jochen at chromium.org
Tue Mar 19 15:12:32 PDT 2013
On Tue, Mar 19, 2013 at 2:50 PM, Geoffrey Garen <ggaren at apple.com> wrote:
> Hi Jochen.
> Adam also cited the Chromium WebKit
>> allowScriptFromSource/didNotAllowScript API.
>> From looking at how it hooks into WebCore, it appears to require the
>> decision to execute a script to be dynamic, even when scripting is
>> generally disabled.
> We implement a rule system (called content settings) where script
> execution (but also e.g. cookies) can be controlled depending on the
> security origin of the frame, and the security origin of the main frame.
> This allows for allow scripts from the main frame's security origin to run,
> while third-party scripts are blocked.
> To clarify, do you expect both allowScriptFromSource and didNotAllowScript
> but allowScriptFromSource returns true, do you expect the script to execute
> or not?
What can happen is that in ScriptElement::prepareScript() the call to
canExecuteScript (which calls allowScript internally) returns false. In
that case, we don't load the external script, and so allowScriptFromSource
is not invoked. didNotAllowScript however was already invoked by
canExecuteScript after allowScript returned false.
Does that answer your question?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the webkit-dev