| Index: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
|
| diff --git a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
|
| index 0cb013b57d725807d33abe52058de247a0676aa5..da915d21d032729966820a9096c2b0a6427a90c8 100644
|
| --- a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
|
| +++ b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
|
| @@ -235,13 +235,13 @@ void DocumentThreadableLoader::start(const ResourceRequest& request)
|
|
|
| void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& request)
|
| {
|
| - if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
|
| + if (!request.isExternalRequest() && (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)) {
|
| loadRequest(request, m_resourceLoaderOptions);
|
| // |this| may be dead here in async mode.
|
| return;
|
| }
|
|
|
| - ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
|
| + ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl || request.isExternalRequest());
|
|
|
| makeCrossOriginAccessRequest(request);
|
| // |this| may be dead here in async mode.
|
| @@ -249,7 +249,7 @@ void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& req
|
|
|
| void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
|
| {
|
| - ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
|
| + ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl || request.isExternalRequest());
|
| ASSERT(m_client);
|
| ASSERT(!resource());
|
|
|
| @@ -266,11 +266,20 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
|
| return;
|
| }
|
|
|
| + // Non-secure origins may not make "external requests": https://mikewest.github.io/cors-rfc1918/#integration-fetch
|
| + if (!document().isSecureContext() && request.isExternalRequest()) {
|
| + ThreadableLoaderClient* client = m_client;
|
| + clear();
|
| + client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, request.url().getString(), "Requests to internal network resources are not allowed from non-secure contexts (see https://goo.gl/Y0ZkNV). This is an experimental restriction which is part of 'https://mikewest.github.io/cors-rfc1918/'."));
|
| + // |this| may be dead here in async mode.
|
| + return;
|
| + }
|
| +
|
| // We use isSimpleOrForbiddenRequest() here since |request| may have been
|
| // modified in the process of loading (not from the user's input). For
|
| // example, referrer. We need to accept them. For security, we must reject
|
| // forbidden headers/methods at the point we accept user's input. Not here.
|
| - if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
|
| + if (!request.isExternalRequest() && ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight)) {
|
| ResourceRequest crossOriginRequest(request);
|
| ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
|
| updateRequestForAccessControl(crossOriginRequest, getSecurityOrigin(), effectiveAllowCredentials());
|
| @@ -292,7 +301,7 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
|
| m_actualRequest = crossOriginRequest;
|
| m_actualOptions = crossOriginOptions;
|
|
|
| - bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPreflight(m_document);
|
| + bool shouldForcePreflight = request.isExternalRequest() || InspectorInstrumentation::shouldForceCORSPreflight(m_document);
|
| bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSkipPreflight(getSecurityOrigin()->toString(), m_actualRequest.url(), effectiveAllowCredentials(), m_actualRequest.httpMethod(), m_actualRequest.httpHeaderFields());
|
| if (canSkipPreflight && !shouldForcePreflight) {
|
| loadActualRequest();
|
| @@ -598,6 +607,12 @@ void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& r
|
| return;
|
| }
|
|
|
| + if (m_actualRequest.isExternalRequest() && !passesExternalPreflightCheck(response, accessControlErrorDescription)) {
|
| + handlePreflightFailure(response.url().getString(), accessControlErrorDescription);
|
| + // |this| may be dead here in async mode.
|
| + return;
|
| + }
|
| +
|
| OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
|
| if (!preflightResult->parse(response, accessControlErrorDescription)
|
| || !preflightResult->allowsCrossOriginMethod(m_actualRequest.httpMethod(), accessControlErrorDescription)
|
|
|
Chromium Code Reviews
Issue 1745083002:
CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master