fix integrity cases

Author: guybedford

lib/global-eval.js

@@ -51,25 +51,68 @@ var __exec;
   // System clobbering protection (mostly for Traceur)
   var curSystem;
   var callCounter = 0;
+  function preExec(loader, load) {
+    if (callCounter++ == 0)
+      curSystem = __global.System;
+    __global.System = __global.SystemJS = loader; 
+  }
+  function postExec() {
+    if (--callCounter == 0)
+      __global.System = __global.SystemJS = curSystem;
+    curLoad = undefined;
+  }
+
   __exec = function(load) {
-    if (load.metadata.integrity)
-      throw new TypeError('Subresource integrity checking is only supported on modules with scriptLoad:true metadata or through the SystemCSP build.');
+    if ((load.metadata.integrity || load.metadata.nonce) && supportsScriptExec)
+      return scriptExec.call(this, load);
     try {
-      if (callCounter++ == 0)
-        curSystem = __global.System;
-      __global.System = __global.SystemJS = this;
+      preExec(this, load);
       curLoad = load;
       (0, eval)(getSource(load));
-      if (--callCounter == 0)
-        __global.System = __global.SystemJS = curSystem;
-      curLoad = undefined;
+      postExec();
     }
     catch(e) {
-      if (--callCounter == 0)
-        __global.System = __global.SystemJS = curSystem;
-      curLoad = undefined;
+      postExec(); 
       throw addToError(e, 'Evaluating ' + load.address);
     }
   };
 
+  var supportsScriptExec = false;
+  if (isBrowser && typeof document != 'undefined' && document.getElementsByTagName) {
+    var scripts = document.getElementsByTagName('script');
+    $__curScript = scripts[scripts.length - 1];
+
+    if (!(window.chrome && window.chrome.extension || navigator.userAgent.match(/^Node\.js/)))
+      supportsScriptExec = true;
+  }
+
+  // script execution via injecting a script tag into the page
+  // this allows CSP integrity and nonce to be set for CSP environments
+  var head;
+  function scriptExec(load) {
+    if (!head)
+      head = document.head || document.body || document.documentElement;
+
+    var script = document.createElement('script');
+    script.text = getSource(load, false);
+    var onerror = window.onerror;
+    var e;
+    window.onerror = function(_e) {
+      e = addToError(_e, 'Evaluating ' + load.address);
+    }
+    preExec(this, load);
+
+    if (load.metadata.integrity)
+      script.setAttribute('integrity', load.metadata.integrity);
+    if (load.metadata.nonce)
+      script.setAttribute('nonce', load.metadata.nonce);
+
+    head.appendChild(script);
+    head.removeChild(script);
+    postExec();
+    window.onerror = onerror;
+    if (e)
+      throw e;
+  }
+
 })();

test/test-csp-inline.html

@@ -43,7 +43,14 @@ <h2 id="qunit-userAgent"></h2>
         });
       });
 
-      asyncTest('Importing a script without a nonce', function() {
+      asyncTest('Importing a script with a bad nonce', function() {
+        System.config({
+          meta: {
+            'tests/csp/nonce2.js': {
+              nonce: 'asdf'
+            }
+          }
+        });
         System['import']('tests/csp/nonce2.js').then(function(m) {
           ok(m.nonce !== 'ab');
           start();