Use more smart pointers for ContentSecurityPolicy

https://bugs.webkit.org/show_bug.cgi?id=264261 Reviewed by Brent Fulgham. * Source/WebCore/Modules/beacon/NavigatorBeacon.cpp: (WebCore::NavigatorBeacon::sendBeacon): * Source/WebCore/Modules/fetch/FetchLoader.cpp: (WebCore::FetchLoader::start): * Source/WebCore/Modules/websockets/WebSocket.cpp: (WebCore::WebSocket::connect): * Source/WebCore/bindings/js/CachedScriptFetcher.cpp: (WebCore::CachedScriptFetcher::requestScriptWithCache const): * Source/WebCore/bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::reportViolationForUnsafeEval): * Source/WebCore/bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::handleEvent): * Source/WebCore/bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction const): * Source/WebCore/bindings/js/ScriptController.cpp: (WebCore::ScriptController::initScriptForWindowProxy): (WebCore::ScriptController::protectedFrame const): (WebCore::ScriptController::executeJavaScriptURL): * Source/WebCore/bindings/js/ScriptController.h: * Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp: (WebCore::WorkerModuleScriptLoader::~WorkerModuleScriptLoader): (WebCore::WorkerModuleScriptLoader::load): (WebCore::WorkerModuleScriptLoader::protectedScriptLoader): * Source/WebCore/bindings/js/WorkerModuleScriptLoader.h: * Source/WebCore/dom/Document.cpp: (WebCore::Document::processBaseElement): (WebCore::Document::processMetaHttpEquiv): (WebCore::Document::initSecurityContext): (WebCore::Document::initContentSecurityPolicy): (WebCore::Document::applyQuickLookSandbox): * Source/WebCore/dom/Element.cpp: (WebCore::Element::hideNonceSlow): * Source/WebCore/dom/InlineStyleSheetOwner.cpp: (WebCore::InlineStyleSheetOwner::createSheet): * Source/WebCore/dom/ScriptElement.cpp: (WebCore::ScriptElement::requestClassicScript): (WebCore::ScriptElement::requestModuleScript): (WebCore::ScriptElement::requestImportMap): (WebCore::ScriptElement::executeClassicScript): (WebCore::ScriptElement::registerImportMap): * Source/WebCore/dom/StyledElement.cpp: (WebCore::StyledElement::styleAttributeChanged): * Source/WebCore/html/HTMLLinkElement.cpp: (WebCore::HTMLLinkElement::process): * Source/WebCore/html/HTMLMediaElement.cpp: (WebCore::isAllowedToLoadMediaURL): * Source/WebCore/html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::canLoadPlugInContent const): * Source/WebCore/html/HTMLTrackElement.cpp: (WebCore::HTMLTrackElement::canLoadURL): * Source/WebCore/html/parser/HTMLResourcePreloader.cpp: (WebCore::PreloadRequest::resourceRequest): * Source/WebCore/loader/DocumentThreadableLoader.cpp: (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): (WebCore::DocumentThreadableLoader::checkedContentSecurityPolicy const): * Source/WebCore/loader/DocumentThreadableLoader.h: * Source/WebCore/loader/FormSubmission.cpp: (WebCore::FormSubmission::create): * Source/WebCore/loader/FrameLoader.cpp: (WebCore::FrameLoader::clear): (WebCore::FrameLoader::didBeginDocument): (WebCore::FrameLoader::checkIfFormActionAllowedByCSP const): (WebCore::FrameLoader::loadPostRequest): (WebCore::FrameLoader::loadResourceSynchronously): (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy): (WebCore::createWindow): * Source/WebCore/loader/MixedContentChecker.cpp: (WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent): (WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent): * Source/WebCore/loader/PingLoader.cpp: (WebCore::PingLoader::loadImage): (WebCore::PingLoader::sendPing): (WebCore::PingLoader::sendViolationReport): * Source/WebCore/loader/PolicyChecker.cpp: (WebCore::isAllowedByContentSecurityPolicy): * Source/WebCore/loader/SubframeLoader.cpp: (WebCore::canLoadJavaScriptURL): (WebCore::FrameLoader::SubframeLoader::requestObject): (WebCore::FrameLoader::SubframeLoader::loadOrRedirectSubframe): * Source/WebCore/loader/WorkerThreadableLoader.cpp: (WebCore::m_contextIdentifier): * Source/WebCore/loader/appcache/ApplicationCacheHost.cpp: (WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): * Source/WebCore/loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const): * Source/WebCore/loader/cache/CachedResourceRequest.cpp: (WebCore::upgradeInsecureResourceRequestIfNeeded): * Source/WebCore/page/EventSource.cpp: (WebCore::EventSource::create): * Source/WebCore/page/LocalDOMWindow.cpp: (WebCore::LocalDOMWindow::setTimeout): (WebCore::LocalDOMWindow::setInterval): (WebCore::LocalDOMWindow::setLocation): * Source/WebCore/workers/AbstractWorker.cpp: (WebCore::AbstractWorker::resolveURL): * Source/WebCore/workers/Worker.cpp: (WebCore::Worker::notifyFinished): * Source/WebCore/workers/WorkerGlobalScope.cpp: (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): (WebCore::WorkerGlobalScope::setTimeout): (WebCore::WorkerGlobalScope::setInterval): (WebCore::WorkerGlobalScope::importScripts): * Source/WebCore/workers/service/ServiceWorkerContainer.cpp: (WebCore::ServiceWorkerContainer::addRegistration): * Source/WebCore/workers/service/background-fetch/BackgroundFetchManager.cpp: (WebCore::BackgroundFetchManager::fetch): * Source/WebCore/workers/shared/SharedWorker.cpp: (WebCore::SharedWorker::create): * Source/WebCore/worklets/Worklet.cpp: (WebCore::Worklet::addModule): * Source/WebCore/xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::open): (WebCore::XMLHttpRequest::prepareToSend): * Source/WebCore/xml/XSLTProcessor.cpp: (WebCore::XSLTProcessor::createDocumentFromSource): * Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp: (WebKit::NetworkLoadChecker::checkRequest): (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy): Canonical link: https://commits.webkit.org/270359@main
WebKit · Nov 8, 2023 · e892b0c · e892b0c
1 parent cbf8b32
commit e892b0c
Show file tree

