Chromium Code Reviews Chromium Code Reviews
Issue 1665533003:
Set the request mode and the credentials mode of FetchEvent in the service worker correctly. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 174 // recorded here. | 174 // recorded here. |
| 175 // - ThreadableLoader w/ non-GET request is only created from javascript | 175 // - ThreadableLoader w/ non-GET request is only created from javascript |
| 176 // initiated fetch. | 176 // initiated fetch. |
| 177 // - Some non-script initiated fetches such as WorkerScriptLoader also use | 177 // - Some non-script initiated fetches such as WorkerScriptLoader also use |
| 178 // ThreadableLoader, but they are guaranteed to use GET method. | 178 // ThreadableLoader, but they are guaranteed to use GET method. |
| 179 if (request.httpMethod() != HTTPNames::GET) { | 179 if (request.httpMethod() != HTTPNames::GET) { |
| 180 if (Page* page = document.page()) | 180 if (Page* page = document.page()) |
| 181 page->chromeClient().didObserveNonGetFetchFromScript(); | 181 page->chromeClient().didObserveNonGetFetchFromScript(); |
| 182 } | 182 } |
| 183 | 183 |
| 184 // If the fetch request will be handled by the ServiceWorker, the | |
| 185 // FetchRequestMode of the request must be FetchRequestModeCORS or | |
| 186 // FetchRequestModeCORSWithForcedPreflight. Otherwise the ServiceWorker can | |
| 187 // return a opaque response which is from the other origin site and the | |
| 188 // script in the page can read the content. | |
| 189 // | |
| 190 // We assume that ServiceWorker is skipped for sync requests and unsupported | 184 // We assume that ServiceWorker is skipped for sync requests and unsupported |
| 191 // protocol requests by content/ code. | 185 // protocol requests by content/ code. |
| 192 if (m_async && !request.skipServiceWorker() && SchemeRegistry::shouldTreatUR LSchemeAsAllowingServiceWorkers(request.url().protocol()) && document.fetcher()- >isControlledByServiceWorker()) { | 186 if (m_async && !request.skipServiceWorker() && SchemeRegistry::shouldTreatUR LSchemeAsAllowingServiceWorkers(request.url().protocol()) && document.fetcher()- >isControlledByServiceWorker()) { |
| 193 ResourceRequest newRequest(request); | 187 ResourceRequest newRequest(request); |
| 194 // FetchRequestMode should be set by the caller. But the expected value | 188 const WebURLRequest::RequestContext requestContext(request.requestContex t()); |
| 195 // of FetchRequestMode is not speced yet except for XHR. So we set here. | 189 if (requestContext != WebURLRequest::RequestContextFetch) { |
| 196 // FIXME: When we support fetch API in document, this value should not | 190 // When the request context is not "fetch", |
| 197 // be overridden here. | 191 // |crossOriginRequestPolicy| represents the fetch request mode, |
| 198 if (options.preflightPolicy == ForcePreflight) | 192 // and |credentialsRequested| represents the fetch credentials mode. |
| 199 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORSWi thForcedPreflight); | 193 // So we set those flags here so that we can see the correct request |
| 200 else | 194 // mode and credentials mode in the service worker's fetch event |
| 201 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS); | 195 // handler. |
| 202 | 196 switch (m_options.crossOriginRequestPolicy) { |
| 203 m_fallbackRequestForServiceWorker = ResourceRequest(request); | 197 case DenyCrossOriginRequests: |
| 204 m_fallbackRequestForServiceWorker.setSkipServiceWorker(true); | 198 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeSa meOrigin); |
| 199 break; | |
| 200 case UseAccessControl: | |
| 201 if (options.preflightPolicy == ForcePreflight) | |
| 202 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestMo deCORSWithForcedPreflight); | |
| 203 else | |
| 204 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestMo deCORS); | |
| 205 break; | |
| 206 case AllowCrossOriginRequests: | |
| 207 // No-CORS requests are allowed only for those contexts. | |
| 208 RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(requestContext == WebUR LRequest::RequestContextAudio || requestContext == WebURLRequest::RequestContext Video || requestContext == WebURLRequest::RequestContextObject || requestContext == WebURLRequest::RequestContextFavicon || requestContext == WebURLRequest::Req uestContextImage || requestContext == WebURLRequest::RequestContextScript); | |
