Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(205)

Side by Side Diff: third_party/WebKit/Source/platform/network/ResourceRequest.cpp

Issue 1749153002: CORS-RFC1918: Teach ResourceRequest about "external" requests (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2003, 2006 Apple Computer, Inc. All rights reserved. 2 * Copyright (C) 2003, 2006 Apple Computer, Inc. All rights reserved.
3 * Copyright (C) 2009, 2012 Google Inc. All rights reserved. 3 * Copyright (C) 2009, 2012 Google Inc. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
7 * are met: 7 * are met:
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the 11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution. 12 * documentation and/or other materials provided with the distribution.
13 * 13 *
14 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY 14 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR 17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */ 25 */
26 26
27 #include "platform/network/ResourceRequest.h" 27 #include "platform/network/ResourceRequest.h"
28 28
29 #include "platform/HTTPNames.h" 29 #include "platform/HTTPNames.h"
30 #include "platform/RuntimeEnabledFeatures.h"
30 #include "platform/weborigin/SecurityOrigin.h" 31 #include "platform/weborigin/SecurityOrigin.h"
32 #include "public/platform/Platform.h"
31 #include "public/platform/WebURLRequest.h" 33 #include "public/platform/WebURLRequest.h"
32 34
33 namespace blink { 35 namespace blink {
34 36
35 double ResourceRequest::s_defaultTimeoutInterval = INT_MAX; 37 double ResourceRequest::s_defaultTimeoutInterval = INT_MAX;
36 38
37 ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data) 39 ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data)
38 : ResourceRequest() 40 : ResourceRequest()
39 { 41 {
40 setURL(data->m_url); 42 setURL(data->m_url);
(...skipping 20 matching lines...) Expand all
61 setRequestContext(data->m_requestContext); 63 setRequestContext(data->m_requestContext);
62 setFrameType(data->m_frameType); 64 setFrameType(data->m_frameType);
63 setFetchRequestMode(data->m_fetchRequestMode); 65 setFetchRequestMode(data->m_fetchRequestMode);
64 setFetchCredentialsMode(data->m_fetchCredentialsMode); 66 setFetchCredentialsMode(data->m_fetchCredentialsMode);
65 setFetchRedirectMode(data->m_fetchRedirectMode); 67 setFetchRedirectMode(data->m_fetchRedirectMode);
66 setLoFiState(data->m_loFiState); 68 setLoFiState(data->m_loFiState);
67 m_referrerPolicy = data->m_referrerPolicy; 69 m_referrerPolicy = data->m_referrerPolicy;
68 m_didSetHTTPReferrer = data->m_didSetHTTPReferrer; 70 m_didSetHTTPReferrer = data->m_didSetHTTPReferrer;
69 m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation; 71 m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation;
70 m_uiStartTime = data->m_uiStartTime; 72 m_uiStartTime = data->m_uiStartTime;
71 m_originatesFromReservedIPRange = data->m_originatesFromReservedIPRange; 73 m_isExternalRequest = data->m_isExternalRequest;
72 m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy; 74 m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy;
73 m_followedRedirect = data->m_followedRedirect; 75 m_followedRedirect = data->m_followedRedirect;
74 } 76 }
75 77
76 PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const 78 PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const
77 { 79 {
78 OwnPtr<CrossThreadResourceRequestData> data = adoptPtr(new CrossThreadResour ceRequestData()); 80 OwnPtr<CrossThreadResourceRequestData> data = adoptPtr(new CrossThreadResour ceRequestData());
79 data->m_url = url().copy(); 81 data->m_url = url().copy();
80 data->m_cachePolicy = getCachePolicy(); 82 data->m_cachePolicy = getCachePolicy();
81 data->m_timeoutInterval = timeoutInterval(); 83 data->m_timeoutInterval = timeoutInterval();
(...skipping 19 matching lines...) Expand all
101 data->m_requestContext = m_requestContext; 103 data->m_requestContext = m_requestContext;
102 data->m_frameType = m_frameType; 104 data->m_frameType = m_frameType;
103 data->m_fetchRequestMode = m_fetchRequestMode; 105 data->m_fetchRequestMode = m_fetchRequestMode;
104 data->m_fetchCredentialsMode = m_fetchCredentialsMode; 106 data->m_fetchCredentialsMode = m_fetchCredentialsMode;
105 data->m_fetchRedirectMode = m_fetchRedirectMode; 107 data->m_fetchRedirectMode = m_fetchRedirectMode;
106 data->m_loFiState = m_loFiState; 108 data->m_loFiState = m_loFiState;
107 data->m_referrerPolicy = m_referrerPolicy; 109 data->m_referrerPolicy = m_referrerPolicy;
