Implement Subresource Integrity

Implemented the response validation part of
https://w3c.github.io/webappsec-subresource-integrity/.
Implemented step eighteen of the main fetch. If a request has integrity
metadata, then the following steps are performed:
* Wait for the response body.
* If the response does not have a termination reason and the response does not
match the request’s integrity metadata, set the response to a
network error.
mrnayak 2017-01-08 08:52:18 +05:30
parent 496447a363
commit a3026499f4
19 changed files with 439 additions and 260 deletions


@ -243,16 +243,24 @@ impl HTMLLinkElement {
Some(ref value) => &***value,
None => "",
};
let mut css_parser = CssParser::new(&mq_str);
let media = parse_media_query_list(&mut css_parser);
let im_attribute = element.get_attribute(&ns!(), &local_name!("integrity"));
let integrity_val = im_attribute.r().map(|a| a.value());
let integrity_metadata = match integrity_val {
Some(ref value) => &***value,
None => "",
};
// TODO: #8085 - Don't load external stylesheets if the node's mq
// doesn't match.
let loader = StylesheetLoader::for_element(self.upcast());
loader.load(StylesheetContextSource::LinkElement {
url: url,
media: Some(media),
});
}, integrity_metadata.to_owned());
}
fn handle_favicon_url(&self, rel: &str, href: &str, sizes: &Option<String>) {
@ -328,6 +336,12 @@ impl HTMLLinkElementMethods for HTMLLinkElement {
// https://html.spec.whatwg.org/multipage/#dom-link-media
make_setter!(SetMedia, "media");
// https://html.spec.whatwg.org/multipage/#dom-link-integrity
make_getter!(Integrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-link-integrity
make_setter!(SetIntegrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-link-hreflang
make_getter!(Hreflang, "hreflang");
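Review bot: The integrity extraction in the first hunk folds "attribute absent" and "attribute present but empty" into the same `""` value through a `match` on `&***value`, and only converts to an owned `String` later at the `loader.load(...)` call. The same five lines are repeated in the HTMLScriptElement prepare hunk. A single expression along the lines of `let integrity_metadata = integrity_val.map_or(String::new(), |v| (**v).to_owned());` would be easier to read, ideally in one helper shared by both elements so the two call sites cannot drift apart. Since the empty string appears to be what disables verification downstream (the fetch code is not shown in this section), add a comment saying so, such as `// Empty metadata means no integrity check is requested.` The enclosing function starts before this hunk.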


@ -40,7 +40,6 @@ use std::ascii::AsciiExt;
use std::cell::Cell;
use std::sync::{Arc, Mutex};
use style::str::{HTML_SPACE_CHARACTERS, StaticStringVec};
#[dom_struct]
pub struct HTMLScriptElement {
htmlelement: HTMLElement,
@ -221,6 +220,7 @@ impl PreInvoke for ScriptContext {}
fn fetch_a_classic_script(script: &HTMLScriptElement,
url: ServoUrl,
cors_setting: Option<CorsSettings>,
integrity_metadata: String,
character_encoding: EncodingRef) {
let doc = document_from_node(script);
@ -245,6 +245,7 @@ fn fetch_a_classic_script(script: &HTMLScriptElement,
pipeline_id: Some(script.global().pipeline_id()),
referrer_url: Some(doc.url()),
referrer_policy: doc.get_referrer_policy(),
integrity_metadata: integrity_metadata,
.. RequestInit::default()
};
@ -365,7 +366,13 @@ impl HTMLScriptElement {
// TODO: Step 15: Nonce.
// TODO: Step 16: Parser state.
// Step 16: Integrity Metadata
let im_attribute = element.get_attribute(&ns!(), &local_name!("integrity"));
let integrity_val = im_attribute.r().map(|a| a.value());
let integrity_metadata = match integrity_val {
Some(ref value) => &***value,
None => "",
};
// TODO: Step 17: environment settings object.
@ -393,7 +400,7 @@ impl HTMLScriptElement {
};
// Step 18.6.
fetch_a_classic_script(self, url, cors_setting, encoding);
fetch_a_classic_script(self, url, cors_setting, integrity_metadata.to_owned(), encoding);
true
},
@ -675,6 +682,11 @@ impl HTMLScriptElementMethods for HTMLScriptElement {
// https://html.spec.whatwg.org/multipage/#dom-script-defer
make_bool_setter!(SetDefer, "defer");
// https://html.spec.whatwg.org/multipage/#dom-script-integrity
make_getter!(Integrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-script-integrity
make_setter!(SetIntegrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-script-event
make_getter!(Event, "event");
// https://html.spec.whatwg.org/multipage/#dom-script-event
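Review bot: The new comment `// Step 16: Integrity Metadata` sits directly under `// TODO: Step 16: Parser state.`, so two different steps carry the same number and cannot be mapped back to the spec's prepare-a-script algorithm. One of the two should be renumbered against the current spec text; I have not verified which one is stale. A short comment at the `fetch_a_classic_script` call would also help, for example `// An integrity mismatch comes back from fetch as a network error, so the script is never executed.` That behaviour is inferred from the commit message, because the fetch code is not in this section. The prepare function starts and ends outside these hunks.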


@ -11,6 +11,7 @@ interface HTMLLinkElement : HTMLElement {
attribute DOMString media;
attribute DOMString hreflang;
attribute DOMString type;
attribute DOMString integrity;
// [SameObject, PutForwards=value] readonly attribute DOMTokenList sizes;
// also has obsolete members


@ -12,6 +12,7 @@ interface HTMLScriptElement : HTMLElement {
attribute DOMString? crossOrigin;
[Pure]
attribute DOMString text;
attribute DOMString integrity;
// also has obsolete members
};


@ -193,7 +193,7 @@ impl<'a> StylesheetLoader<'a> {
}
impl<'a> StylesheetLoader<'a> {
pub fn load(&self, source: StylesheetContextSource) {
pub fn load(&self, source: StylesheetContextSource, integrity_metadata: String) {
let url = source.url();
let document = document_from_node(self.elem);
let context = Arc::new(Mutex::new(StylesheetContext {
@ -234,6 +234,7 @@ impl<'a> StylesheetLoader<'a> {
pipeline_id: Some(self.elem.global().pipeline_id()),
referrer_url: Some(document.url()),
referrer_policy: referrer_policy,
integrity_metadata: integrity_metadata,
.. RequestInit::default()
};
@ -243,6 +244,6 @@ impl<'a> StylesheetLoader<'a> {
impl<'a> StyleStylesheetLoader for StylesheetLoader<'a> {
fn request_stylesheet(&self, import: &Arc<RwLock<ImportRule>>) {
self.load(StylesheetContextSource::Import(import.clone()))
self.load(StylesheetContextSource::Import(import.clone()), "".to_owned())
}
}
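Review bot: `request_stylesheet` passes `"".to_owned()` for `@import` rules, so a sheet imported by an integrity-protected `<link>` stylesheet is fetched with no verification. That is consistent with SRI covering only the resource named by the element, but it is a gap readers will not expect. It should be stated at the call site: `// @import carries no integrity metadata; imported sheets are not verified even when the parent link was.` Separately, `load` takes a bare `String` in which empty means "no check", which makes it easy for a future caller to skip verification by accident. A named constant for the empty case, or an `Option<String>` converted just before `RequestInit` is built, would make the opt-out explicit.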