[DevTools] Show blocked requests in Network panel.

Source/core/loader/FrameFetchContext.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 329 matching lines @@
     else if (url.isLocalFile() || m_document->url().isLocalFile())
         message = "Unsafe attempt to load URL " + url.elidedString() + " from frame with URL " + m_document->url().elidedString() + ". 'file:' URLs are treated as unique security origins.\n";
     else
         message = "Unsafe attempt to load URL " + url.elidedString() + " from frame with URL " + m_document->url().elidedString() + ". Domains, protocols and ports must match.\n";
 
     frame()->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message));
 }
 
 bool FrameFetchContext::canRequest(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
 {
+    class BlockedRequestInspectorNotification {

[pfeldman, 2015/09/02 02:49:21]

Why not return the enum?

[dgozman, 2015/09/02 22:59:56]

Updated.

+    public:
+        BlockedRequestInspectorNotification(LocalFrame* frame, const ResourceRequest& request, DocumentLoader* loader, const FetchInitiatorInfo& initiatorInfo)
+            : m_frame(frame)
+            , m_request(request)
+            , m_loader(loader)
+            , m_initiatorInfo(initiatorInfo)
+            , m_reason(InspectorRequestBlockedReasonNone) {}
+
+        ~BlockedRequestInspectorNotification()
+        {
+            if (m_reason != InspectorRequestBlockedReasonNone)
+                InspectorInstrumentation::didBlockRequest(m_frame, m_request, m_loader, m_initiatorInfo, m_reason);
+        }
+
+        void setReason(InspectorRequestBlockedReason reason) { m_reason = reason; }
+
+    private:
+        LocalFrame* m_frame;
+        const ResourceRequest& m_request;
+        DocumentLoader* m_loader;
+        const FetchInitiatorInfo& m_initiatorInfo;
+        InspectorRequestBlockedReason m_reason;
+
+    } inspectorNotification(frame(), resourceRequest, ensureLoaderForNotifications(), options.initiatorInfo);
+    // Note: any return from this function must call inspectorNotification.setReason.
+
     InstrumentingAgents* agents = InspectorInstrumentation::instrumentingAgentsFor(frame());
     if (agents && agents->inspectorResourceAgent()) {
-        if (agents->inspectorResourceAgent()->shouldBlockRequest(frame(), resourceRequest, ensureLoaderForNotifications(), options.initiatorInfo))
+        if (agents->inspectorResourceAgent()->shouldBlockRequest(resourceRequest)) {
+            inspectorNotification.setReason(InspectorRequestBlockedReasonInspector);
             return false;
+        }
     }
 
     SecurityOrigin* securityOrigin = options.securityOrigin.get();
     if (!securityOrigin && m_document)
         securityOrigin = m_document->securityOrigin();
 
     if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin && !securityOrigin->canDisplay(url)) {
         if (!forPreload)
             FrameLoader::reportLocalLoadFailed(frame(), url.elidedString());
         WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allowed by SecurityOrigin::canDisplay");
+        inspectorNotification.setReason(InspectorRequestBlockedReasonOther);
         return false;
     }
 
     // Some types of resources can be loaded only from the same origin. Other
     // types of resources, like Images, Scripts, and CSS, can be loaded from
     // any URL.
     switch (type) {
     case Resource::MainResource:
     case Resource::Image:
     case Resource::CSSStyleSheet:
     case Resource::Script:
     case Resource::Font:
     case Resource::Raw:
     case Resource::LinkPrefetch:
     case Resource::LinkSubresource:
     case Resource::LinkPreload:
     case Resource::TextTrack:
     case Resource::ImportResource:
     case Resource::Media:
         // By default these types of resources can be loaded from any origin.
         // FIXME: Are we sure about Resource::Font?
         if (originRestriction == FetchRequest::RestrictToSameOrigin && !securityOrigin->canRequest(url)) {
             printAccessDeniedMessage(url);
+            inspectorNotification.setReason(InspectorRequestBlockedReasonOrigin);
             return false;
         }
         break;
     case Resource::XSLStyleSheet:
         ASSERT(RuntimeEnabledFeatures::xsltEnabled());
     case Resource::SVGDocument:
         if (!securityOrigin->canRequest(url)) {
             printAccessDeniedMessage(url);
+            inspectorNotification.setReason(InspectorRequestBlockedReasonOrigin);
             return false;
         }
         break;
     }
 
     // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
     bool shouldBypassMainWorldCSP = frame()->script().shouldBypassMainWorldCSP() || options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy;
 
     // Don't send CSP messages for preloads, we might never actually display those items.
     ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
         ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
 
     // As of CSP2, for requests that are the results of redirects, the match
     // algorithm should ignore the path component of the URL.
     ContentSecurityPolicy::RedirectStatus redirectStatus = resourceRequest.followedRedirect() ? ContentSecurityPolicy::DidRedirect : ContentSecurityPolicy::DidNotRedirect;
 
     // m_document can be null, but not in any of the cases where csp is actually used below.
     // ImageResourceTest.MultipartImage crashes w/o the m_document null check.
     // I believe it's the Resource::Raw case.
     const ContentSecurityPolicy* csp = m_document ? m_document->contentSecurityPolicy() : nullptr;
+    inspectorNotification.setReason(InspectorRequestBlockedReasonCSP);
 
