@ -398,7 +409,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // This FeaturePolicy is still in the process of being added to the spec. if (ShouldBlockSyncScriptForFeaturePolicy(element_.Get(), GetScriptType(), parser_inserted_)) { - element_document.AddConsoleMessage(ConsoleMessage::Create( + element_document.AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>( mojom::ConsoleMessageSource::kJavaScript, mojom::ConsoleMessageLevel::kError, "Synchronous script execution is disabled by Feature Policy")); @@ -428,11 +439,13 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, IntegrityMetadataSet integrity_metadata; if (!integrity_attr.IsEmpty()) { SubresourceIntegrity::IntegrityFeatures integrity_features = - SubresourceIntegrityHelper::GetFeatures(&element_document); + SubresourceIntegrityHelper::GetFeatures( + element_document.ToExecutionContext()); SubresourceIntegrity::ReportInfo report_info; SubresourceIntegrity::ParseIntegrityAttribute( integrity_attr, integrity_features, integrity_metadata, &report_info); - SubresourceIntegrityHelper::DoReport(element_document, report_info); + SubresourceIntegrityHelper::DoReport(*element_document.ToExecutionContext(), + report_info); } // <spec step="20">Let referrer policy be the current state of the element's @@ -490,7 +503,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, Modulator* modulator = Modulator::From( ToScriptStateForMainWorld(context_document->GetFrame())); if (!modulator->IsAcquiringImportMaps()) { - element_document.AddConsoleMessage(ConsoleMessage::Create( + element_document.AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>( mojom::ConsoleMessageSource::kJavaScript, mojom::ConsoleMessageLevel::kError, "An import map is added after module script load was triggered.")); @@ -540,7 +553,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // <spec step="24.6">Switch on the script's type:</spec> if (is_import_map) { // TODO(crbug.com/922212): Implement external import maps. - element_document.AddConsoleMessage(ConsoleMessage::Create( + element_document.AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>( mojom::ConsoleMessageSource::kJavaScript, mojom::ConsoleMessageLevel::kError, "External import maps are not yet supported.")); @@ -572,9 +585,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // Fetch a classic script given url, settings object, options, classic // script CORS setting, and encoding.</spec> Document* document_for_origin = &element_document; - if (base::FeatureList::IsEnabled( - features::kHtmlImportsRequestInitiatorLock) && - element_document.ImportsController()) { + if (element_document.ImportsController()) { document_for_origin = context_document; } FetchClassicScript(url, *document_for_origin, options, cross_origin, @@ -612,7 +623,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // <spec step="24.1">Let src be the value of the element's src // attribute.</spec> // - // This step is done later as ScriptElementBase::TextFromChildren(): + // This step is done later as ScriptElementBase::ChildTextContent(): // - in ScriptLoader::PrepareScript() (Step 26, 6th Clause), // - in HTMLParserScriptRunner::ProcessScriptElementInternal() // (Duplicated code of Step 26, 6th Clause), @@ -634,8 +645,8 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // 1. Let import map parse result be the result of create an import map // parse result, given source text, base URL and settings object. [spec // text] - PendingImportMap* pending_import_map = PendingImportMap::CreateInline( - *element_, element_->TextFromChildren(), base_url); + PendingImportMap* pending_import_map = + PendingImportMap::CreateInline(*element_, source_text, base_url); // Because we currently support inline import maps only, the pending // import map is ready immediately and thus we call `register an import @@ -663,8 +674,8 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, } prepared_pending_script_ = ClassicPendingScript::CreateInline( - element_, position, base_url, element_->TextFromChildren(), - script_location_type, options); + element_, position, base_url, source_text, script_location_type, + options); // <spec step="25.2.A.2">Set the script's script to script.