OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_URL_REQUEST_URL_REQUEST_H_ | 5 #ifndef NET_URL_REQUEST_URL_REQUEST_H_ |
6 #define NET_URL_REQUEST_URL_REQUEST_H_ | 6 #define NET_URL_REQUEST_URL_REQUEST_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <string> | 10 #include <string> |
35 #include "url/gurl.h" | 35 #include "url/gurl.h" |
36 | 36 |
37 namespace base { | 37 namespace base { |
38 class Value; | 38 class Value; |
39 | 39 |
40 namespace debug { | 40 namespace debug { |
41 class StackTrace; | 41 class StackTrace; |
42 } // namespace debug | 42 } // namespace debug |
43 } // namespace base | 43 } // namespace base |
44 | 44 |
45 namespace url { | |
46 class Origin; | |
47 } | |
48 | |
45 namespace net { | 49 namespace net { |
46 | 50 |
47 class ChunkedUploadDataStream; | 51 class ChunkedUploadDataStream; |
48 class CookieOptions; | 52 class CookieOptions; |
49 class HostPortPair; | 53 class HostPortPair; |
50 class IOBuffer; | 54 class IOBuffer; |
51 struct LoadTimingInfo; | 55 struct LoadTimingInfo; |
52 struct RedirectInfo; | 56 struct RedirectInfo; |
53 class SSLCertRequestInfo; | 57 class SSLCertRequestInfo; |
54 class SSLInfo; | 58 class SSLInfo; |
245 | 249 |
246 // The original url is the url used to initialize the request, and it may | 250 // The original url is the url used to initialize the request, and it may |
247 // differ from the url if the request was redirected. | 251 // differ from the url if the request was redirected. |
248 const GURL& original_url() const { return url_chain_.front(); } | 252 const GURL& original_url() const { return url_chain_.front(); } |
249 // The chain of urls traversed by this request. If the request had no | 253 // The chain of urls traversed by this request. If the request had no |
250 // redirects, this vector will contain one element. | 254 // redirects, this vector will contain one element. |
251 const std::vector<GURL>& url_chain() const { return url_chain_; } | 255 const std::vector<GURL>& url_chain() const { return url_chain_; } |
252 const GURL& url() const { return url_chain_.back(); } | 256 const GURL& url() const { return url_chain_.back(); } |
253 | 257 |
254 // The URL that should be consulted for the third-party cookie blocking | 258 // The URL that should be consulted for the third-party cookie blocking |
255 // policy. | 259 // policy, as defined in Section 2.1.1 and 2.1.2 of |
260 // https://tools.ietf.org/html/draft-west-first-party-cookies. | |
256 // | 261 // |
257 // WARNING: This URL must only be used for the third-party cookie blocking | 262 // WARNING: This URL must only be used for the third-party cookie blocking |
258 // policy. It MUST NEVER be used for any kind of SECURITY check. | 263 // policy. It MUST NEVER be used for any kind of SECURITY check. |
259 // | 264 // |
260 // For example, if a top-level navigation is redirected, the | 265 // For example, if a top-level navigation is redirected, the |
261 // first-party for cookies will be the URL of the first URL in the | 266 // first-party for cookies will be the URL of the first URL in the |
262 // redirect chain throughout the whole redirect. If it was used for | 267 // redirect chain throughout the whole redirect. If it was used for |
263 // a security check, an attacker might try to get around this check | 268 // a security check, an attacker might try to get around this check |
264 // by starting from some page that redirects to the | 269 // by starting from some page that redirects to the |
265 // host-to-be-attacked. | 270 // host-to-be-attacked. |
266 // | 271 // |
267 // TODO(mkwst): Convert this to a 'url::Origin'. Several callsites are using | 272 // TODO(mkwst): Convert this to a 'url::Origin'. Several callsites are using |
268 // this value as a proxy for the "top-level frame URL", which is simply | 273 // this value as a proxy for the "top-level frame URL", which is simply |
269 // incorrect and fragile. We don't need the full URL for any //net checks, | 274 // incorrect and fragile. We don't need the full URL for any //net checks, |
270 // so we should drop the pieces we don't need. | 275 // so we should drop the pieces we don't need. |
271 const GURL& first_party_for_cookies() const { | 276 const GURL& first_party_for_cookies() const { |
272 return first_party_for_cookies_; | 277 return first_party_for_cookies_; |
273 } | 278 } |
274 // This method may only be called before Start(). | 279 // This method may only be called before Start(). |
275 void set_first_party_for_cookies(const GURL& first_party_for_cookies); | 280 void set_first_party_for_cookies(const GURL& first_party_for_cookies); |
276 | 281 |
277 // The first-party URL policy to apply when updating the first party URL | 282 // The first-party URL policy to apply when updating the first party URL |
278 // during redirects. The first-party URL policy may only be changed before | 283 // during redirects. The first-party URL policy may only be changed before |
279 // Start() is called. | 284 // Start() is called. |
280 FirstPartyURLPolicy first_party_url_policy() const { | 285 FirstPartyURLPolicy first_party_url_policy() const { |
281 return first_party_url_policy_; | 286 return first_party_url_policy_; |
282 } | 287 } |
283 void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy); | 288 void set_first_party_url_policy(FirstPartyURLPolicy first_party_url_policy); |
284 | 289 |
290 // The origin of the context which initiated the request. This is distinct | |
291 // from the "first party for cookies" discussed above in a number of ways: | |
292 // | |
293 // 1. The request's initiator does not change during a redirect. If a form | |
294 // submission from `https://example.com/` redirects through a number of | |
295 // sites | |
mmenke
2015/10/22 19:41:05
nit: Reformat
Mike West
2016/01/13 08:10:21
Yikes. Thanks!
| |
296 // before landing on `https://not-example.com/`, the initiator for each of | |
297 // those requests will be `https://example.com/`. | |
298 // | |
299 // 2. The request's initiator is the origin of the frame or worker which made | |
300 // the request, even for top-level navigations. That is, if | |
301 // `https://example.com/`'s form submission is made in the top-level frame, | |
302 // the first party for cookies would be the target URL's origin. The | |
303 // initiator remains `https://example.com/`. | |
304 // | |
305 // This value is used to perform the cross-origin check specified in Section | |
306 // 4.3 of https://tools.ietf.org/html/draft-west-first-party-cookies. | |
mmenke
2015/10/22 19:41:05
Thanks for the detailed description!
| |
307 const url::Origin& initiator() const { return initiator_; } | |
308 // This method may only be called before Start(). | |
309 void set_initiator(const url::Origin& initiator); | |
310 | |
285 // The request method, as an uppercase string. "GET" is the default value. | 311 // The request method, as an uppercase string. "GET" is the default value. |
286 // The request method may only be changed before Start() is called and | 312 // The request method may only be changed before Start() is called and |
287 // should only be assigned an uppercase value. | 313 // should only be assigned an uppercase value. |
288 const std::string& method() const { return method_; } | 314 const std::string& method() const { return method_; } |
289 void set_method(const std::string& method); | 315 void set_method(const std::string& method); |
290 | 316 |
317 // True if the request method is "safe" (per section 4.2.1 of RFC 7231). | |
318 bool IsMethodSafe() const; | |
319 | |
291 // The referrer URL for the request. This header may actually be suppressed | 320 // The referrer URL for the request. This header may actually be suppressed |
292 // from the underlying network request for security reasons (e.g., a HTTPS | 321 // from the underlying network request for security reasons (e.g., a HTTPS |
293 // URL will not be sent as the referrer for a HTTP request). The referrer | 322 // URL will not be sent as the referrer for a HTTP request). The referrer |
294 // may only be changed before Start() is called. | 323 // may only be changed before Start() is called. |
295 const std::string& referrer() const { return referrer_; } | 324 const std::string& referrer() const { return referrer_; } |
296 // Referrer is sanitized to remove URL fragment, user name and password. | 325 // Referrer is sanitized to remove URL fragment, user name and password. |
297 void SetReferrer(const std::string& referrer); | 326 void SetReferrer(const std::string& referrer); |
298 | 327 |
299 // The referrer policy to apply when updating the referrer during redirects. | 328 // The referrer policy to apply when updating the referrer during redirects. |
300 // The referrer policy may only be changed before Start() is called. | 329 // The referrer policy may only be changed before Start() is called. |
752 BoundNetLog net_log_; | 781 BoundNetLog net_log_; |
753 | 782 |
754 scoped_refptr<URLRequestJob> job_; | 783 scoped_refptr<URLRequestJob> job_; |
755 scoped_ptr<UploadDataStream> upload_data_stream_; | 784 scoped_ptr<UploadDataStream> upload_data_stream_; |
756 // TODO(mmenke): Make whether or not an upload is chunked transparent to the | 785 // TODO(mmenke): Make whether or not an upload is chunked transparent to the |
757 // URLRequest. | 786 // URLRequest. |
758 ChunkedUploadDataStream* upload_chunked_data_stream_; | 787 ChunkedUploadDataStream* upload_chunked_data_stream_; |
759 | 788 |
760 std::vector<GURL> url_chain_; | 789 std::vector<GURL> url_chain_; |
761 GURL first_party_for_cookies_; | 790 GURL first_party_for_cookies_; |
791 url::Origin initiator_; | |
762 GURL delegate_redirect_url_; | 792 GURL delegate_redirect_url_; |
763 std::string method_; // "GET", "POST", etc. Should be all uppercase. | 793 std::string method_; // "GET", "POST", etc. Should be all uppercase. |
764 std::string referrer_; | 794 std::string referrer_; |
765 ReferrerPolicy referrer_policy_; | 795 ReferrerPolicy referrer_policy_; |
766 FirstPartyURLPolicy first_party_url_policy_; | 796 FirstPartyURLPolicy first_party_url_policy_; |
767 HttpRequestHeaders extra_request_headers_; | 797 HttpRequestHeaders extra_request_headers_; |
768 int load_flags_; // Flags indicating the request type for the load; | 798 int load_flags_; // Flags indicating the request type for the load; |
769 // expected values are LOAD_* enums above. | 799 // expected values are LOAD_* enums above. |
770 | 800 |
771 // Never access methods of the |delegate_| directly. Always use the | 801 // Never access methods of the |delegate_| directly. Always use the |
854 HostPortPair proxy_server_; | 884 HostPortPair proxy_server_; |
855 | 885 |
856 scoped_ptr<const base::debug::StackTrace> stack_trace_; | 886 scoped_ptr<const base::debug::StackTrace> stack_trace_; |
857 | 887 |
858 DISALLOW_COPY_AND_ASSIGN(URLRequest); | 888 DISALLOW_COPY_AND_ASSIGN(URLRequest); |
859 }; | 889 }; |
860 | 890 |
861 } // namespace net | 891 } // namespace net |
862 | 892 |
863 #endif // NET_URL_REQUEST_URL_REQUEST_H_ | 893 #endif // NET_URL_REQUEST_URL_REQUEST_H_ |
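Review bot: The comment added for `initiator()` (new lines 290-306) does not say what origin a request carries when `set_initiator()` is never called, although the value feeds the cross-origin check from Section 4.3 of the draft. A default-constructed `url::Origin` is a unique origin, so the header should state that and how the check treats it, for example `// If set_initiator() is not called, this is a unique origin, which the cross-origin check treats as cross-site.`; whether that is the intended handling is not visible on this page and should be confirmed against the implementation. Separately, `url::Origin initiator_;` at new line 791 is held by value, which needs the complete type rather than the `namespace url { class Origin; }` forward declaration at new lines 45-47. An include of `url/origin.h` may sit in the skipped lines, in which case the forward declaration is redundant.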