Initial Fetch integration for Subresource Integrity

Source/modules/fetch/Request.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "modules/fetch/Request.h"
 
 #include "bindings/core/v8/Dictionary.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
@@ skipping 23 matching lines @@
     DOMWrapperWorld& world = scriptState->world();
     if (world.isIsolatedWorld())
         request->setOrigin(world.isolatedWorldSecurityOrigin());
     else
         request->setOrigin(scriptState->executionContext()->securityOrigin());
     // FIXME: Set ForceOriginHeaderFlag.
     request->setSameOriginDataURLFlag(true);
     request->mutableReferrer()->setClient();
     request->setMode(original->mode());
     request->setCredentials(original->credentials());
+    request->setIntegrity(original->integrity());
     // FIXME: Set cache mode.
     // TODO(yhirano): Set redirect mode.
     return request;
 }
 
 Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Request* inputRequest, const String& inputString, const RequestInit& init, ExceptionState& exceptionState)
 {
     // "1. Let |temporaryBody| be null."
     BodyStreamBuffer* temporaryBody = nullptr;
 
@@ skipping 19 matching lines @@
     }
 
     // "3. Let |request| be |input|'s request, if |input| is a Request object,
     // and a new request otherwise."
     // "4. Set |request| to a new request whose url is |request|'s url, method
     // is |request|'s method, header list is a copy of |request|'s header list,
     // unsafe request flag is set, client is entry settings object, origin is
     // entry settings object's origin, force Origin header flag is set,
     // same-origin data URL flag is set, context is the empty string, mode is
     // |request|'s mode, credentials mode is |request|'s credentials mode,
-    // cache mode is |request|'s cache mode, and redirect mode is request's
-    // redirect mode."
+    // cache mode is |request|'s cache mode, redirect mode is request's
+    // redirect mode, and integrity metadata is |request|'s integrity metadata."
     FetchRequestData* request = createCopyOfFetchRequestDataForFetch(scriptState, inputRequest ? inputRequest->request() : FetchRequestData::create());
 
     // "5. Let |fallbackMode| be null."
     // "6. Let |fallbackCredentials| be null."
     // "7. Let |fallbackCache| be null."
     // "8. Let |fallbackRedirect| be null."
     // We don't use fallback values. We set these flags directly in below.
 
     // "9. If |input| is a string, run these substeps:"
     if (!inputRequest) {
@@ skipping 51 matching lines @@
     // |cache|."
     // TODO(yhirano): "16. If |init|'s redirect member is present and its is
     // manual, throw a TypeError."
     // TODO(yhirano): "17. Let |redirect| be |init|'s redirect member if it is
     // present, and |fallbackRedirect| otherwise."
     // TODO(yhirano): "18 If |redirect| is non-null, set |request|'s redirect
     // mode to |redirect|."
     // TODO(yhirano): "19 If |request|'s redirect mode is manual, set it to
     // follow."
 
+    // 24. If |init|'s integrity method is present, set |request|'s integrity
+    // metadata to it.
+    //
+    // (Note that the step numbering has changed rather dramaticaly so the
+    // surrounding numbers should be corrected.)

[tyoshino (SeeGerritForStatus), 2015/08/13 06:53:38]

now this step is numbered 23. it seems keeping the numbers in sync with the spec
doesn't help readability so much. just drop it?

[jww, 2015/08/13 14:32:11]

Sure, happy to. Should I remove the others at the same time?

[tyoshino (SeeGerritForStatus), 2015/08/13 15:02:31]

Leaving them unchanged, removing all, either is fine!

+    if (!init.integrity.isNull())
+        request->setIntegrity(init.integrity);
+
     // "20. If |init|'s method member is present, let |method| be it and run
     // these substeps:"
     if (!init.method.isNull()) {
         // "1. If |method| is not a method or method is a forbidden method,
         // throw a TypeError."
         if (!isValidHTTPToken(init.method)) {
             exceptionState.throwTypeError("'" + init.method + "' is not a valid HTTP method.");
             return nullptr;
         }
         if (FetchUtils::isForbiddenMethod(init.method)) {
@@ skipping 19 matching lines @@
     // "24. Empty |r|'s request's header list."
     r->m_request->headerList()->clearList();
     // "25. If |r|'s request's mode is no CORS, run these substeps:
     if (r->request()->mode() == WebURLRequest::FetchRequestModeNoCORS) {
         // "1. If |r|'s request's method is not a simple method, throw a
         // TypeError."
         if (!FetchUtils::isSimpleMethod(r->request()->method())) {
             exceptionState.throwTypeError("'" + r->request()->method() + "' is unsupported in no-cors mode.");
             return nullptr;
         }
-        // "Set |r|'s Headers object's guard to |request-no-CORS|.
+        // "2. If |request|'s integrity metadata is not the empty string, throw
+        // a TypeError."
+        if (!request->integrity().isEmpty()) {
+            exceptionState.throwTypeError("The integrity attribute is unsupported in no-cors mode.");
+            return nullptr;
+        }
+        // "3. Set |r|'s Headers object's guard to |request-no-CORS|.
         r->headers()->setGuard(Headers::RequestNoCORSGuard);
     }
     // "26. Fill |r|'s Headers object with |headers|. Rethrow any exceptions."
     if (init.headers) {
         ASSERT(init.headersDictionary.isUndefinedOrNull());
         r->headers()->fillWith(init.headers.get(), exceptionState);
     } else if (!init.headersDictionary.isUndefinedOrNull()) {
         r->headers()->fillWith(init.headersDictionary, exceptionState);
     } else {
         ASSERT(headers);
@@ skipping 240 matching lines @@
         return "omit";
     case WebURLRequest::FetchCredentialsModeSameOrigin:
         return "same-origin";
     case WebURLRequest::FetchCredentialsModeInclude:
         return "include";
     }
     ASSERT_NOT_REACHED();
     return "";
 }
 
+String Request::integrity() const
+{
+    return m_request->integrity();
+}
+
 Request* Request::clone(ExceptionState& exceptionState)
 {
     if (bodyUsed()) {
         exceptionState.throwTypeError("Request body is already used");
         return nullptr;
     }
 
     FetchRequestData* request = m_request->clone(executionContext());
     Headers* headers = Headers::create(request->headerList());
     headers->setGuard(m_headers->guard());
@@ skipping 37 matching lines @@
 }
 
 DEFINE_TRACE(Request)
 {
     Body::trace(visitor);
     visitor->trace(m_request);
     visitor->trace(m_headers);
 }
 
 } // namespace blink