OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
(...skipping 64 matching lines...)
75 , m_simpleRequest(true) | 75 , m_simpleRequest(true) |
76 , m_async(blockingBehavior == LoadAsynchronously) | 76 , m_async(blockingBehavior == LoadAsynchronously) |
77 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) | 77 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) |
78 { | 78 { |
79 ASSERT(document); | 79 ASSERT(document); |
80 ASSERT(client); | 80 ASSERT(client); |
81 // Setting an outgoing referer is only supported in the async code path. | 81 // Setting an outgoing referer is only supported in the async code path. |
82 ASSERT(m_async || request.httpReferrer().isEmpty()); | 82 ASSERT(m_async || request.httpReferrer().isEmpty()); |
83 | 83 |
84 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO
riginRequests) { | 84 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO
riginRequests) { |
85 loadRequest(request, DoSecurityCheck); | 85 loadRequest(request); |
86 return; | 86 return; |
87 } | 87 } |
88 | 88 |
89 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { | 89 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { |
90 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url
().string(), "Cross origin requests are not supported.")); | 90 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url
().string(), "Cross origin requests are not supported.")); |
91 return; | 91 return; |
92 } | 92 } |
93 | 93 |
94 makeCrossOriginAccessRequest(request); | 94 makeCrossOriginAccessRequest(request); |
95 } | 95 } |
(...skipping 24 matching lines...)
120 { | 120 { |
121 ASSERT(m_options.preflightPolicy != ForcePreflight); | 121 ASSERT(m_options.preflightPolicy != ForcePreflight); |
122 ASSERT(m_options.preflightPolicy == PreventPreflight || isSimpleCrossOriginA
ccessRequest(request.httpMethod(), request.httpHeaderFields())); | 122 ASSERT(m_options.preflightPolicy == PreventPreflight || isSimpleCrossOriginA
ccessRequest(request.httpMethod(), request.httpHeaderFields())); |
123 | 123 |
124 // Cross-origin requests are only allowed for HTTP and registered schemes. W
e would catch this when checking response headers later, but there is no reason
to send a request that's guaranteed to be denied. | 124 // Cross-origin requests are only allowed for HTTP and registered schemes. W
e would catch this when checking response headers later, but there is no reason
to send a request that's guaranteed to be denied. |
125 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protoco
l())) { | 125 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protoco
l())) { |
126 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIntern
al, 0, request.url().string(), "Cross origin requests are only supported for HTT
P.")); | 126 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIntern
al, 0, request.url().string(), "Cross origin requests are only supported for HTT
P.")); |
127 return; | 127 return; |
128 } | 128 } |
129 | 129 |
130 loadRequest(request, DoSecurityCheck); | 130 loadRequest(request); |
131 } | 131 } |
132 | 132 |
133 void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const R
esourceRequest& request) | 133 void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const R
esourceRequest& request) |
134 { | 134 { |
135 ResourceRequest preflightRequest = createAccessControlPreflightRequest(reque
st, securityOrigin()); | 135 ResourceRequest preflightRequest = createAccessControlPreflightRequest(reque
st, securityOrigin()); |
136 loadRequest(preflightRequest, DoSecurityCheck); | 136 loadRequest(preflightRequest); |
137 } | 137 } |
138 | 138 |
139 DocumentThreadableLoader::~DocumentThreadableLoader() | 139 DocumentThreadableLoader::~DocumentThreadableLoader() |
140 { | 140 { |
141 } | 141 } |
142 | 142 |
143 void DocumentThreadableLoader::cancel() | 143 void DocumentThreadableLoader::cancel() |
144 { | 144 { |
145 cancelWithError(ResourceError()); | 145 cancelWithError(ResourceError()); |
146 } | 146 } |
(...skipping 213 matching lines...)
360 | 360 |
361 void DocumentThreadableLoader::preflightSuccess() | 361 void DocumentThreadableLoader::preflightSuccess() |
362 { | 362 { |
363 OwnPtr<ResourceRequest> actualRequest; | 363 OwnPtr<ResourceRequest> actualRequest; |
364 actualRequest.swap(m_actualRequest); | 364 actualRequest.swap(m_actualRequest); |
365 | 365 |
366 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); | 366 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); |
367 | 367 |
368 clearResource(); | 368 clearResource(); |
369 | 369 |
370 // It should be ok to skip the security check since we already asked about t
he preflight request. | 370 loadRequest(*actualRequest); |
371 loadRequest(*actualRequest, SkipSecurityCheck); | |
372 } | 371 } |
373 | 372 |
374 void DocumentThreadableLoader::preflightFailure(const String& url, const String&
errorDescription) | 373 void DocumentThreadableLoader::preflightFailure(const String& url, const String&
errorDescription) |
375 { | 374 { |
376 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); | 375 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); |
377 m_actualRequest = nullptr; // Prevent didFinishLoading() from bypassing acce
ss check. | 376 m_actualRequest = nullptr; // Prevent didFinishLoading() from bypassing acce
ss check. |
378 m_client->didFailAccessControlCheck(error); | 377 m_client->didFailAccessControlCheck(error); |
379 } | 378 } |
380 | 379 |
381 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Secur
ityCheckPolicy securityCheck) | 380 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request) |
382 { | 381 { |
383 // Any credential should have been removed from the cross-site requests. | 382 // Any credential should have been removed from the cross-site requests. |
384 const KURL& requestURL = request.url(); | 383 const KURL& requestURL = request.url(); |
385 m_options.securityCheck = securityCheck; | |
386 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); | 384 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); |
387 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); | 385 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); |
388 | 386 |
389 ThreadableLoaderOptions options = m_options; | 387 ThreadableLoaderOptions options = m_options; |
390 if (m_async) { | 388 if (m_async) { |
391 options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCreden
tials; | |
392 if (m_actualRequest) { | 389 if (m_actualRequest) { |
393 options.sniffContent = DoNotSniffContent; | 390 options.sniffContent = DoNotSniffContent; |
394 options.dataBufferingPolicy = BufferData; | 391 options.dataBufferingPolicy = BufferData; |
395 } | 392 } |
396 | 393 |
397 if (m_options.timeoutMilliseconds > 0) | 394 if (m_options.timeoutMilliseconds > 0) |
398 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0); | 395 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0); |
399 | 396 |
400 FetchRequest newRequest(request, m_options.initiator, options); | 397 FetchRequest newRequest(request, m_options.initiator, options); |
401 ASSERT(!resource()); | 398 ASSERT(!resource()); |
(...skipping 56 matching lines...)
458 return true; | 455 return true; |
459 return m_document->contentSecurityPolicy()->allowConnectToSource(url); | 456 return m_document->contentSecurityPolicy()->allowConnectToSource(url); |
460 } | 457 } |
461 | 458 |
462 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 459 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
463 { | 460 { |
464 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen
t->securityOrigin(); | 461 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen
t->securityOrigin(); |
465 } | 462 } |
466 | 463 |
467 } // namespace WebCore | 464 } // namespace WebCore |
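Review bot: In loadRequest (new lines 387-388) the async path no longer forces `options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCredentials`, so whether a cross-origin load may ask the client for credentials now depends entirely on what each caller put in m_options, and nothing in the visible new code enforces the old guarantee. If the intent is that callers always set it, pin that next to the existing credential ASSERTs, e.g. `ASSERT(!m_async || m_options.crossOriginCredentialPolicy == DoNotAskClientForCrossOriginCredentials);`, or document on loadRequest which caller is responsible. The same applies to the dropped `securityCheck` argument: the three call sites that passed DoSecurityCheck and the post-preflight load in preflightSuccess now all inherit m_options.securityCheck, so a caller-supplied SkipSecurityCheck would presumably apply to the preflight request as well. loadRequest's body continues past the visible lines, so a check further down may already cover this.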