[webkit-reviews] review granted: [Bug 148363] Implement Subresource Integrity (SRI) : [Attachment 308558] Patch
bugzilla-daemon at webkit.org
Fri Apr 28 11:56:20 PDT 2017
youenn fablet <youennf at gmail.com> has granted Sam Weinig <sam at webkit.org>'s
request for review:
Bug 148363: Implement Subresource Integrity (SRI)
https://bugs.webkit.org/show_bug.cgi?id=148363
Attachment 308558: Patch
https://bugs.webkit.org/attachment.cgi?id=308558&action=review
--- Comment #27 from youenn fablet <youennf at gmail.com> ---
Comment on attachment 308558
--> https://bugs.webkit.org/attachment.cgi?id=308558
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=308558&action=review
> Source/WebCore/Modules/fetch/FetchLoader.cpp:82
> + options.dataBufferingPolicy = options.integrity.isEmpty() ?
DoNotBufferData : BufferData;
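Review bot: the ternary on this line switches FetchLoader to BufferData for any non-empty options.integrity, and nothing in the hunk says why. A short comment that the digest can only be checked once the whole body has arrived would document the memory cost of buffering as a deliberate choice, and it should say whether a non-empty string with no usable hash entries is meant to pay that cost too.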
Do we need that change?
DTL should not send us the response before getting the full data anyway.
> Source/WebCore/bindings/js/CachedScriptFetcher.h:47
> + , m_integrityMetadata(integrityMetadata)
Should we try to move towards String&&?
If so, probably need to do that for all parameters.
Maybe future refactoring? Also the case for other parts of this patch.
> Source/WebCore/bindings/js/CachedScriptFetcher.h:61
> + String integrityMetadata() { return m_integrityMetadata; }
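Review bot: integrityMetadata() in CachedScriptFetcher.h is a non-const accessor that returns String by value. If the accessor stays, declaring it as const String& integrityMetadata() const lets it be called through a const CachedScriptFetcher and avoids a reference-count bump on every call.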
const probably, rename it to integrity() or the other side?
But do we need it?
> Source/WebCore/bindings/js/JSDOMBindingCaller.h:99
> +}
No need for that change. Please remove it.
> Source/WebCore/dom/LoadableClassicScript.cpp:105
> + }
I still think this is not the right place for these checks.
I don't know whether a FIXME about moving that to CachedResource/loader level
would be useful there.
> Source/WebCore/html/HTMLLinkElement.cpp:285
> + options.integrity = m_integrityMetadataForPendingSheetRequest;
It seems strange to do both setting this option here and keeping
m_integrityMetadataForPendingSheetRequest.
> Source/WebCore/loader/DocumentThreadableLoader.cpp:380
> + m_client->didReceiveData(m_resource->resourceBuffer()->data(),
m_resource->resourceBuffer()->size());
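Review bot: this call dereferences m_resource->resourceBuffer() twice with no null check. If resourceBuffer() can be null at this point, for example when the response body is empty, this crashes on a resource that should simply pass or fail the integrity check; fetch the buffer once into a local, test it, and call didReceiveData only when it is non-null.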
We should probably call didReceiveResponse and not
m_client->didReceiveResponse. cq- for that reason.
Can you add some CORS filtering+integrity tests?