</spec> // @@ -690,10 +701,10 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // <spec label="fetch-an-inline-module-script-graph" step="1">Let script // be the result of creating a JavaScript module script using source // text, settings object, base URL, and options.</spec> - ModuleScript* module_script = JSModuleScript::Create( - ParkableString(element_->TextFromChildren().Impl()), nullptr, - ScriptSourceLocationType::kInline, modulator, source_url, base_url, - options, position); + ModuleScript* module_script = + JSModuleScript::Create(ParkableString(source_text.Impl()), nullptr, + ScriptSourceLocationType::kInline, modulator, + source_url, base_url, options, position); // <spec label="fetch-an-inline-module-script-graph" step="2">If script // is null, asynchronously complete this algorithm with null, and abort @@ -710,7 +721,8 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, MakeGarbageCollected<ModulePendingScriptTreeClient>(); modulator->FetchDescendantsForInlineScript( module_script, fetch_client_settings_object_fetcher, - mojom::RequestContextType::SCRIPT, module_tree_client); + mojom::RequestContextType::SCRIPT, + network::mojom::RequestDestination::kScript, module_tree_client); prepared_pending_script_ = MakeGarbageCollected<ModulePendingScript>( element_, module_tree_client, is_external_script_); break; @@ -756,7 +768,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, if (GetScriptType() == mojom::ScriptType::kClassic && element_->HasSourceAttribute() && context_document->GetFrame()->ShouldForceDeferScript() && - context_document->IsHTMLDocument() && parser_inserted_ && + IsA<HTMLDocument>(context_document) && parser_inserted_ && !element_->AsyncAttributeValue()) { // In terms of ScriptLoader flags, force deferred scripts behave like // parser-blocking scripts, except that |force_deferred_| is set. @@ -848,7 +860,7 @@ bool ScriptLoader::PrepareScript(const TextPosition& script_start_position, // Check for inline script that should be force deferred. if (context_document->GetFrame()->ShouldForceDeferScript() && - context_document->IsHTMLDocument() && parser_inserted_) { + IsA<HTMLDocument>(context_document) && parser_inserted_) { force_deferred_ = true; will_be_parser_executed_ = true; return true; @@ -927,7 +939,8 @@ void ScriptLoader::FetchModuleScriptTree( auto* module_tree_client = MakeGarbageCollected<ModulePendingScriptTreeClient>(); modulator->FetchTree(url, fetch_client_settings_object_fetcher, - mojom::RequestContextType::SCRIPT, options, + mojom::RequestContextType::SCRIPT, + network::mojom::RequestDestination::kScript, options, ModuleScriptCustomFetchType::kNone, module_tree_client); prepared_pending_script_ = MakeGarbageCollected<ModulePendingScript>( element_, module_tree_client, is_external_script_); @@ -962,7 +975,9 @@ void ScriptLoader::PendingScriptFinished(PendingScript* pending_script) { // memory cache not be in the HTTPCache. So we keep |resource_keep_alive_| to // keep the resource in the memory cache. if (resource_keep_alive_ && - !resource_keep_alive_->GetResponse().IsSignedExchangeInnerResponse()) { + !resource_keep_alive_->GetResponse().IsSignedExchangeInnerResponse() && + !base::FeatureList::IsEnabled( + blink::features::kKeepScriptResourceAlive)) { resource_keep_alive_ = nullptr; } @@ -1016,4 +1031,21 @@ ScriptLoader::GetPendingScriptIfControlledByScriptRunnerForCrossDocMove() { return pending_script_; } +String ScriptLoader::GetScriptText() const { + // Step 3 of + // https://w3c.github.io/webappsec-trusted-types/dist/spec/#abstract-opdef-prepare-the-script-url-and-text + // called from § 4.1.3.3, step 4 of + // https://w3c.github.io/webappsec-trusted-types/dist/spec/#slot-value-verification + // This will return the [[ScriptText]] internal slot value after that step, + // or a null string if the the Trusted Type algorithm threw an error. + String child_text_content = element_->ChildTextContent(); + DCHECK(!child_text_content.IsNull()); + String script_text_internal_slot = element_->ScriptTextInternalSlot(); + if (child_text_content == script_text_internal_slot) + return child_text_content; + return GetStringForScriptExecution(child_text_content, + element_->GetScriptElementType(), + element_->GetDocument().ContextDocument()); +} + } // namespace blink |