To fix the cross-site post submission bug.

content/renderer/render_view_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_view_impl.h"
 
 #include <algorithm>
 #include <cmath>
 
 #include "base/bind.h"
@@ skipping 167 matching lines @@
 #include "ui/gfx/point.h"
 #include "ui/gfx/rect.h"
 #include "ui/gfx/size_conversions.h"
 #include "v8/include/v8.h"
 #include "webkit/appcache/web_application_cache_host_impl.h"
 #include "webkit/base/file_path_string_conversions.h"
 #include "webkit/dom_storage/dom_storage_types.h"
 #include "webkit/glue/alt_error_page_resource_fetcher.h"
 #include "webkit/glue/dom_operations.h"
 #include "webkit/glue/glue_serialize.h"
+#include "webkit/glue/resource_request_body.h"
 #include "webkit/glue/web_intent_service_data.h"
 #include "webkit/glue/webdropdata.h"
 #include "webkit/glue/webkit_constants.h"
 #include "webkit/glue/webkit_glue.h"
 #include "webkit/glue/weburlresponse_extradata_impl.h"
 #include "webkit/gpu/webgraphicscontext3d_in_process_impl.h"
 #include "webkit/media/webmediaplayer_impl.h"
 #include "webkit/media/webmediaplayer_ms.h"
 #include "webkit/plugins/npapi/plugin_list.h"
 #include "webkit/plugins/npapi/webplugin_delegate.h"
@@ skipping 115 matching lines @@
 using WebKit::WebVector;
 using WebKit::WebView;
 using WebKit::WebWidget;
 using WebKit::WebWindowFeatures;
 using appcache::WebApplicationCacheHostImpl;
 using base::Time;
 using base::TimeDelta;
 
 using webkit_glue::AltErrorPageResourceFetcher;
 using webkit_glue::ResourceFetcher;
+using webkit_glue::ResourceRequestBody;
 using webkit_glue::WebPreferences;
 using webkit_glue::WebURLResponseExtraDataImpl;
 
 #if defined(OS_ANDROID)
 using WebKit::WebContentDetectionResult;
 using WebKit::WebFloatPoint;
 using WebKit::WebFloatRect;
 using WebKit::WebHitTestResult;
 #endif
 
@@ skipping 53 matching lines @@
   ds->redirectChain(urls);
   result->reserve(urls.size());
   for (size_t i = 0; i < urls.size(); ++i) {
     if (urls[i] != GURL(kSwappedOutURL))
       result->push_back(urls[i]);
     else
       result->push_back(blank_url);
   }
 }
 
+static scoped_refptr<ResourceRequestBody> ConstructResourceRequestBody(
+    const WebURLRequest request) {
+  if (request.httpMethod() != WebString("POST") ||
+      request.httpBody().isNull())
+    return NULL;
+
+  scoped_refptr<ResourceRequestBody> request_body = new ResourceRequestBody;
+  WebHTTPBody body = request.httpBody();
+  WebKit::WebHTTPBody::Element element;
+  for (int i=0; body.elementAt(i, element); i++) {
+    switch (element.type) {
+      case WebHTTPBody::Element::TypeData: {
+        if (!element.data.isEmpty())
+          request_body->AppendBytes(element.data.data(),
+                                    static_cast<int>(element.data.size()));
+        break;
+      }
+      case WebHTTPBody::Element::TypeFile: {
+        #if defined(OS_POSIX)
+          const FilePath::StringType kFilePath =
+              base::SysWideToNativeMB(UTF16ToWideHack(element.filePath));
+        #elif defined(OS_WIN)
+          const FilePath::StringType kFilePath =
+              UTF16ToWideHack(element.filePath);
+        #endif
+        if (element.fileLength == -1) {
+          request_body->AppendFileRange(
+              FilePath(kFilePath), 0, kuint64max, base::Time());
+        } else {
+          request_body->AppendFileRange(
+              FilePath(kFilePath),
+              static_cast<uint64>(element.fileStart),
+              static_cast<uint64>(element.fileLength),
+              base::Time::FromDoubleT(element.modificationTime));
+        }
+        break;
+      }
+      // We do not support TypeURL POST data since it not possible
+      // to make a cross-process POST navigation with this type.
+      case WebHTTPBody::Element::TypeURL: {
+        CHECK(false);
+        break;
+      }
+      // We do not support TypeBlob POST data since it not possible
+      // to make a cross-process POST navigation with this type.
+      case WebHTTPBody::Element::TypeBlob: {
+        CHECK(false);
+        break;
+      }
+      default:
+        NOTREACHED();
+    }
+  }
+  return request_body;
+}
+
 // If |data_source| is non-null and has a DocumentState associated with it,
 // the AltErrorPageResourceFetcher is reset.
 static void StopAltErrorPageFetcher(WebDataSource* data_source) {
   if (data_source) {
     DocumentState* document_state = DocumentState::FromDataSource(data_source);
     if (document_state)
       document_state->set_alt_error_page_fetcher(NULL);
   }
 }
 
