Apply 'x-content-type-options' check to dynamically inserted script.

BUG=348581 Review URL: https://codereview.chromium.org/185593011 git-svn-id: svn://svn.chromium.org/blink/trunk@168570 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Apply 'x-content-type-options' check to dynamically inserted script.
BUG=348581 Review URL: https://codereview.chromium.org/185593011 git-svn-id: svn://svn.chromium.org/blink/trunk@168570 bbb929c8-8fbe-4397-9dbb-9b2b20218538
ed6f4545 · mkwst@chromium.org · 2c29c343 · ed6f4545 · ed6f4545 · ed6f4545
Commit ed6f4545 authored Mar 06, 2014 by mkwst@chromium.org
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt
+CONSOLE ERROR: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.
+Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.scriptsSuccessfullyLoaded is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
+<!DOCTYPE html>
+<html>
+<head>
+    <title>'X-Content-Type-Options: nosniff;' blocks scripts!</title>
+<body>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script>
+        description('Check that script sent with an \'X-Content-Type-Options: nosniff\' header is correctly blocked if the MIME type isn\'t scripty.');
+        window.jsTestIsAsync = true;
+
+        window.scriptsSuccessfullyLoaded = 0;
+
+        var s = document.createElement('script');
+        s.src = './resources/script-with-header.pl?mime=application/json';
+        document.querySelector('head').appendChild(s);
+
+        window.onload = function () {
+            shouldBe('window.scriptsSuccessfullyLoaded', '0');
+            finishJSTest();
+        };
+    </script>
+</body>
+</html>
--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
@@ -308,9 +308,12 @@ void ScriptLoader::executeScript(const ScriptSourceCode& sourceCode)
    if (!m_isExternalScript && (!shouldBypassMainWorldContentSecurityPolicy && !elementDocument->contentSecurityPolicy()->allowInlineScript(elementDocument->url(), m_startLineNumber)))
        return;

-    if (m_isExternalScript && m_resource && !m_resource->mimeTypeAllowedByNosniff()) {
-        contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + m_resource->url().elidedString() + "' because its MIME type ('" + m_resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
-        return;
+    if (m_isExternalScript) {
+        ScriptResource* resource = m_resource ? m_resource.get() : sourceCode.resource();
+        if (resource && !resource->mimeTypeAllowedByNosniff()) {
+            contextDocument->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Refused to execute script from '" + resource->url().elidedString() + "' because its MIME type ('" + resource->mimeType() + "') is not executable, and strict MIME type checking is enabled.");
+            return;
+        }
    }

    if (frame) {