Implement Subresource Integrity

Implemented response validation part of https://w3c.github.io/webappsec-subresource-integrity/. Implemented step eighteen of the main fetch. If a request has integrity metadata, then following steps are performed *Wait for response body *If the response does not have a termination reason and response does not match request’s integrity metadata, set response to a network error.# Please enter the commit message for your changes. Lines starting
2025-07-22 06:43:40 +01:00 · 2017-01-08 08:52:18 +05:30 · 2017-01-08 08:52:18 +05:30 · a3026499f4
commit a3026499f4
parent 496447a363
19 changed files with 439 additions and 260 deletions
--- a/components/script/dom/htmlscriptelement.rs
+++ b/components/script/dom/htmlscriptelement.rs
@ -40,7 +40,6 @@ use std::ascii::AsciiExt;
 use std::cell::Cell;
 use std::sync::{Arc, Mutex};
 use style::str::{HTML_SPACE_CHARACTERS, StaticStringVec};
-
 #[dom_struct]
 pub struct HTMLScriptElement {
    htmlelement: HTMLElement,
@ -221,6 +220,7 @@ impl PreInvoke for ScriptContext {}
 fn fetch_a_classic_script(script: &HTMLScriptElement,
                          url: ServoUrl,
                          cors_setting: Option<CorsSettings>,
+                          integrity_metadata: String,
                          character_encoding: EncodingRef) {
    let doc = document_from_node(script);

@ -245,6 +245,7 @@ fn fetch_a_classic_script(script: &HTMLScriptElement,
        pipeline_id: Some(script.global().pipeline_id()),
        referrer_url: Some(doc.url()),
        referrer_policy: doc.get_referrer_policy(),
+        integrity_metadata: integrity_metadata,
        .. RequestInit::default()
    };

@ -365,7 +366,13 @@ impl HTMLScriptElement {

        // TODO: Step 15: Nonce.

-        // TODO: Step 16: Parser state.
+        // Step 16: Integrity Metadata
+        let im_attribute = element.get_attribute(&ns!(), &local_name!("integrity"));
+        let integrity_val = im_attribute.r().map(|a| a.value());
+        let integrity_metadata = match integrity_val {
+            Some(ref value) => &***value,
+            None => "",
+        };

        // TODO: Step 17: environment settings object.

@ -393,7 +400,7 @@ impl HTMLScriptElement {
                };

                // Step 18.6.
-                fetch_a_classic_script(self, url, cors_setting, encoding);
+                fetch_a_classic_script(self, url, cors_setting, integrity_metadata.to_owned(), encoding);

                true
            },
@ -675,6 +682,11 @@ impl HTMLScriptElementMethods for HTMLScriptElement {
    // https://html.spec.whatwg.org/multipage/#dom-script-defer
    make_bool_setter!(SetDefer, "defer");

+    // https://html.spec.whatwg.org/multipage/#dom-script-integrity
+    make_getter!(Integrity, "integrity");
+    // https://html.spec.whatwg.org/multipage/#dom-script-integrity
+    make_setter!(SetIntegrity, "integrity");
+
    // https://html.spec.whatwg.org/multipage/#dom-script-event
    make_getter!(Event, "event");
    // https://html.spec.whatwg.org/multipage/#dom-script-event