ScriptControllerBase.cpp 4.91 KB
/*
 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
 *  Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2 of the License, or (at your option) any later version.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */

#include "config.h"
#include "ScriptController.h"

#include "ContentSecurityPolicy.h"
#include "Document.h"
#include "DocumentLoader.h"
#include "Frame.h"
#include "FrameLoader.h"
#include "FrameLoaderClient.h"
#include "Page.h"
#include "ScriptSourceCode.h"
#include "ScriptValue.h"
#include "SecurityOrigin.h"
#include "Settings.h"
#include "UserGestureIndicator.h"
#include <wtf/text/TextPosition.h>

namespace WebCore {

// Decides whether script may run in this controller's frame.
//
// |reason| does not influence the decision; it only selects whether a refusal
// is reported (console message for the sandbox case, didNotAllowScript() for
// the client case), which happens when it equals AboutToExecuteScript.
//
// Order of the checks, as written below:
//   1. a document sandboxed with SandboxScripts is always refused;
//   2. a view-source document is always allowed;
//   3. otherwise the FrameLoaderClient decides, given the script setting.
bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
{
    Document* document = m_frame->document();
    const bool reportRefusal = reason == AboutToExecuteScript;

    // The sandbox check comes first, so neither the view-source branch nor the
    // client can re-enable script for a sandboxed document.
    if (document && document->isSandboxed(SandboxScripts)) {
        // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
        if (reportRefusal)
            document->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Blocked script execution in '" + document->url().stringCenterEllipsizedToLength() + "' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.");
        return false;
    }

    // View-source documents skip the settings/client check entirely; the only
    // guard is a debug assertion that their security origin is unique.
    if (document && document->isViewSource()) {
        ASSERT(document->securityOrigin()->isUnique());
        return true;
    }

    // The client gets the final say and is told whether the script setting is
    // enabled; missing settings are reported to it as "disabled".
    Settings* settings = m_frame->settings();
    const bool scriptEnabledInSettings = settings && settings->isScriptEnabled();
    if (m_frame->loader().client()->allowScript(scriptEnabledInSettings))
        return true;

    if (reportRefusal)
        m_frame->loader().client()->didNotAllowScript();
    return false;
}

// Wraps |script| in a ScriptSourceCode attributed to the current document's
// URL and runs it through the ScriptSourceCode overload.
//
// |forceUserGesture| selects DefinitelyProcessingUserGesture instead of
// PossiblyProcessingUserGesture for the gesture indicator that stays in scope
// for the whole call.
ScriptValue ScriptController::executeScript(const String& script, bool forceUserGesture)
{
    UserGestureIndicator gestureIndicator(forceUserGesture ? DefinitelyProcessingUserGesture : PossiblyProcessingUserGesture);

    // NOTE(review): document() is dereferenced here without the null check
    // that canExecuteScripts() performs - confirm that callers guarantee a
    // document is attached before reaching this point.
    const ScriptSourceCode sourceCode(script, m_frame->document()->url());
    return executeScript(sourceCode);
}

// Evaluates |sourceCode| if script is currently permitted and the controller
// is not paused; otherwise returns a default-constructed ScriptValue.
//
// canExecuteScripts() is called with AboutToExecuteScript, so a refusal is
// reported by that function.
ScriptValue ScriptController::executeScript(const ScriptSourceCode& sourceCode)
{
    if (!canExecuteScripts(AboutToExecuteScript))
        return ScriptValue();
    if (isPaused())
        return ScriptValue();

    // Running script can destroy the frame, and with it this ScriptController,
    // so hold a reference to the frame until evaluate() has returned.
    RefPtr<Frame> frameProtector(m_frame);
    return evaluate(sourceCode);
}

// Handles |url| when it is a javascript: URL.
//
// Returns false only when |url| is not a javascript: URL. Every other path
// returns true, including the paths on which no script ran (frame without a
// page, or Content Security Policy refusing javascript: URLs), so a true
// result does not mean that script was executed.
//
// When the script yields a value that getString() can extract and
// |shouldReplaceDocumentIfJavaScriptURL| is ReplaceDocumentIfJavaScriptURL,
// the frame's document is replaced with that string.
bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL)
{
    if (!protocolIsJavaScript(url))
        return false;

    // No page: nothing is executed, but the URL still counts as handled.
    if (!m_frame->page())
        return true;

    // Content Security Policy gate. It runs before the URL is decoded or any
    // script is executed, so a refusal leaves the document untouched.
    if (!m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame->document()->url(), eventHandlerPosition().m_line))
        return true;

    // Executing script can destroy the frame, so keep it alive for the rest of
    // this function.
    RefPtr<Frame> frameProtector(m_frame);

    // Captured before the script runs and handed to replaceDocument() below.
    // NOTE(review): presumably so the replacement is tied to the document that
    // was current when the URL was evaluated rather than to whatever document
    // the script leaves behind - confirm against DocumentWriter::replaceDocument.
    RefPtr<Document> ownerDocument(m_frame->document());

    // The script text is the percent-decoded URL with the "javascript:" prefix
    // dropped.
    const int javascriptSchemeLength = sizeof("javascript:") - 1;
    const String scriptBody = decodeURLEscapeSequences(url.string()).substring(javascriptSchemeLength);
    ScriptValue result = executeScript(scriptBody);

    // If executing script caused this frame to be removed from the page, we
    // don't want to try to replace its document!
    if (!m_frame->page())
        return true;

    // Without a string from getString() there is nothing to write into a
    // replacement document.
    String scriptResult;
    JSC::ExecState* exec = windowShell(mainThreadNormalWorld())->window()->globalExec();
    if (!result.getString(exec, scriptResult))
        return true;

    // FIXME: We should always replace the document, but doing so
    //        synchronously can cause crashes:
    //        http://bugs.webkit.org/show_bug.cgi?id=16782
    if (shouldReplaceDocumentIfJavaScriptURL != ReplaceDocumentIfJavaScriptURL)
        return true;

    // We're still in a frame, so there should be a DocumentLoader.
    ASSERT(m_frame->document()->loader());

    // DocumentWriter::replaceDocument can cause the DocumentLoader to get
    // deref'ed and possibly destroyed, so protect it with a RefPtr. The null
    // test also covers builds in which the assertion above is compiled out.
    if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
        loader->writer()->replaceDocument(scriptResult, ownerDocument.get());
    return true;
}

} // namespace WebCore