Hide file tree

Showing 47 changed files with 265 additions and 219 deletions.
diff --git a/Source/WebCore/Modules/beacon/NavigatorBeacon.cpp b/Source/WebCore/Modules/beacon/NavigatorBeacon.cpp
@@ -29,6 +29,7 @@
 #include "CachedRawResource.h"
 #include "CachedResourceLoader.h"
 #include "Document.h"
+#include "DocumentInlines.h"
 #include "DocumentLoader.h"
 #include "FrameDestructionObserverInlines.h"
 #include "HTTPParsers.h"
@@ -115,8 +116,7 @@ ExceptionOr<bool> NavigatorBeacon::sendBeacon(Document& document, const String&
     if (!document.frame())
         return false;
 
-    auto& contentSecurityPolicy = *document.contentSecurityPolicy();
-    if (!document.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(parsedUrl)) {
+    if (!document.shouldBypassMainWorldContentSecurityPolicy() && !document.checkedContentSecurityPolicy()->allowConnectToSource(parsedUrl)) {
         // We simulate a network error so we return true here. This is consistent with Blink.
         return true;
     }
@@ -153,7 +153,7 @@ ExceptionOr<bool> NavigatorBeacon::sendBeacon(Document& document, const String&
         }
     }
 
-    auto cachedResource = document.cachedResourceLoader().requestBeaconResource({ WTFMove(request), options });
+    auto cachedResource = document.protectedCachedResourceLoader()->requestBeaconResource({ WTFMove(request), options });
     if (!cachedResource) {
         logError(cachedResource.error());
         return false;

diff --git a/Source/WebCore/Modules/fetch/FetchLoader.cpp b/Source/WebCore/Modules/fetch/FetchLoader.cpp
@@ -97,13 +97,15 @@ void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& req
     ResourceRequest fetchRequest = request.resourceRequest();
 
     ASSERT(context.contentSecurityPolicy());
-    auto& contentSecurityPolicy = *context.contentSecurityPolicy();
+    {
+        CheckedRef contentSecurityPolicy = *context.contentSecurityPolicy();
 