| 209 newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeNo CORS); | |
| 210 break; | |
| 211 } | |
| 212 if (m_resourceLoaderOptions.allowCredentials == AllowStoredCredentia ls) | |
| 213 newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentia lsModeInclude); | |
| 214 else | |
| 215 newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentia lsModeSameOrigin); | |
| 216 } | |
| 217 if (newRequest.fetchRequestMode() == WebURLRequest::FetchRequestModeCORS || newRequest.fetchRequestMode() == WebURLRequest::FetchRequestModeCORSWithForc edPreflight) { | |
| 218 m_fallbackRequestForServiceWorker = ResourceRequest(request); | |
| 219 m_fallbackRequestForServiceWorker.setSkipServiceWorker(true); | |
| 220 } | |
| 205 | 221 |
| 206 loadRequest(newRequest, m_resourceLoaderOptions); | 222 loadRequest(newRequest, m_resourceLoaderOptions); |
| 207 return; | 223 return; |
| 208 } | 224 } |
| 209 | 225 |
| 210 dispatchInitialRequest(request); | 226 dispatchInitialRequest(request); |
| 211 // |this| may be dead here in async mode. | 227 // |this| may be dead here in async mode. |
| 212 } | 228 } |
| 213 | 229 |
| 214 void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& req uest) | 230 void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& req uest) |
| (...skipping 371 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 586 ASSERT(m_client); | 602 ASSERT(m_client); |
| 587 | 603 |
| 588 if (!m_actualRequest.isNull()) { | 604 if (!m_actualRequest.isNull()) { |
| 589 reportResponseReceived(identifier, response); | 605 reportResponseReceived(identifier, response); |
| 590 handlePreflightResponse(response); | 606 handlePreflightResponse(response); |
| 591 // |this| may be dead here in async mode. | 607 // |this| may be dead here in async mode. |
| 592 return; | 608 return; |
| 593 } | 609 } |
| 594 | 610 |
| 595 if (response.wasFetchedViaServiceWorker()) { | 611 if (response.wasFetchedViaServiceWorker()) { |
| 596 // It's still possible to reach here with null m_fallbackRequestForServi ceWorker | |
| 597 // if the request was for main resource loading (i.e. for SharedWorker), for which | |
| 598 // we create DocumentLoader before the controller ServiceWorker is set. | |
| 599 ASSERT(!m_fallbackRequestForServiceWorker.isNull() || m_requestContext = = WebURLRequest::RequestContextSharedWorker); | |
|
tyoshino (SeeGerritForStatus)
2016/02/04 14:45:26
Did this become removable as a result of the chang
horo
2016/02/05 02:28:20
m_fallbackRequestForServiceWorker is set only when
| |
| 600 if (response.wasFallbackRequiredByServiceWorker()) { | 612 if (response.wasFallbackRequiredByServiceWorker()) { |
| 601 // At this point we must have m_fallbackRequestForServiceWorker. | 613 // At this point we must have m_fallbackRequestForServiceWorker. |
| 602 // (For SharedWorker the request won't be CORS or CORS-with-prefligh t, | 614 // (For SharedWorker the request won't be CORS or CORS-with-prefligh t, |
| 603 // therefore fallback-to-network is handled in the browser process | 615 // therefore fallback-to-network is handled in the browser process |
| 604 // when the ServiceWorker does not call respondWith().) | 616 // when the ServiceWorker does not call respondWith().) |
| 605 ASSERT(!m_fallbackRequestForServiceWorker.isNull()); | 617 ASSERT(!m_fallbackRequestForServiceWorker.isNull()); |
| 606 reportResponseReceived(identifier, response); | 618 reportResponseReceived(identifier, response); |
| 607 loadFallbackRequestForServiceWorker(); | 619 loadFallbackRequestForServiceWorker(); |
| 608 // |this| may be dead here in async mode. | 620 // |this| may be dead here in async mode. |
| 609 return; | 621 return; |
| (...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 894 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin (); | 906 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin (); |
| 895 } | 907 } |
| 896 | 908 |
| 897 Document& DocumentThreadableLoader::document() const | 909 Document& DocumentThreadableLoader::document() const |
| 898 { | 910 { |
| 899 ASSERT(m_document); | 911 ASSERT(m_document); |
| 900 return *m_document; | 912 return *m_document; |
| 901 } | 913 } |
| 902 | 914 |
| 903 } // namespace blink | 915 } // namespace blink |
| OLD | NEW |
