Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(507)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/fetch/ResourceLoader.cpp

Issue 137983010: (Re)organize handling of CORS access control during resource loading. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: HTMLImportLoader no longer needs a ResourceFetcher Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/fetch/ResourceLoader.h ('k') | Source/core/fetch/ResourceLoaderHost.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/fetch/ResourceLoader.cpp
diff --git a/Source/core/fetch/ResourceLoader.cpp b/Source/core/fetch/ResourceLoader.cpp
index 319580f8543dd73f02e2b44fa4c6513c90027646..1ad15e7919e908f23367c022ecdaba8afc063e31 100644
--- a/Source/core/fetch/ResourceLoader.cpp
+++ b/Source/core/fetch/ResourceLoader.cpp
@@ -293,6 +293,12 @@ void ResourceLoader::didSendData(blink::WebURLLoader*, unsigned long long bytesS
m_resource->didSendData(bytesSent, totalBytesToBeSent);
}
+bool ResourceLoader::responseNeedsAccessControlCheck() const
+{
+ // If the fetch was (potentially) CORS enabled, an access control check of the response is required.
+ return m_options.corsEnabled == IsCORSEnabled;
+}
+
void ResourceLoader::didReceiveResponse(blink::WebURLLoader*, const blink::WebURLResponse& response)
{
ASSERT(!response.isNull());
@@ -304,14 +310,24 @@ void ResourceLoader::didReceiveResponse(blink::WebURLLoader*, const blink::WebUR
RELEASE_ASSERT(isMultipartPayload || isValidStateTransition);
m_connectionState = ConnectionStateReceivedResponse;
+ const ResourceResponse& resourceResponse = response.toResourceResponse();
+
+ if (responseNeedsAccessControlCheck()) {
+ m_resource->setResponse(resourceResponse);
+ if (!m_host->canAccessResource(m_resource, response.url())) {
+ cancel();
+ return;
+ }
+ }
+
// Reference the object in this method since the additional processing can do
// anything including removing the last reference to this object.
RefPtr<ResourceLoader> protect(this);
- m_resource->responseReceived(response.toResourceResponse());
+ m_resource->responseReceived(resourceResponse);
if (m_state == Terminated)
return;
- m_host->didReceiveResponse(m_resource, response.toResourceResponse());
+ m_host->didReceiveResponse(m_resource, resourceResponse);
if (response.toResourceResponse().isMultipart()) {
// We don't count multiParts in a ResourceFetcher's request count
« no previous file with comments | « Source/core/fetch/ResourceLoader.h ('k') | Source/core/fetch/ResourceLoaderHost.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698