-    contentSecurityPolicy.upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+        contentSecurityPolicy->upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
 
-    if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(fetchRequest.url())) {
-        m_client.didFail({ errorDomainWebKitInternal, 0, fetchRequest.url(), "Not allowed by ContentSecurityPolicy"_s, ResourceError::Type::AccessControl });
-        return;
+        if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy->allowConnectToSource(fetchRequest.url())) {
+            m_client.didFail({ errorDomainWebKitInternal, 0, fetchRequest.url(), "Not allowed by ContentSecurityPolicy"_s, ResourceError::Type::AccessControl });
+            return;
+        }
     }
 
     String referrer = request.internalRequestReferrer();

diff --git a/Source/WebCore/Modules/websockets/WebSocket.cpp b/Source/WebCore/Modules/websockets/WebSocket.cpp
@@ -253,9 +253,9 @@ ExceptionOr<void> WebSocket::connect(const String& url, const Vector<String>& pr
     }
 
     ASSERT(context.contentSecurityPolicy());
-    auto& contentSecurityPolicy = *context.contentSecurityPolicy();
+    CheckedRef contentSecurityPolicy = *context.contentSecurityPolicy();
 
-    contentSecurityPolicy.upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
+    contentSecurityPolicy->upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
 
     if (!portAllowed(m_url)) {
         String message;
@@ -269,7 +269,7 @@ ExceptionOr<void> WebSocket::connect(const String& url, const Vector<String>& pr
     }
 
     // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
-    if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(m_url)) {
+    if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy->allowConnectToSource(m_url)) {
         m_state = CLOSED;
 
         // FIXME: Should this be throwing an exception?

diff --git a/Source/WebCore/bindings/js/CachedScriptFetcher.cpp b/Source/WebCore/bindings/js/CachedScriptFetcher.cpp
@@ -31,6 +31,7 @@
 #include "ContentSecurityPolicy.h"
 #include "CrossOriginAccessControl.h"
 #include "Document.h"
+#include "DocumentInlines.h"
 #include "Settings.h"
 #include "WorkerOrWorkletGlobalScope.h"
 
@@ -52,7 +53,7 @@ CachedResourceHandle<CachedScript> CachedScriptFetcher::requestScriptWithCache(D
         return nullptr;
 
     ASSERT(document.contentSecurityPolicy());
-    bool hasKnownNonce = document.contentSecurityPolicy()->allowScriptWithNonce(m_nonce, m_isInUserAgentShadowTree);
+    bool hasKnownNonce = document.checkedContentSecurityPolicy()->allowScriptWithNonce(m_nonce, m_isInUserAgentShadowTree);
     ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
     options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
     options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
@@ -68,7 +69,7 @@ CachedResourceHandle<CachedScript> CachedScriptFetcher::requestScriptWithCache(D
     if (!m_initiatorType.isNull())
         request.setInitiatorType(m_initiatorType);
 
-    return document.cachedResourceLoader().requestScript(WTFMove(request)).value_or(nullptr);
+    return document.protectedCachedResourceLoader()->requestScript(WTFMove(request)).value_or(nullptr);
 }
 
 }
diff --git a/Source/WebCore/bindings/js/JSDOMWindowBase.cpp b/Source/WebCore/bindings/js/JSDOMWindowBase.cpp
@@ -271,12 +271,12 @@ JSC::ScriptExecutionStatus JSDOMWindowBase::scriptExecutionStatus(JSC::JSGlobalO
 void JSDOMWindowBase::reportViolationForUnsafeEval(JSGlobalObject* object, JSString* source)
 {
     const JSDOMWindowBase* thisObject = static_cast<const JSDOMWindowBase*>(object);
-    ContentSecurityPolicy* contentSecurityPolicy = nullptr;
+    CheckedPtr<ContentSecurityPolicy> contentSecurityPolicy;
     if (auto* element = thisObject->wrapped().frameElement())
         contentSecurityPolicy = element->document().contentSecurityPolicy();
 
     if (!contentSecurityPolicy) {
-        if (auto *document = thisObject->wrapped().document())
+        if (auto* document = thisObject->wrapped().document())
             contentSecurityPolicy = document->contentSecurityPolicy();
     }
 