108 data->m_didSetHTTPReferrer = m_didSetHTTPReferrer; 110 data->m_didSetHTTPReferrer = m_didSetHTTPReferrer;
109 data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation; 111 data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation;
110 data->m_uiStartTime = m_uiStartTime; 112 data->m_uiStartTime = m_uiStartTime;
111 data->m_originatesFromReservedIPRange = m_originatesFromReservedIPRange; 113 data->m_isExternalRequest = m_isExternalRequest;
112 data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy; 114 data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy;
113 data->m_followedRedirect = m_followedRedirect; 115 data->m_followedRedirect = m_followedRedirect;
114 return data.release(); 116 return data.release();
115 } 117 }
116 118
117 bool ResourceRequest::isEmpty() const 119 bool ResourceRequest::isEmpty() const
118 { 120 {
119 return m_url.isEmpty(); 121 return m_url.isEmpty();
120 } 122 }
121 123
(...skipping 242 matching lines...) Expand 10 before | Expand all | Expand 10 after
364 { 366 {
365 if (!equalIgnoringHeaderFields(a, b)) 367 if (!equalIgnoringHeaderFields(a, b))
366 return false; 368 return false;
367 369
368 if (a.httpHeaderFields() != b.httpHeaderFields()) 370 if (a.httpHeaderFields() != b.httpHeaderFields())
369 return false; 371 return false;
370 372
371 return true; 373 return true;
372 } 374 }
373 375
376 void ResourceRequest::setIsExternalRequest(bool contextHostedInReservedIPRange)
377 {
378 // TODO(mkwst): This only checks explicit IP addresses. We'll have to move a ll this up to //net and //content in
379 // order to have any real impact on gateway attacks. That turns out to be a TON of work. https://crbug.com/378566
380 m_isExternalRequest = RuntimeEnabledFeatures::corsRFC1918Enabled() && !conte xtHostedInReservedIPRange && (Platform::current()->isReservedIPAddress(m_url.hos t()) || m_url.host() == "localhost");
381 }
382
374 bool ResourceRequest::isConditional() const 383 bool ResourceRequest::isConditional() const
375 { 384 {
376 return (m_httpHeaderFields.contains(HTTPNames::If_Match) 385 return (m_httpHeaderFields.contains(HTTPNames::If_Match)
377 || m_httpHeaderFields.contains(HTTPNames::If_Modified_Since) 386 || m_httpHeaderFields.contains(HTTPNames::If_Modified_Since)
378 || m_httpHeaderFields.contains(HTTPNames::If_None_Match) 387 || m_httpHeaderFields.contains(HTTPNames::If_None_Match)
379 || m_httpHeaderFields.contains(HTTPNames::If_Range) 388 || m_httpHeaderFields.contains(HTTPNames::If_Range)
380 || m_httpHeaderFields.contains(HTTPNames::If_Unmodified_Since)); 389 || m_httpHeaderFields.contains(HTTPNames::If_Unmodified_Since));
381 } 390 }
382 391
383 void ResourceRequest::setHasUserGesture(bool hasUserGesture) 392 void ResourceRequest::setHasUserGesture(bool hasUserGesture)
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
432 // Contrary to the Fetch spec, we default to same-origin mode here, and deal 441 // Contrary to the Fetch spec, we default to same-origin mode here, and deal
433 // with CORS modes in updateRequestForAccessControl if we're called in a 442 // with CORS modes in updateRequestForAccessControl if we're called in a
434 // context which requires it. 443 // context which requires it.
435 m_fetchCredentialsMode = WebURLRequest::FetchCredentialsModeSameOrigin; 444 m_fetchCredentialsMode = WebURLRequest::FetchCredentialsModeSameOrigin;
436 m_fetchRedirectMode = WebURLRequest::FetchRedirectModeFollow; 445 m_fetchRedirectMode = WebURLRequest::FetchRedirectModeFollow;
437 m_referrerPolicy = ReferrerPolicyDefault; 446 m_referrerPolicy = ReferrerPolicyDefault;
438 m_loFiState = WebURLRequest::LoFiUnspecified; 447 m_loFiState = WebURLRequest::LoFiUnspecified;
439 m_didSetHTTPReferrer = false; 448 m_didSetHTTPReferrer = false;
440 m_checkForBrowserSideNavigation = true; 449 m_checkForBrowserSideNavigation = true;
441 m_uiStartTime = 0; 450 m_uiStartTime = 0;
442 m_originatesFromReservedIPRange = false; 451 m_isExternalRequest = false;
jochen (gone - plz use gerrit) 2016/03/01 15:42:29 should this default to true if the runtime flag is
Mike West 2016/03/02 08:50:03 I don't think so, because we'll end up using this
443 m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport; 452 m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport;
444 m_followedRedirect = false; 453 m_followedRedirect = false;
445 m_requestorOrigin = SecurityOrigin::createUnique(); 454 m_requestorOrigin = SecurityOrigin::createUnique();
446 } 455 }
447 456
448 } // namespace blink 457 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698