Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(232)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 1213343002: Rename variables in redirect handling code for readability (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | Source/core/fetch/ResourceFetcher.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after
209 } 209 }
210 210
211 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) { 211 if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) {
212 errorDescription = "The request was redirected to a URL ('" + requestURL .string() + "') containing userinfo, which is disallowed for cross-origin reques ts."; 212 errorDescription = "The request was redirected to a URL ('" + requestURL .string() + "') containing userinfo, which is disallowed for cross-origin reques ts.";
213 return false; 213 return false;
214 } 214 }
215 215
216 return true; 216 return true;
217 } 217 }
218 218
219 bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re sourceRequest& request, const ResourceResponse& redirectResponse, StoredCredenti als withCredentials, ResourceLoaderOptions& options, String& errorMessage) 219 bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re sourceRequest& newRequest, const ResourceResponse& redirectResponse, StoredCrede ntials withCredentials, ResourceLoaderOptions& options, String& errorMessage)
220 { 220 {
221 // http://www.w3.org/TR/cors/#redirect-steps terminology: 221 // http://www.w3.org/TR/cors/#redirect-steps terminology:
222 const KURL& originalURL = redirectResponse.url(); 222 const KURL& originalURL = redirectResponse.url();
223 const KURL& requestURL = request.url(); 223 const KURL& newURL = newRequest.url();
224 224
225 bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL); 225 bool redirectCrossOrigin = !securityOrigin->canRequest(newURL);
226 226
227 // Same-origin request URLs that redirect are allowed without checking acces s. 227 // Same-origin request URLs that redirect are allowed without checking acces s.
228 if (!securityOrigin->canRequest(originalURL)) { 228 if (!securityOrigin->canRequest(originalURL)) {
229 // Follow http://www.w3.org/TR/cors/#redirect-steps 229 // Follow http://www.w3.org/TR/cors/#redirect-steps
230 String errorDescription; 230 String errorDescription;
231 231
232 // Steps 3 & 4 - check if scheme and other URL restrictions hold. 232 // Steps 3 & 4 - check if scheme and other URL restrictions hold.
233 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio n); 233 bool allowRedirect = isLegalRedirectLocation(newURL, errorDescription);
234 if (allowRedirect) { 234 if (allowRedirect) {
235 // Step 5: perform resource sharing access check. 235 // Step 5: perform resource sharing access check.
236 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede ntials, securityOrigin, errorDescription); 236 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede ntials, securityOrigin, errorDescription);
237 if (allowRedirect) { 237 if (allowRedirect) {
238 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o riginalURL); 238 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o riginalURL);
239 // Step 6: if the request URL origin is not same origin as the o riginal URL's, 239 // Step 6: if the request URL origin is not same origin as the o riginal URL's,
240 // set the source origin to a globally unique identifier. 240 // set the source origin to a globally unique identifier.
241 if (!originalOrigin->canRequest(requestURL)) { 241 if (!originalOrigin->canRequest(newURL)) {
242 options.securityOrigin = SecurityOrigin::createUnique(); 242 options.securityOrigin = SecurityOrigin::createUnique();
243 securityOrigin = options.securityOrigin.get(); 243 securityOrigin = options.securityOrigin.get();
244 } 244 }
245 } 245 }
246 } 246 }
247 if (!allowRedirect) { 247 if (!allowRedirect) {
248 const String& originalOrigin = SecurityOrigin::create(originalURL)-> toString(); 248 const String& originalOrigin = SecurityOrigin::create(originalURL)-> toString();
249 errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescript ion; 249 errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescript ion;
250 return false; 250 return false;
251 } 251 }
252 } 252 }
253 if (redirectCrossOrigin) { 253 if (redirectCrossOrigin) {
254 // If now to a different origin, update/set Origin:. 254 // If now to a different origin, update/set Origin:.
255 request.clearHTTPOrigin(); 255 newRequest.clearHTTPOrigin();
256 request.setHTTPOrigin(securityOrigin->toAtomicString()); 256 newRequest.setHTTPOrigin(securityOrigin->toAtomicString());
257 // If the user didn't request credentials in the first place, update our 257 // If the user didn't request credentials in the first place, update our
258 // state so we neither request them nor expect they must be allowed. 258 // state so we neither request them nor expect they must be allowed.
259 if (options.credentialsRequested == ClientDidNotRequestCredentials) 259 if (options.credentialsRequested == ClientDidNotRequestCredentials)
260 options.allowCredentials = DoNotAllowStoredCredentials; 260 options.allowCredentials = DoNotAllowStoredCredentials;
261 } 261 }
262 return true; 262 return true;
263 } 263 }
264 264
265 } // namespace blink 265 } // namespace blink
OLDNEW
« no previous file with comments | « no previous file | Source/core/fetch/ResourceFetcher.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698