diff --git a/Source/WebCore/bindings/js/JSEventListener.cpp b/Source/WebCore/bindings/js/JSEventListener.cpp
@@ -155,13 +155,14 @@ void JSEventListener::handleEvent(ScriptExecutionContext& scriptExecutionContext
         if (!window->wrapped().isCurrentlyDisplayedInFrame())
             return;
         if (wasCreatedFromMarkup()) {
-            auto* element = dynamicDowncast<Element>(*event.target());
-            if (!scriptExecutionContext.contentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line, code(), element))
+            RefPtr element = dynamicDowncast<Element>(*event.target());
+            if (!scriptExecutionContext.checkedContentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line, code(), element.get()))
                 return;
         }
         // FIXME: Is this check needed for other contexts?
-        auto& script = window->wrapped().frame()->script();
-        if (!script.canExecuteScripts(ReasonForCallingCanExecuteScripts::AboutToExecuteScript) || script.isPaused())
+        RefPtr frame = window->wrapped().frame();
+        CheckedRef script = frame->script();
+        if (!script->canExecuteScripts(ReasonForCallingCanExecuteScripts::AboutToExecuteScript) || script->isPaused())
             return;
     }
 

diff --git a/Source/WebCore/bindings/js/JSLazyEventListener.cpp b/Source/WebCore/bindings/js/JSLazyEventListener.cpp
@@ -116,36 +116,37 @@ JSObject* JSLazyEventListener::initializeJSFunction(ScriptExecutionContext& exec
 {
     ASSERT(is<Document>(executionContext));
 
-    auto& executionContextDocument = downcast<Document>(executionContext);
+    Ref executionContextDocument = downcast<Document>(executionContext);
 
     // As per the HTML specification [1], if this is an element's event handler, then document should be the
     // element's document. The script execution context may be different from the node's document if the
     // node's document was created by JavaScript.
     // [1] https://html.spec.whatwg.org/multipage/webappapis.html#getting-the-current-value-of-the-event-handler
-    auto& document = m_originalNode ? m_originalNode->document() : executionContextDocument;
-    if (!document.frame())
+    Ref document = m_originalNode ? m_originalNode->document() : executionContextDocument.get();
+    if (!document->frame())
         return nullptr;
 
-    auto* element =  dynamicDowncast<Element>(m_originalNode.get());
-    if (!document.contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line, m_code, element))
+    RefPtr element =  dynamicDowncast<Element>(m_originalNode.get());
+    if (!document->checkedContentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line, m_code, element.get()))
         return nullptr;
 
-    auto& script = document.frame()->script();
-    if (!script.canExecuteScripts(ReasonForCallingCanExecuteScripts::AboutToCreateEventListener) || script.isPaused())
+    RefPtr frame = document->frame();
+    CheckedRef script = frame->script();
+    if (!script->canExecuteScripts(ReasonForCallingCanExecuteScripts::AboutToCreateEventListener) || script->isPaused())
         return nullptr;
 
-    ASSERT_WITH_MESSAGE(document.settings().scriptMarkupEnabled(), "Scripting element attributes should have been stripped during parsing");
-    if (UNLIKELY(!document.settings().scriptMarkupEnabled()))
+    ASSERT_WITH_MESSAGE(document->settings().scriptMarkupEnabled(), "Scripting element attributes should have been stripped during parsing");
+    if (UNLIKELY(!document->settings().scriptMarkupEnabled()))
         return nullptr;
 
-    if (!executionContextDocument.frame())
+    if (!executionContextDocument->frame())
         return nullptr;
 
-    auto* isolatedWorld = this->isolatedWorld();
+    RefPtr isolatedWorld = this->isolatedWorld();
     if (UNLIKELY(!isolatedWorld))
         return nullptr;
 
-    auto* globalObject = toJSLocalDOMWindow(*executionContextDocument.frame(), *isolatedWorld);
+    auto* globalObject = toJSLocalDOMWindow(*executionContextDocument->protectedFrame(), *isolatedWorld);
     if (!globalObject)
         return nullptr;
 
