import changes from `dev' branch of rmottola/Arctic-Fox:

- Bug 1174323 - Disable screenClientXYConst subtest of pointerlock test on OS X. rs=KWierso (2d0db6d1b) - Bug 992096 - Implement Sub Resource Integrity [1/2]. r=baku,r=ckerschb (c30671ac0) - Bug 992096 - Implement Sub Resource Integrity [2/2]. r=ckerschb (0afc64d88) - Bug 1091883 - Added test, this is fixed by a fix to bug 1113438. r=sstamm CLOSED TREE (fd9a64b43) - Bug 1196740 - Consider redirects when looking for SRI-eligibility. r=ckerschb (5c749cdc9) - Bug 1202015 - Better document the SRI strings for translators. r=ckerschb (a7860e0fb) - Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r=ckerschb (ea451323d) - bit of Bug 1202902 - Mass replace toplevel 'let' with 'var' (a6e8a587d) - Bug 1208629 - Properly support data: and blob: URIs with an integrity atribute. r=ckerschb (6b2018fe4) - Bug 1140129 - Don't clear tab title when location changes (r=Mossop) (ca1945ba8) - Bug 1073462: Send synthetic property with Content:LocationChange message. r=felipe (1aa418acf) - bug 1165017 - annotate content process URL on location change. r=mconley (cdca4fa75) - Bug 1157561 - Add webRequest-like API to Firefox (r=Mossop) (546a57822) - Bug 1163861 - Include windowID in all WebRequest notifications (r=Mossop) (c140af560) - Bug 1171248 - Add MatchPattern support to WebRequest module (r=Mossop) (b09a05658)
2026-05-26 14:18:48 +00:00 · 2021-08-17 10:04:53 +08:00
parent 36ba256882
commit ebd6e6dc19
99 changed files with 3558 additions and 67 deletions
@@ -53,9 +53,21 @@

 #include "mozilla/Attributes.h"
 #include "mozilla/unused.h"
+#include "mozilla/dom/SRICheck.h"
+#include "nsIScriptError.h"

 static PRLogModuleInfo* gCspPRLog;

+static PRLogModuleInfo*
+GetSriLog()
+{
+  static PRLogModuleInfo *gSriPRLog;
+  if (!gSriPRLog) {
+    gSriPRLog = PR_NewLogModule("SRI");
+  }
+  return gSriPRLog;
+}
+
 using namespace mozilla;
 using namespace mozilla::dom;

@@ -626,7 +638,22 @@ nsScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)

    if (!request) {
      // no usable preload
-      request = new nsScriptLoadRequest(aElement, version, ourCORSMode);
+
+      SRIMetadata sriMetadata;
+      {
+        nsAutoString integrity;
+        scriptContent->GetAttr(kNameSpaceID_None, nsGkAtoms::integrity,
+                               integrity);
+        if (!integrity.IsEmpty()) {
+          MOZ_LOG(GetSriLog(), mozilla::LogLevel::Debug,
+                 ("nsScriptLoader::ProcessScriptElement, integrity=%s",
+                  NS_ConvertUTF16toUTF8(integrity).get()));
+          SRICheck::IntegrityMetadata(integrity, mDocument, &sriMetadata);
+        }
+      }
+
+      request = new nsScriptLoadRequest(aElement, version, ourCORSMode,
+                                        sriMetadata);
      request->mURI = scriptURI;
      request->mIsInline = false;
      request->mLoading = true;
@@ -740,7 +767,8 @@ nsScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)
  }

  // Inline scripts ignore ther CORS mode and are always CORS_NONE
-  request = new nsScriptLoadRequest(aElement, version, CORS_NONE);
+  request = new nsScriptLoadRequest(aElement, version, CORS_NONE,
+                                    SRIMetadata()); // SRI doesn't apply
  request->mJSVersion = version;
  request->mLoading = false;
  request->mIsInline = true;
@@ -1436,8 +1464,14 @@ nsScriptLoader::OnStreamComplete(nsIStreamLoader* aLoader,
  NS_ASSERTION(request, "null request in stream complete handler");
  NS_ENSURE_TRUE(request, NS_ERROR_FAILURE);

-  nsresult rv = PrepareLoadedRequest(request, aLoader, aStatus, aStringLen,
-                                     aString);
+  nsresult rv = NS_ERROR_SRI_CORRUPT;
+  if (request->mIntegrity.IsEmpty() ||
+      NS_SUCCEEDED(SRICheck::VerifyIntegrity(request->mIntegrity, aLoader,
+                                             request->mCORSMode, aStringLen,
+                                             aString, mDocument))) {
+    rv = PrepareLoadedRequest(request, aLoader, aStatus, aStringLen, aString);
+  }
+
  if (NS_FAILED(rv)) {
    /*
     * Handle script not loading error because source was a tracking URL.
@@ -1634,6 +1668,7 @@ void
 nsScriptLoader::PreloadURI(nsIURI *aURI, const nsAString &aCharset,
                           const nsAString &aType,
                           const nsAString &aCrossOrigin,
+                           const nsAString& aIntegrity,
                           bool aScriptFromHead,
                           const mozilla::net::ReferrerPolicy aReferrerPolicy)
 {
@@ -1642,9 +1677,18 @@ nsScriptLoader::PreloadURI(nsIURI *aURI, const nsAString &aCharset,
    return;
  }

+  SRIMetadata sriMetadata;
+  if (!aIntegrity.IsEmpty()) {
+    MOZ_LOG(GetSriLog(), mozilla::LogLevel::Debug,
+           ("nsScriptLoader::PreloadURI, integrity=%s",
+            NS_ConvertUTF16toUTF8(aIntegrity).get()));
+    SRICheck::IntegrityMetadata(aIntegrity, mDocument, &sriMetadata);
+  }
+
  nsRefPtr<nsScriptLoadRequest> request =
    new nsScriptLoadRequest(nullptr, 0,
-                            Element::StringToCORSMode(aCrossOrigin));
+                            Element::StringToCORSMode(aCrossOrigin),
+                            sriMetadata);
  request->mURI = aURI;
  request->mIsInline = false;
  request->mLoading = true;