@@ skipping 727 matching lines @@
     if (!params.extra_headers.empty()) {
       for (net::HttpUtil::HeadersIterator i(params.extra_headers.begin(),
                                             params.extra_headers.end(), "\n");
            i.GetNext(); ) {
         request.addHTTPHeaderField(WebString::fromUTF8(i.name()),
                                    WebString::fromUTF8(i.values()));
       }
     }
 
     if (params.is_post) {
-      request.setHTTPMethod(WebString::fromUTF8("POST"));
-
-      // Set post data.
       WebHTTPBody http_body;
       http_body.initialize();
-      http_body.appendData(WebData(
-          reinterpret_cast<const char*>(
-              &params.browser_initiated_post_data.front()),
-          params.browser_initiated_post_data.size()));
+      const std::vector<ResourceRequestBody::Element>* uploads =
+          params.browser_initiated_post_data->elements();
+      std::vector<ResourceRequestBody::Element>::const_iterator iter;
+      for (iter = uploads->begin(); iter != uploads->end(); ++iter) {
+        switch (iter->type()) {
+          case ResourceRequestBody::Element::TYPE_BYTES: {
+            http_body.appendData(WebData(iter->bytes(),
+                                         static_cast<int>(iter->length())));
+            break;
+          }
+          case ResourceRequestBody::Element::TYPE_FILE: {
+            #if defined(OS_POSIX)
+              WebString filePath = WideToUTF16Hack(
+                  base::SysNativeMBToWide(iter->path().value()));
+            #elif defined(OS_WIN)
+              WebString filePath = WideToUTF16Hack(iter->path().value());
+            #endif
+            http_body.appendFileRange(
+                filePath,
+                static_cast<long long>(iter->offset()),
+                static_cast<long long>(iter->length()),
+                iter->expected_modification_time().ToDoubleT());
+            break;
+          }
+          case ResourceRequestBody::Element::TYPE_FILE_FILESYSTEM: {
+            CHECK(false);
+            break;
+          }
+          case ResourceRequestBody::Element:: TYPE_BLOB: {
+            CHECK(false);
+            break;
+          }
+          default:
+            NOTREACHED();
+        }
+      }
       request.setHTTPBody(http_body);
+      request.setHTTPMethod(WebString::fromUTF8("POST"));
+      request.setHTTPHeaderField(
+          WebString::fromUTF8("Content-Type"),
+          WebString::fromUTF8(params.extra_headers));
     }
-
     main_frame->loadRequest(request);
   }
-
   // In case LoadRequest failed before DidCreateDataSource was called.
   pending_navigation_params_.reset();
 }
 
 bool RenderViewImpl::IsBackForwardToStaleEntry(
     const ViewMsg_Navigate_Params& params,
     bool is_reload) {
   // Make sure this isn't a back/forward to an entry we have already cropped
   // or replaced from our history, before the browser knew about it.  If so,
   // a new navigation has committed in the mean time, and we can ignore this.
@@ skipping 487 matching lines @@
   if (item.urlString() == WebString::fromUTF8(kSwappedOutURL))
     return;
 