     // FIXME: This would be cleaner if moved this switch into an allowFromSource()
     // helper on this object which took a Resource::Type, then this block would
     // collapse to about 10 lines for handling Raw and Script special cases.
     switch (type) {
     case Resource::XSLStyleSheet:
         ASSERT(RuntimeEnabledFeatures::xsltEnabled());
         ASSERT(ContentSecurityPolicy::isScriptResource(resourceRequest));
         if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, redirectStatus, cspReporting))
             return false;
@@ skipping 31 matching lines @@
     case Resource::LinkPrefetch:
     case Resource::LinkSubresource:
     case Resource::LinkPreload:
         break;
     case Resource::Media:
     case Resource::TextTrack:
         ASSERT(ContentSecurityPolicy::isMediaResource(resourceRequest));
         if (!shouldBypassMainWorldCSP && !csp->allowMediaFromSource(url, redirectStatus, cspReporting))
             return false;
 
-        if (!frame()->loader().client()->allowMedia(url))
+        if (!frame()->loader().client()->allowMedia(url)) {
+            inspectorNotification.setReason(InspectorRequestBlockedReasonOther);
             return false;
+        }
         break;
     }
 
     // SVG Images have unique security rules that prevent all subresource requests
     // except for data urls.
-    if (type != Resource::MainResource && frame()->chromeClient().isSVGImageChromeClient() && !url.protocolIsData())
+    if (type != Resource::MainResource && frame()->chromeClient().isSVGImageChromeClient() && !url.protocolIsData()) {
+        inspectorNotification.setReason(InspectorRequestBlockedReasonOrigin);
         return false;
+    }
 
     // FIXME: Once we use RequestContext for CSP (http://crbug.com/390497), remove this extra check.
     if (resourceRequest.requestContext() == WebURLRequest::RequestContextManifest) {
-        if (!shouldBypassMainWorldCSP && !csp->allowManifestFromSource(url, redirectStatus, cspReporting))
+        if (!shouldBypassMainWorldCSP && !csp->allowManifestFromSource(url, redirectStatus, cspReporting)) {
+            inspectorNotification.setReason(InspectorRequestBlockedReasonCSP);
             return false;
+        }
     }
 
     // Measure the number of legacy URL schemes ('ftp://') and the number of embedded-credential
     // ('http://user:password@...') resources embedded as subresources. in the hopes that we can
     // block them at some point in the future.
     if (resourceRequest.frameType() != WebURLRequest::FrameTypeTopLevel) {
         ASSERT(frame()->document());
         if (SchemeRegistry::shouldTreatURLSchemeAsLegacy(url.protocol()) && !SchemeRegistry::shouldTreatURLSchemeAsLegacy(frame()->document()->securityOrigin()->protocol()))
             UseCounter::count(frame()->document(), UseCounter::LegacyProtocolEmbeddedAsSubresource);
         if (!url.user().isEmpty() || !url.pass().isEmpty())
             UseCounter::count(frame()->document(), UseCounter::RequestedSubresourceWithEmbeddedCredentials);
     }
 
     // Measure the number of pages that load resources after a redirect
     // when a CSP is active, to see if implementing CSP
     // 'unsafe-redirect' is feasible.
     if (csp && csp->isActive() && resourceRequest.frameType() != WebURLRequest::FrameTypeTopLevel && resourceRequest.frameType() != WebURLRequest::FrameTypeAuxiliary && redirectStatus == ContentSecurityPolicy::DidRedirect) {
         ASSERT(frame()->document());
         UseCounter::count(frame()->document(), UseCounter::ResourceLoadedAfterRedirectWithCSP);
     }
 
     // Last of all, check for mixed content. We do this last so that when
     // folks block mixed content with a CSP policy, they don't get a warning.
     // They'll still get a warning in the console about CSP blocking the load.
     MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ?
         MixedContentChecker::SuppressReport : MixedContentChecker::SendReport;
-    return !MixedContentChecker::shouldBlockFetch(MixedContentChecker::effectiveFrameForFrameType(frame(), resourceRequest.frameType()), resourceRequest, url, mixedContentReporting);
+    if (MixedContentChecker::shouldBlockFetch(MixedContentChecker::effectiveFrameForFrameType(frame(), resourceRequest.frameType()), resourceRequest, url, mixedContentReporting)) {
+        inspectorNotification.setReason(InspectorRequestBlockedReasonMixedContent);
+        return false;
+    }
+
+    inspectorNotification.setReason(InspectorRequestBlockedReasonNone);
+    return true;
 }
 
 bool FrameFetchContext::isControlledByServiceWorker() const
 {
     ASSERT(m_documentLoader || frame()->loader().documentLoader());
     if (m_documentLoader)
         return frame()->loader().client()->isControlledByServiceWorker(*m_documentLoader);
     // m_documentLoader is null while loading resources from an HTML import.
     // In such cases whether the request is controlled by ServiceWorker or not
     // is determined by the document loader of the frame.
@@ skipping 168 matching lines @@
 
 
 DEFINE_TRACE(FrameFetchContext)
 {
     visitor->trace(m_document);
     visitor->trace(m_documentLoader);
     FetchContext::trace(visitor);
 }
 
 } // namespace blink