@@ -164,7 +165,7 @@ JSObject* JSLazyEventListener::initializeJSFunction(ScriptExecutionContext& exec
 
     JSObject* jsFunction = constructFunctionSkippingEvalEnabledCheck(
         lexicalGlobalObject, WTFMove(code), Identifier::fromString(vm, m_functionName),
-        SourceOrigin { m_sourceURL, CachedScriptFetcher::create(document.charset()) },
+        SourceOrigin { m_sourceURL, CachedScriptFetcher::create(document->charset()) },
         m_sourceURL.string(), m_sourceTaintedOrigin, m_sourcePosition, overrideLineNumber, functionConstructorParametersEndPosition);
     if (UNLIKELY(scope.exception())) {
         reportCurrentException(lexicalGlobalObject);

diff --git a/Source/WebCore/bindings/js/ScriptController.cpp b/Source/WebCore/bindings/js/ScriptController.cpp
@@ -294,16 +294,21 @@ void ScriptController::initScriptForWindowProxy(JSWindowProxy& windowProxy)
     jsCast<JSLocalDOMWindow*>(windowProxy.window())->updateDocument();
     EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
 
-    if (Document* document = m_frame.document())
-        document->contentSecurityPolicy()->didCreateWindowProxy(windowProxy);
+    if (RefPtr document = m_frame.document())
+        document->checkedContentSecurityPolicy()->didCreateWindowProxy(windowProxy);
 
-    if (Page* page = m_frame.page()) {
+    if (CheckedPtr page = m_frame.page()) {
         windowProxy.attachDebugger(page->debugger());
         windowProxy.window()->setProfileGroup(page->group().identifier());
         windowProxy.window()->setConsoleClient(page->console());
     }
 
-    m_frame.loader().dispatchDidClearWindowObjectInWorld(world);
+    protectedFrame()->checkedLoader()->dispatchDidClearWindowObjectInWorld(world);
+}
+
+Ref<LocalFrame> ScriptController::protectedFrame() const
+{
+    return m_frame;
 }
 
 static Identifier jsValueToModuleKey(JSGlobalObject* lexicalGlobalObject, JSValue value)
@@ -811,16 +816,16 @@ void ScriptController::executeJavaScriptURL(const URL& url, RefPtr<SecurityOrigi
 {
     ASSERT(url.protocolIsJavaScript());
 
-    if (requesterSecurityOrigin && !requesterSecurityOrigin->isSameOriginDomain(m_frame.document()->securityOrigin()))
-        return;
+    // We need to hold onto the Frame here because executing script can
+    // destroy the frame.
+    Ref frame = m_frame;
+    RefPtr ownerDocument = m_frame.document();
 
-    if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url().string(), eventHandlerPosition().m_line, url.string(), nullptr))
+    if (requesterSecurityOrigin && !requesterSecurityOrigin->isSameOriginDomain(ownerDocument->securityOrigin()))
         return;
 
-    // We need to hold onto the Frame here because executing script can
-    // destroy the frame.
-    Ref protectedFrame { m_frame };
-    RefPtr ownerDocument { m_frame.document() };
+    if (!frame->page() || !ownerDocument->checkedContentSecurityPolicy()->allowJavaScriptURLs(ownerDocument->url().string(), eventHandlerPosition().m_line, url.string(), nullptr))
+        return;
 
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
 
@@ -835,7 +840,7 @@ void ScriptController::executeJavaScriptURL(const URL& url, RefPtr<SecurityOrigi
 
     // If executing script caused this frame to be removed from the page, we
     // don't want to try to replace its document!
-    if (!m_frame.page())
+    if (!frame->page())
         return;
 
     if (!result)
@@ -853,7 +858,7 @@ void ScriptController::executeJavaScriptURL(const URL& url, RefPtr<SecurityOrigi
     //        http://bugs.webkit.org/show_bug.cgi?id=16782
     if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
         // We're still in a frame, so there should be a DocumentLoader.
-        ASSERT(m_frame.document()->loader());
+        ASSERT(ownerDocument->loader());
 
         // Signal to FrameLoader to disable navigations within this frame while replacing it with the result of executing javascript
         // FIXME: https://bugs.webkit.org/show_bug.cgi?id=200523
@@ -863,7 +868,7 @@ void ScriptController::executeJavaScriptURL(const URL& url, RefPtr<SecurityOrigi
 