   Send(new ViewHostMsg_UpdateState(
       routing_id_, page_id_, webkit_glue::HistoryItemToString(item)));
 }
 
 void RenderViewImpl::OpenURL(WebFrame* frame,
                              const GURL& url,
                              const Referrer& referrer,
-                             WebNavigationPolicy policy) {
+                             WebNavigationPolicy policy,
+                             std::string extra_header,
+                             scoped_refptr<ResourceRequestBody>
+                                 request_body) {
   ViewHostMsg_OpenURL_Params params;
   params.url = url;
   params.referrer = referrer;
   params.disposition = NavigationPolicyToDisposition(policy);
   params.frame_id = frame->identifier();
+  params.extra_header = extra_header;
+  params.request_body = request_body;
+
   DocumentState* document_state =
       DocumentState::FromDataSource(frame->dataSource());
   params.is_cross_site_redirect =
       document_state->navigation_state()->is_redirect_in_progress();
-
   Send(new ViewHostMsg_OpenURL(routing_id_, params));
 }
 
 // WebViewDelegate ------------------------------------------------------------
 
 void RenderViewImpl::LoadNavigationErrorPage(
     WebFrame* frame,
     const WebURLRequest& failed_request,
     const WebURLError& error,
     const std::string& html,
@@ skipping 985 matching lines @@
     WebFrame* frame, const WebURLRequest& request,
     WebNavigationPolicy policy,
     const WebString& suggested_name) {
   Referrer referrer(
       GURL(request.httpHeaderField(WebString::fromUTF8("Referer"))),
       GetReferrerPolicyFromRequest(frame, request));
   if (policy == WebKit::WebNavigationPolicyDownload) {
     Send(new ViewHostMsg_DownloadUrl(routing_id_, request.url(), referrer,
                                      suggested_name));
   } else {
-    OpenURL(frame, request.url(), referrer, policy);
+    OpenURL(frame, request.url(), referrer, policy, std::string(), NULL);
   }
 }
 
 WebNavigationPolicy RenderViewImpl::decidePolicyForNavigation(
     WebFrame* frame, const WebURLRequest& request, WebNavigationType type,
     const WebNode&, WebNavigationPolicy default_policy, bool is_redirect) {
   if (request.url() != GURL(kSwappedOutURL) &&
       GetContentClient()->renderer()->HandleNavigation(frame, request, type,
                                                        default_policy,
                                                        is_redirect)) {
     return WebKit::WebNavigationPolicyIgnore;
   }
 
   Referrer referrer(
       GURL(request.httpHeaderField(WebString::fromUTF8("Referer"))),
       GetReferrerPolicyFromRequest(frame, request));
 
+  std::string header;
+  scoped_refptr<ResourceRequestBody> request_body =
+      ConstructResourceRequestBody(request);
+  if (request_body) {
+    // Extract request header information if request body exist.
+    WebString ContentType =
+        request.httpHeaderField(WebString::fromUTF8("Content-Type"));
+    header.assign(ContentType.utf8().data(), ContentType.utf8().length());
+  }
+
   if (is_swapped_out_) {
     if (request.url() != GURL(kSwappedOutURL)) {
       // Targeted links may try to navigate a swapped out frame.  Allow the
       // browser process to navigate the tab instead.  Note that it is also
       // possible for non-targeted navigations (from this view) to arrive
       // here just after we are swapped out.  It's ok to send them to the
       // browser, as long as they're for the top level frame.
       // TODO(creis): Ensure this supports targeted form submissions when
       // fixing http://crbug.com/101395.
       if (frame->parent() == NULL) {
-        OpenURL(frame, request.url(), referrer, default_policy);
+        OpenURL(frame, request.url(), referrer,
+                default_policy, header, request_body);
         return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
       }
 
       // We should otherwise ignore in-process iframe navigations, if they
       // arrive just after we are swapped out.
       return WebKit::WebNavigationPolicyIgnore;
     }
 
     // Allow kSwappedOutURL to complete.
     return default_policy;
@@ skipping 21 matching lines @@
       command_line.HasSwitch(switches::kSitePerProcess);
   if (force_swap_due_to_flag &&
       !frame->parent() && (is_content_initiated || is_redirect)) {
     WebString origin_str = frame->document().securityOrigin().toString();
     GURL frame_url(origin_str.utf8().data());
     // TODO(cevans): revisit whether this site check is still necessary once
     // crbug.com/101395 is fixed.
     if (!net::RegistryControlledDomainService::SameDomainOrHost(frame_url,
                                                                 url) ||
         frame_url.scheme() != url.scheme()) {
-      OpenURL(frame, url, referrer, default_policy);
+      OpenURL(frame, url, referrer, default_policy, header, request_body);
       return WebKit::WebNavigationPolicyIgnore;
     }
   }
 
