Auto merge of #14865 - mrnayak:sri-fetch, r=jdm

Implement Subresource Integrity

Implemented response validation part of https://w3c.github.io/webappsec-subresource-integrity/.
Implemented step eighteen of the main fetch. If a request has integrity metadata, then following steps are performed
1) Wait for response body
2) If the response does not have a termination reason and response does not match request’s integrity metadata, set response and internalResponse to a network error.

Dependency updated: html5ever-atoms from 0.1.2 to 0.1.3. This will not completely fix #14523; it implements the changes related to response validation. The request validation algorithm implementation needs CSP.

I did not update any WPT-Test. In my local system, I found some assertion issue dependent on the order of execution of test-case. It would be helpful if someone could do "try" build on these changes to get wpt results.

r? @jdm
<!-- Please describe your changes on the following line: -->

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors

<!-- Either: -->
- [X] There are tests for these changes

<!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/14865)
<!-- Reviewable:end -->
bors-servo 2017-01-07 23:14:37 -08:00 committed by GitHub
commit f958dafcae
19 changed files with 439 additions and 260 deletions


@ -243,16 +243,24 @@ impl HTMLLinkElement {
Some(ref value) => &***value,
None => "",
};
let mut css_parser = CssParser::new(&mq_str);
let media = parse_media_query_list(&mut css_parser);
let im_attribute = element.get_attribute(&ns!(), &local_name!("integrity"));
let integrity_val = im_attribute.r().map(|a| a.value());
let integrity_metadata = match integrity_val {
Some(ref value) => &***value,
None => "",
};
// TODO: #8085 - Don't load external stylesheets if the node's mq
// doesn't match.
let loader = StylesheetLoader::for_element(self.upcast());
loader.load(StylesheetContextSource::LinkElement {
url: url,
media: Some(media),
});
}, integrity_metadata.to_owned());
}
fn handle_favicon_url(&self, rel: &str, href: &str, sizes: &Option<String>) {
@ -328,6 +336,12 @@ impl HTMLLinkElementMethods for HTMLLinkElement {
// https://html.spec.whatwg.org/multipage/#dom-link-media
make_setter!(SetMedia, "media");
// https://html.spec.whatwg.org/multipage/#dom-link-integrity
make_getter!(Integrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-link-integrity
make_setter!(SetIntegrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-link-hreflang
make_getter!(Hreflang, "hreflang");
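Review bot: The integrity lookup in the first hunk (`get_attribute(&ns!(), &local_name!("integrity"))` followed by `match integrity_val { Some(ref value) => &***value, None => "" }`) is repeated line for line in the script element's prepare step, so the two elements can drift apart in how they read security-relevant metadata. A small shared helper that returns the attribute value as an owned `String`, empty when the attribute is absent, would replace both copies and remove the `&***value` borrow and the later `.to_owned()`. A comment such as `// Empty integrity metadata means no SRI check is requested.` would show that the `""` fallback is deliberate, assuming the fetch side treats it that way, which is not visible here. The enclosing function starts before the hunk.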


@ -40,7 +40,6 @@ use std::ascii::AsciiExt;
use std::cell::Cell;
use std::sync::{Arc, Mutex};
use style::str::{HTML_SPACE_CHARACTERS, StaticStringVec};
#[dom_struct]
pub struct HTMLScriptElement {
htmlelement: HTMLElement,
@ -221,6 +220,7 @@ impl PreInvoke for ScriptContext {}
fn fetch_a_classic_script(script: &HTMLScriptElement,
url: ServoUrl,
cors_setting: Option<CorsSettings>,
integrity_metadata: String,
character_encoding: EncodingRef) {
let doc = document_from_node(script);
@ -245,6 +245,7 @@ fn fetch_a_classic_script(script: &HTMLScriptElement,
pipeline_id: Some(script.global().pipeline_id()),
referrer_url: Some(doc.url()),
referrer_policy: doc.get_referrer_policy(),
integrity_metadata: integrity_metadata,
.. RequestInit::default()
};
@ -365,7 +366,13 @@ impl HTMLScriptElement {
// TODO: Step 15: Nonce.
// TODO: Step 16: Parser state.
// Step 16: Integrity Metadata
let im_attribute = element.get_attribute(&ns!(), &local_name!("integrity"));
let integrity_val = im_attribute.r().map(|a| a.value());
let integrity_metadata = match integrity_val {
Some(ref value) => &***value,
None => "",
};
// TODO: Step 17: environment settings object.
@ -393,7 +400,7 @@ impl HTMLScriptElement {
};
// Step 18.6.
fetch_a_classic_script(self, url, cors_setting, encoding);
fetch_a_classic_script(self, url, cors_setting, integrity_metadata.to_owned(), encoding);
true
},
@ -675,6 +682,11 @@ impl HTMLScriptElementMethods for HTMLScriptElement {
// https://html.spec.whatwg.org/multipage/#dom-script-defer
make_bool_setter!(SetDefer, "defer");
// https://html.spec.whatwg.org/multipage/#dom-script-integrity
make_getter!(Integrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-script-integrity
make_setter!(SetIntegrity, "integrity");
// https://html.spec.whatwg.org/multipage/#dom-script-event
make_getter!(Event, "event");
// https://html.spec.whatwg.org/multipage/#dom-script-event
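Review bot: `fetch_a_classic_script` now takes both `cors_setting: Option<CorsSettings>` and `integrity_metadata`, but nothing visible here covers the case where `integrity` is set and `crossorigin` is absent. In that case the request is presumably no-cors and a cross-origin response is opaque; the SRI spec treats such a response as not eligible for integrity validation, so the load has to fail rather than skip the check. The validation code is outside this section, so please confirm it handles that case and that a test covers it. Separately, the new `// Step 16: Integrity Metadata` comment follows `// TODO: Step 16: Parser state.`, so one of the two step numbers looks stale.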


@ -11,6 +11,7 @@ interface HTMLLinkElement : HTMLElement {
attribute DOMString media;
attribute DOMString hreflang;
attribute DOMString type;
attribute DOMString integrity;
// [SameObject, PutForwards=value] readonly attribute DOMTokenList sizes;
// also has obsolete members


@ -12,6 +12,7 @@ interface HTMLScriptElement : HTMLElement {
attribute DOMString? crossOrigin;
[Pure]
attribute DOMString text;
attribute DOMString integrity;
// also has obsolete members
};