OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 200 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
211 } | 211 } |
212 | 212 |
213 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) { | 213 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) { |
214 errorDescription = "The request was redirected to a URL ('" + requestURL
.string() + "') containing userinfo, which is disallowed for cross-origin reques
ts."; | 214 errorDescription = "The request was redirected to a URL ('" + requestURL
.string() + "') containing userinfo, which is disallowed for cross-origin reques
ts."; |
215 return false; | 215 return false; |
216 } | 216 } |
217 | 217 |
218 return true; | 218 return true; |
219 } | 219 } |
220 | 220 |
221 bool CrossOriginAccessControl::handleRedirect(ExecutionContext* context, Resourc
e* resource, SecurityOrigin* securityOrigin, ResourceRequest& request, const Res
ourceResponse& redirectResponse, ResourceLoaderOptions& options, String& errorMe
ssage) | 221 bool CrossOriginAccessControl::handleRedirect(ExecutionContext* context, Securit
yOrigin* securityOrigin, ResourceRequest& request, const ResourceResponse& redir
ectResponse, StoredCredentials withCredentials, ResourceLoaderOptions& options,
String& errorMessage) |
222 { | 222 { |
223 // http://www.w3.org/TR/cors/#redirect-steps terminology: | 223 // http://www.w3.org/TR/cors/#redirect-steps terminology: |
224 const KURL& originalURL = redirectResponse.url(); | 224 const KURL& originalURL = redirectResponse.url(); |
225 const KURL& requestURL = request.url(); | 225 const KURL& requestURL = request.url(); |
226 | 226 |
227 bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL); | 227 bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL); |
228 | 228 |
229 // Same-origin request URLs that redirect are allowed without checking acces
s. | 229 // Same-origin request URLs that redirect are allowed without checking acces
s. |
230 if (!securityOrigin->canRequest(originalURL)) { | 230 if (!securityOrigin->canRequest(originalURL)) { |
231 // Follow http://www.w3.org/TR/cors/#redirect-steps | 231 // Follow http://www.w3.org/TR/cors/#redirect-steps |
232 String errorDescription; | 232 String errorDescription; |
233 | 233 |
234 // Steps 3 & 4 - check if scheme and other URL restrictions hold. | 234 // Steps 3 & 4 - check if scheme and other URL restrictions hold. |
235 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio
n); | 235 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio
n); |
236 if (allowRedirect) { | 236 if (allowRedirect) { |
237 // Step 5: perform resource sharing access check. | 237 // Step 5: perform resource sharing access check. |
238 StoredCredentials withCredentials = resource->lastResourceRequest().
allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials; | |
239 allowRedirect = passesAccessControlCheck(context, redirectResponse,
withCredentials, securityOrigin, errorDescription); | 238 allowRedirect = passesAccessControlCheck(context, redirectResponse,
withCredentials, securityOrigin, errorDescription); |
240 if (allowRedirect) { | 239 if (allowRedirect) { |
241 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o
riginalURL); | 240 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o
riginalURL); |
242 // Step 6: if the request URL origin is not same origin as the o
riginal URL's, | 241 // Step 6: if the request URL origin is not same origin as the o
riginal URL's, |
243 // set the source origin to a globally unique identifier. | 242 // set the source origin to a globally unique identifier. |
244 if (!originalOrigin->canRequest(requestURL)) { | 243 if (!originalOrigin->canRequest(requestURL)) { |
245 options.securityOrigin = SecurityOrigin::createUnique(); | 244 options.securityOrigin = SecurityOrigin::createUnique(); |
246 securityOrigin = options.securityOrigin.get(); | 245 securityOrigin = options.securityOrigin.get(); |
247 } | 246 } |
248 } | 247 } |
(...skipping 10 matching lines...) Expand all Loading... |
259 request.setHTTPOrigin(securityOrigin->toAtomicString()); | 258 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
260 // If the user didn't request credentials in the first place, update our | 259 // If the user didn't request credentials in the first place, update our |
261 // state so we neither request them nor expect they must be allowed. | 260 // state so we neither request them nor expect they must be allowed. |
262 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 261 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
263 options.allowCredentials = DoNotAllowStoredCredentials; | 262 options.allowCredentials = DoNotAllowStoredCredentials; |
264 } | 263 } |
265 return true; | 264 return true; |
266 } | 265 } |
267 | 266 |
268 } // namespace blink | 267 } // namespace blink |
OLD | NEW |