         // DocumentWriter::replaceDocumentWithResultOfExecutingJavascriptURL can cause the DocumentLoader to get deref'ed and possible destroyed,
         // so protect it with a RefPtr.
-        if (RefPtr<DocumentLoader> loader = m_frame.document()->loader()) {
+        if (RefPtr loader = ownerDocument->loader()) {
             loader->writer().replaceDocumentWithResultOfExecutingJavascriptURL(scriptResult, ownerDocument.get());
             didReplaceDocument = true;
         }

diff --git a/Source/WebCore/bindings/js/ScriptController.h b/Source/WebCore/bindings/js/ScriptController.h
@@ -187,6 +187,8 @@ class ScriptController : public CanMakeWeakPtr<ScriptController>, public CanMake
     WEBCORE_EXPORT WindowProxy& windowProxy();
     WEBCORE_EXPORT JSWindowProxy& jsWindowProxy(DOMWrapperWorld&);
 
+    Ref<LocalFrame> protectedFrame() const;
+
     LocalFrame& m_frame;
     const URL* m_sourceURL { nullptr };
 

diff --git a/Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp b/Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp
@@ -56,7 +56,7 @@ WorkerModuleScriptLoader::WorkerModuleScriptLoader(ModuleScriptLoaderClient& cli
 
 WorkerModuleScriptLoader::~WorkerModuleScriptLoader()
 {
-    m_scriptLoader->cancel();
+    protectedScriptLoader()->cancel();
 }
 
 void WorkerModuleScriptLoader::load(ScriptExecutionContext& context, URL&& sourceURL)
@@ -89,7 +89,7 @@ void WorkerModuleScriptLoader::load(ScriptExecutionContext& context, URL&& sourc
     bool cspCheckFailed = false;
     ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce;
     if (!context.shouldBypassMainWorldContentSecurityPolicy()) {
-        auto* contentSecurityPolicy = context.contentSecurityPolicy();
+        CheckedPtr contentSecurityPolicy = context.contentSecurityPolicy();
         if (fetchOptions.destination == FetchOptions::Destination::Script) {
             cspCheckFailed = contentSecurityPolicy && !contentSecurityPolicy->allowScriptFromSource(m_sourceURL);
             contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective;
@@ -100,7 +100,7 @@ void WorkerModuleScriptLoader::load(ScriptExecutionContext& context, URL&& sourc
     }
 
     if (cspCheckFailed) {
-        m_scriptLoader->notifyError();
+        protectedScriptLoader()->notifyError();
         ASSERT(!m_failed);
         notifyFinished();
         ASSERT(m_failed);
@@ -114,7 +114,12 @@ void WorkerModuleScriptLoader::load(ScriptExecutionContext& context, URL&& sourc
             fetchOptions.mode = FetchOptions::Mode::SameOrigin;
     }
 
-    m_scriptLoader->loadAsynchronously(context, WTFMove(request), WorkerScriptLoader::Source::ModuleScript, WTFMove(fetchOptions), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, *this, taskMode());
+    protectedScriptLoader()->loadAsynchronously(context, WTFMove(request), WorkerScriptLoader::Source::ModuleScript, WTFMove(fetchOptions), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, *this, taskMode());
+}
+
+Ref<WorkerScriptLoader> WorkerModuleScriptLoader::protectedScriptLoader()
+{
+    return m_scriptLoader;
 }
 
 ReferrerPolicy WorkerModuleScriptLoader::referrerPolicy()

diff --git a/Source/WebCore/bindings/js/WorkerModuleScriptLoader.h b/Source/WebCore/bindings/js/WorkerModuleScriptLoader.h
@@ -53,6 +53,7 @@ class WorkerModuleScriptLoader final : public ModuleScriptLoader, private Worker
     void load(ScriptExecutionContext&, URL&& sourceURL);
 
     WorkerScriptLoader& scriptLoader() { return m_scriptLoader.get(); }
+    Ref<WorkerScriptLoader> protectedScriptLoader();
 
     static String taskMode();
     ReferrerPolicy referrerPolicy();