
Unified Diff: Source/core/loader/TextTrackLoader.cpp

Issue 137983010: (Re)organize handling of CORS access control during resource loading. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: HTMLImportLoader no longer needs a ResourceFetcher Created 6 years, 11 months ago
Index: Source/core/loader/TextTrackLoader.cpp
diff --git a/Source/core/loader/TextTrackLoader.cpp b/Source/core/loader/TextTrackLoader.cpp
index 121a2b5c163d1e1ebbdfc70a1ef283ef900cfa5d..8973f07a5cb51aa7504fed0f7a438e85153e4f1d 100644
--- a/Source/core/loader/TextTrackLoader.cpp
+++ b/Source/core/loader/TextTrackLoader.cpp
@@ -82,9 +82,9 @@ void TextTrackLoader::dataReceived(Resource* resource, const char* data, int len
m_cueParser->parseBytes(data, length);
}
-void TextTrackLoader::corsPolicyPreventedLoad()
+void TextTrackLoader::corsPolicyPreventedLoad(SecurityOrigin* securityOrigin, const KURL& url)
{
- DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin text track load denied by Cross-Origin Resource Sharing policy."));
+ String consoleMessage("Text track from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading: Not at same origin as the document, and parent of track element does not have a 'crossorigin' attribute. Origin '" + securityOrigin->toString() + "' is therefore not allowed access.");
m_document.addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage);
m_state = Failed;
}
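Review bot: The origin printed in the new console message is derived from `SecurityOrigin::create(url)`, but the only caller visible in this diff (load(), third hunk) passes its raw `url` argument rather than the `m_document.completeURL(url)` the request is built from. If `url` can be relative at that point, the message would likely report a unique origin ('null') instead of the origin that was blocked, and the `canRequest(url)` test in load() would be evaluated on a different value than the one fetched. Completing the URL once in load(), e.g. `const KURL completedURL = m_document.completeURL(url);`, and using it for the request, the same-origin check and this call would keep the three consistent. The message text also hard-codes the missing 'crossorigin' attribute as the cause, so it stays accurate only while this function is reached from that one branch; a short comment on the function saying so would help.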
@@ -92,14 +92,6 @@ void TextTrackLoader::corsPolicyPreventedLoad()
void TextTrackLoader::notifyFinished(Resource* resource)
{
ASSERT(this->resource() == resource);
-
- if (!m_crossOriginMode.isNull()
- && !m_document.securityOrigin()->canRequest(resource->response().url())
- && !resource->passesAccessControlCheck(m_document.securityOrigin())) {
-
- corsPolicyPreventedLoad();
- }
-
if (m_state != Failed)
m_state = resource->errorOccurred() ? Failed : Finished;
@@ -119,15 +111,12 @@ bool TextTrackLoader::load(const KURL& url, const String& crossOriginMode)
FetchRequest cueRequest(ResourceRequest(m_document.completeURL(url)), FetchInitiatorTypeNames::texttrack);
if (!crossOriginMode.isNull()) {
- m_crossOriginMode = crossOriginMode;
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- updateRequestForAccessControl(cueRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
- } else {
- // Cross-origin resources that are not suitably CORS-enabled may not load.
- if (!m_document.securityOrigin()->canRequest(url)) {
- corsPolicyPreventedLoad();
- return false;
- }
+ cueRequest.setCrossOriginAccessControl(m_document.securityOrigin(), allowCredentials);
+ } else if (!m_document.securityOrigin()->canRequest(url)) {
+ // Text track elements without 'crossorigin' set on the parent are "No CORS"; report error if not same-origin.
+ corsPolicyPreventedLoad(m_document.securityOrigin(), url);
+ return false;
}
ResourceFetcher* fetcher = m_document.fetcher();
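Review bot: Nothing in this file verifies the response against the document's origin once the load completes. The second hunk deletes the `passesAccessControlCheck` test in notifyFinished(), so the CORS branch here depends entirely on `cueRequest.setCrossOriginAccessControl(...)` making the fetcher enforce it. The removed code checked `resource->response().url()`, the final URL after any redirect, and the enforcement that replaces it is not visible in this diff. A comment on that line naming where the check now happens, such as `// Access control (including on redirects) is enforced by the fetcher for requests marked this way.`, would make the dependency explicit if that is indeed the case. A layout test covering a same-origin track URL that redirects cross-origin, with and without 'crossorigin' set, would confirm the behaviour is preserved. load() begins and continues outside this hunk.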