
Side by Side Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 149643003: Improve handling of CORS redirects for some resource loads. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Track source origin via ResourceLoaderOptions.securityOrigin Created 6 years, 10 months ago
1 /* 1 /*
2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
7 7
8 This library is free software; you can redistribute it and/or 8 This library is free software; you can redistribute it and/or
9 modify it under the terms of the GNU Library General Public 9 modify it under the terms of the GNU Library General Public
10 License as published by the Free Software Foundation; either 10 License as published by the Free Software Foundation; either
(...skipping 13 matching lines...) Expand all
24 pages from the web. It has a memory cache for these objects. 24 pages from the web. It has a memory cache for these objects.
25 */ 25 */
26 26
27 #include "config.h" 27 #include "config.h"
28 #include "core/fetch/ResourceFetcher.h" 28 #include "core/fetch/ResourceFetcher.h"
29 29
30 #include "RuntimeEnabledFeatures.h" 30 #include "RuntimeEnabledFeatures.h"
31 #include "bindings/v8/ScriptController.h" 31 #include "bindings/v8/ScriptController.h"
32 #include "core/dom/Document.h" 32 #include "core/dom/Document.h"
33 #include "core/fetch/CSSStyleSheetResource.h" 33 #include "core/fetch/CSSStyleSheetResource.h"
34 #include "core/fetch/CrossOriginAccessControl.h"
34 #include "core/fetch/DocumentResource.h" 35 #include "core/fetch/DocumentResource.h"
35 #include "core/fetch/FetchContext.h" 36 #include "core/fetch/FetchContext.h"
36 #include "core/fetch/FontResource.h" 37 #include "core/fetch/FontResource.h"
37 #include "core/fetch/ImageResource.h" 38 #include "core/fetch/ImageResource.h"
38 #include "core/fetch/MemoryCache.h" 39 #include "core/fetch/MemoryCache.h"
39 #include "core/fetch/RawResource.h" 40 #include "core/fetch/RawResource.h"
40 #include "core/fetch/ResourceLoader.h" 41 #include "core/fetch/ResourceLoader.h"
41 #include "core/fetch/ResourceLoaderSet.h" 42 #include "core/fetch/ResourceLoaderSet.h"
42 #include "core/fetch/ScriptResource.h" 43 #include "core/fetch/ScriptResource.h"
43 #include "core/fetch/ShaderResource.h" 44 #include "core/fetch/ShaderResource.h"
(...skipping 499 matching lines...) Expand 10 before | Expand all | Expand 10 after
543 // folks block insecure content with a CSP policy, they don't get a warning. 544 // folks block insecure content with a CSP policy, they don't get a warning.
544 // They'll still get a warning in the console about CSP blocking the load. 545 // They'll still get a warning in the console about CSP blocking the load.
545 546
546 // FIXME: Should we consider forPreload here? 547 // FIXME: Should we consider forPreload here?
547 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment)) 548 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment))
548 return false; 549 return false;
549 550
550 return true; 551 return true;
551 } 552 }
552 553
553 bool ResourceFetcher::canAccessResource(Resource* resource, const KURL& url) con st 554 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url) const
554 { 555 {
555 // Redirects can change the response URL different from one of request. 556 // Redirects can change the response URL different from one of request.
556 if (!canRequest(resource->type(), url, resource->options(), false, FetchRequ est::UseDefaultOriginRestrictionForType)) 557 if (!canRequest(resource->type(), url, resource->options(), false, FetchRequ est::UseDefaultOriginRestrictionForType))
557 return false; 558 return false;
558 559
559 if (!document() || document()->securityOrigin()->canRequest(url)) 560 if (!sourceOrigin && document())
561 sourceOrigin = document()->securityOrigin();
562
563 if (!sourceOrigin || sourceOrigin->canRequest(url))
560 return true; 564 return true;
561 565
562 String errorDescription; 566 String errorDescription;
563 if (!resource->passesAccessControlCheck(document()->securityOrigin(), errorD escription)) { 567 if (!resource->passesAccessControlCheck(sourceOrigin, errorDescription)) {
564 if (frame() && frame()->document()) { 568 if (frame() && frame()->document()) {
565 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo); 569 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo);
566 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessage Level, resourceType + " from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription); 570 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessage Level, resourceType + " from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
567 } 571 }
568 return false; 572 return false;
569 } 573 }
570 return true; 574 return true;
571 } 575 }
572 576
573 bool ResourceFetcher::shouldLoadNewResource(Resource::Type type) const 577 bool ResourceFetcher::shouldLoadNewResource(Resource::Type type) const
(...skipping 725 matching lines...) Expand 10 before | Expand all | Expand 10 after
1299 if (Frame* frame = this->frame()) 1303 if (Frame* frame = this->frame())
1300 return frame->page()->defersLoading(); 1304 return frame->page()->defersLoading();
1301 return false; 1305 return false;
1302 } 1306 }
1303 1307
1304 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const 1308 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const
1305 { 1309 {
1306 return this == possibleOwner; 1310 return this == possibleOwner;
1307 } 1311 }
1308 1312
1309 bool ResourceFetcher::shouldRequest(Resource* resource, const ResourceRequest& r equest, const ResourceLoaderOptions& options) 1313 bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& req uest, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)
abarth-chromium 2014/01/31 23:42:40 The logic you're adding to this function looks way
sof 2014/02/01 14:39:19 I've tried to address this by factoring out the re
1310 { 1314 {
1311 if (!canRequest(resource->type(), request.url(), options, false, FetchReques t::UseDefaultOriginRestrictionForType)) 1315 if (!canRequest(resource->type(), request.url(), options, false, FetchReques t::UseDefaultOriginRestrictionForType))
1312 return false; 1316 return false;
1317 if (options.corsEnabled == IsCORSEnabled) {
1318 const KURL& redirectUrl = redirectResponse.url();
1319 String errorDescription;
1320 bool canRedirect = checkCrossOriginAccessRedirectionUrl(request.url(), e rrorDescription);
1321 if (canRedirect) {
1322 SecurityOrigin* sourceOrigin = options.securityOrigin.get();
1323 if (!sourceOrigin && document())
1324 sourceOrigin = document()->securityOrigin();
1325 if (!sourceOrigin)
1326 return false;
1327
1328 bool redirectOutOfOrigin = !sourceOrigin->canRequest(request.url());
1329 if (!sourceOrigin->canRequest(redirectUrl)) {
1330 // The request to the redirect URL was cross-origin; perform acc ess check.
1331 StoredCredentials withCredentials = resource->resourceRequest(). allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
1332 canRedirect = passesAccessControlCheck(redirectResponse, withCre dentials, sourceOrigin, errorDescription);
1333 if (canRedirect && redirectOutOfOrigin) {
1334 // If allowed to redirect to another origin, the 'source ori gin'
1335 // becomes a globally unique origin.
1336 options.securityOrigin = SecurityOrigin::createUnique();
1337 sourceOrigin = options.securityOrigin.get();
1338 }
1339 }
1340 // Add Origin: if redirecting out of origin.
1341 if (canRedirect && redirectOutOfOrigin) {
1342 request.clearHTTPOrigin();
1343 request.setHTTPOrigin(sourceOrigin->toAtomicString());
1344 }
1345 }
1346 if (!canRedirect) {
1347 if (frame() && frame()->document()) {
1348 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMes sageLevel, "Redirect to origin '" + SecurityOrigin::create(redirectUrl)->toStrin g() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
1349 }
1350 return false;
1351 }
1352 }
1313 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url( ))) 1353 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url( )))
1314 return false; 1354 return false;
1315 return true; 1355 return true;
1316 } 1356 }
1317 1357
1318 void ResourceFetcher::refResourceLoaderHost() 1358 void ResourceFetcher::refResourceLoaderHost()
1319 { 1359 {
1320 ref(); 1360 ref();
1321 } 1361 }
1322 1362
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after
1407 case Revalidate: 1447 case Revalidate:
1408 ++m_revalidateCount; 1448 ++m_revalidateCount;
1409 return; 1449 return;
1410 case Use: 1450 case Use:
1411 ++m_useCount; 1451 ++m_useCount;
1412 return; 1452 return;
1413 } 1453 }
1414 } 1454 }
1415 1455
1416 } 1456 }
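Review bot: In `canAccessResource` (new lines 560-564) a missing source origin still allows the load: with no `sourceOrigin` argument and no `document()`, `if (!sourceOrigin || sourceOrigin->canRequest(url)) return true;` returns before `passesAccessControlCheck` runs, while `canAccessRedirect` in the same patch denies on the same condition with `if (!sourceOrigin) return false;`. The old code also allowed the no-document case, so this may be intentional, but the two functions now disagree about what an unknown origin means for a CORS decision. I would fail closed here too, with `if (!sourceOrigin) return false;` followed by `if (sourceOrigin->canRequest(url)) return true;`, or, if loads without a document must keep succeeding, add a comment above the check saying why skipping the access check is safe there. The callers are not shown on this page, so it needs confirming that they pass the `options.securityOrigin` which `canAccessRedirect` may have replaced with a unique origin; falling back to the document origin after a cross-origin redirect would check the final response against the wrong origin.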