OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
209 } | 209 } |
210 | 210 |
211 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) { | 211 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) { |
212 errorDescription = "The request was redirected to a URL ('" + requestURL
.string() + "') containing userinfo, which is disallowed for cross-origin reques
ts."; | 212 errorDescription = "The request was redirected to a URL ('" + requestURL
.string() + "') containing userinfo, which is disallowed for cross-origin reques
ts."; |
213 return false; | 213 return false; |
214 } | 214 } |
215 | 215 |
216 return true; | 216 return true; |
217 } | 217 } |
218 | 218 |
219 bool CrossOriginAccessControl::handleRedirect(Resource* resource, SecurityOrigin
* securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResp
onse, ResourceLoaderOptions& options, String& errorMessage) | 219 bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re
sourceRequest& request, const ResourceResponse& redirectResponse, StoredCredenti
als withCredentials, ResourceLoaderOptions& options, String& errorMessage) |
220 { | 220 { |
221 // http://www.w3.org/TR/cors/#redirect-steps terminology: | 221 // http://www.w3.org/TR/cors/#redirect-steps terminology: |
222 const KURL& originalURL = redirectResponse.url(); | 222 const KURL& originalURL = redirectResponse.url(); |
223 const KURL& requestURL = request.url(); | 223 const KURL& requestURL = request.url(); |
224 | 224 |
225 bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL); | 225 bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL); |
226 | 226 |
227 // Same-origin request URLs that redirect are allowed without checking acces
s. | 227 // Same-origin request URLs that redirect are allowed without checking acces
s. |
228 if (!securityOrigin->canRequest(originalURL)) { | 228 if (!securityOrigin->canRequest(originalURL)) { |
229 // Follow http://www.w3.org/TR/cors/#redirect-steps | 229 // Follow http://www.w3.org/TR/cors/#redirect-steps |
230 String errorDescription; | 230 String errorDescription; |
231 | 231 |
232 // Steps 3 & 4 - check if scheme and other URL restrictions hold. | 232 // Steps 3 & 4 - check if scheme and other URL restrictions hold. |
233 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio
n); | 233 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio
n); |
234 if (allowRedirect) { | 234 if (allowRedirect) { |
235 // Step 5: perform resource sharing access check. | 235 // Step 5: perform resource sharing access check. |
236 StoredCredentials withCredentials = resource->lastResourceRequest().
allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials; | |
237 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede
ntials, securityOrigin, errorDescription); | 236 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede
ntials, securityOrigin, errorDescription); |
238 if (allowRedirect) { | 237 if (allowRedirect) { |
239 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o
riginalURL); | 238 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o
riginalURL); |
240 // Step 6: if the request URL origin is not same origin as the o
riginal URL's, | 239 // Step 6: if the request URL origin is not same origin as the o
riginal URL's, |
241 // set the source origin to a globally unique identifier. | 240 // set the source origin to a globally unique identifier. |
242 if (!originalOrigin->canRequest(requestURL)) { | 241 if (!originalOrigin->canRequest(requestURL)) { |
243 options.securityOrigin = SecurityOrigin::createUnique(); | 242 options.securityOrigin = SecurityOrigin::createUnique(); |
244 securityOrigin = options.securityOrigin.get(); | 243 securityOrigin = options.securityOrigin.get(); |
245 } | 244 } |
246 } | 245 } |
(...skipping 10 matching lines...) Expand all Loading... |
257 request.setHTTPOrigin(securityOrigin->toAtomicString()); | 256 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
258 // If the user didn't request credentials in the first place, update our | 257 // If the user didn't request credentials in the first place, update our |
259 // state so we neither request them nor expect they must be allowed. | 258 // state so we neither request them nor expect they must be allowed. |
260 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 259 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
261 options.allowCredentials = DoNotAllowStoredCredentials; | 260 options.allowCredentials = DoNotAllowStoredCredentials; |
262 } | 261 } |
263 return true; | 262 return true; |
264 } | 263 } |
265 | 264 |
266 } // namespace blink | 265 } // namespace blink |
OLD | NEW |