   // If the browser is interested, then give it a chance to look at the request.
   if (is_content_initiated) {
     bool browser_handles_request =
         renderer_preferences_.browser_handles_non_local_top_level_requests &&
         IsNonLocalTopLevelNavigation(url, frame, type);
     if (!browser_handles_request) {
       browser_handles_request =
           renderer_preferences_.browser_handles_all_top_level_requests &&
           IsTopLevelNavigation(frame);
     }
 
     if (browser_handles_request) {
       // Reset these counters as the RenderView could be reused for the next
       // navigation.
       page_id_ = -1;
       last_page_id_sent_to_browser_ = -1;
-      OpenURL(frame, url, referrer, default_policy);
+      OpenURL(frame, url, referrer, default_policy, header, request_body);
       return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
     }
   }
 
   // Use the frame's original request's URL rather than the document's URL for
   // subsequent checks.  For a popup, the document's URL may become the opener
   // window's URL if the opener has called document.write().
   // See http://crbug.com/93517.
   GURL old_url(frame->dataSource()->request().url());
 
@@ skipping 39 matching lines @@
       if (is_initial_navigation && source_url.is_empty() && frame->opener())
         source_url = frame->opener()->top()->document().url();
       DCHECK(!source_url.is_empty());
       should_fork = !source_url.SchemeIs(chrome::kFileScheme);
     }
 
     if (!should_fork) {
       // Give the embedder a chance.
       // For now, we skip this for POST submissions.  This is because
       // http://crbug.com/101395 is more likely to cause compatibility issues
-      // with hosted apps and extensions than WebUI pages.  We will remove this
-      // check when cross-process POST submissions are supported.
-      if (request.httpMethod() == "GET") {
+      // with hosted apps and extensions than WebUI pages.
         should_fork = GetContentClient()->renderer()->ShouldFork(
             frame, url, is_initial_navigation, &send_referrer);
-      }
     }
 
     if (should_fork) {
-      OpenURL(
-          frame, url, send_referrer ? referrer : Referrer(), default_policy);
+      OpenURL(frame, url, send_referrer ? referrer : Referrer(),
+              default_policy, header, request_body);
       return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
     }
   }
 
   // Detect when a page is "forking" a new tab that can be safely rendered in
   // its own process.  This is done by sites like Gmail that try to open links
   // in new windows without script connections back to the original page.  We
   // treat such cases as browser navigations (in which we will create a new
   // renderer for a cross-site navigation), rather than WebKit navigations.
   //
@@ skipping 18 matching lines @@
       frame->parent() == NULL &&
       // Must not have issued the request from this page.
       is_content_initiated &&
       // Must be targeted at the current tab.
       default_policy == WebKit::WebNavigationPolicyCurrentTab &&
       // Must be a JavaScript navigation, which appears as "other".
       type == WebKit::WebNavigationTypeOther;
 
   if (is_fork) {
     // Open the URL via the browser, not via WebKit.
-    OpenURL(frame, url, Referrer(), default_policy);
+    OpenURL(frame, url, Referrer(), default_policy, header, request_body);
     return WebKit::WebNavigationPolicyIgnore;
   }
 
   return default_policy;
 }
 
 bool RenderViewImpl::canHandleRequest(
     WebFrame* frame, const WebURLRequest& request) {
   // We allow WebKit to think that everything can be handled even though
   // browser-side we limit what we load.
@@ skipping 3552 matching lines @@
 }
 #endif
 
 void RenderViewImpl::OnReleaseDisambiguationPopupDIB(
     TransportDIB::Handle dib_handle) {
   TransportDIB* dib = TransportDIB::CreateWithHandle(dib_handle);
   RenderProcess::current()->ReleaseTransportDIB(dib);
 }
 
 }  // namespace content