Chromium Code Reviews Chromium Code Reviews
Issue 1749153002:
CORS-RFC1918: Teach ResourceRequest about "external" requests (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2003, 2006 Apple Computer, Inc. All rights reserved. | 2 * Copyright (C) 2003, 2006 Apple Computer, Inc. All rights reserved. |
| 3 * Copyright (C) 2009, 2012 Google Inc. All rights reserved. | 3 * Copyright (C) 2009, 2012 Google Inc. All rights reserved. |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
| 7 * are met: | 7 * are met: |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| 11 * notice, this list of conditions and the following disclaimer in the | 11 * notice, this list of conditions and the following disclaimer in the |
| 12 * documentation and/or other materials provided with the distribution. | 12 * documentation and/or other materials provided with the distribution. |
| 13 * | 13 * |
| 14 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY | 14 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY |
| 15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR | 17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR |
| 18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | 18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| 19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | 19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | 20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| 21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | 21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| 22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 25 */ | 25 */ |
| 26 | 26 |
| 27 #include "platform/network/ResourceRequest.h" | 27 #include "platform/network/ResourceRequest.h" |
| 28 | 28 |
| 29 #include "platform/HTTPNames.h" | 29 #include "platform/HTTPNames.h" |
| 30 #include "platform/RuntimeEnabledFeatures.h" | |
| 30 #include "platform/weborigin/SecurityOrigin.h" | 31 #include "platform/weborigin/SecurityOrigin.h" |
| 32 #include "public/platform/Platform.h" | |
| 31 #include "public/platform/WebURLRequest.h" | 33 #include "public/platform/WebURLRequest.h" |
| 32 | 34 |
| 33 namespace blink { | 35 namespace blink { |
| 34 | 36 |
| 35 double ResourceRequest::s_defaultTimeoutInterval = INT_MAX; | 37 double ResourceRequest::s_defaultTimeoutInterval = INT_MAX; |
| 36 | 38 |
| 37 ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data) | 39 ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data) |
| 38 : ResourceRequest() | 40 : ResourceRequest() |
| 39 { | 41 { |
| 40 setURL(data->m_url); | 42 setURL(data->m_url); |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 61 setRequestContext(data->m_requestContext); | 63 setRequestContext(data->m_requestContext); |
| 62 setFrameType(data->m_frameType); | 64 setFrameType(data->m_frameType); |
| 63 setFetchRequestMode(data->m_fetchRequestMode); | 65 setFetchRequestMode(data->m_fetchRequestMode); |
| 64 setFetchCredentialsMode(data->m_fetchCredentialsMode); | 66 setFetchCredentialsMode(data->m_fetchCredentialsMode); |
| 65 setFetchRedirectMode(data->m_fetchRedirectMode); | 67 setFetchRedirectMode(data->m_fetchRedirectMode); |
| 66 setLoFiState(data->m_loFiState); | 68 setLoFiState(data->m_loFiState); |
| 67 m_referrerPolicy = data->m_referrerPolicy; | 69 m_referrerPolicy = data->m_referrerPolicy; |
| 68 m_didSetHTTPReferrer = data->m_didSetHTTPReferrer; | 70 m_didSetHTTPReferrer = data->m_didSetHTTPReferrer; |
| 69 m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation; | 71 m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation; |
| 70 m_uiStartTime = data->m_uiStartTime; | 72 m_uiStartTime = data->m_uiStartTime; |
| 71 m_originatesFromReservedIPRange = data->m_originatesFromReservedIPRange; | 73 m_isExternalRequest = data->m_isExternalRequest; |
| 72 m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy; | 74 m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy; |
| 73 m_followedRedirect = data->m_followedRedirect; | 75 m_followedRedirect = data->m_followedRedirect; |
| 74 } | 76 } |
| 75 | 77 |
| 76 PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const | 78 PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const |
| 77 { | 79 { |
| 78 OwnPtr<CrossThreadResourceRequestData> data = adoptPtr(new CrossThreadResour ceRequestData()); | 80 OwnPtr<CrossThreadResourceRequestData> data = adoptPtr(new CrossThreadResour ceRequestData()); |
| 79 data->m_url = url().copy(); | 81 data->m_url = url().copy(); |
| 80 data->m_cachePolicy = getCachePolicy(); | 82 data->m_cachePolicy = getCachePolicy(); |
| 81 data->m_timeoutInterval = timeoutInterval(); | 83 data->m_timeoutInterval = timeoutInterval(); |
| (...skipping 19 matching lines...) Expand all Loading... | |
| 101 data->m_requestContext = m_requestContext; | 103 data->m_requestContext = m_requestContext; |
| 102 data->m_frameType = m_frameType; | 104 data->m_frameType = m_frameType; |
| 103 data->m_fetchRequestMode = m_fetchRequestMode; | 105 data->m_fetchRequestMode = m_fetchRequestMode; |
| 104 data->m_fetchCredentialsMode = m_fetchCredentialsMode; | 106 data->m_fetchCredentialsMode = m_fetchCredentialsMode; |
| 105 data->m_fetchRedirectMode = m_fetchRedirectMode; | 107 data->m_fetchRedirectMode = m_fetchRedirectMode; |
| 106 data->m_loFiState = m_loFiState; | 108 data->m_loFiState = m_loFiState; |
| 107 data->m_referrerPolicy = m_referrerPolicy; | 109 data->m_referrerPolicy = m_referrerPolicy; |
| 108 data->m_didSetHTTPReferrer = m_didSetHTTPReferrer; | 110 data->m_didSetHTTPReferrer = m_didSetHTTPReferrer; |
| 109 data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation; | 111 data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation; |
| 110 data->m_uiStartTime = m_uiStartTime; | 112 data->m_uiStartTime = m_uiStartTime; |
| 111 data->m_originatesFromReservedIPRange = m_originatesFromReservedIPRange; | 113 data->m_isExternalRequest = m_isExternalRequest; |
| 112 data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy; | 114 data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy; |
| 113 data->m_followedRedirect = m_followedRedirect; | 115 data->m_followedRedirect = m_followedRedirect; |
| 114 return data.release(); | 116 return data.release(); |
| 115 } | 117 } |
| 116 | 118 |
| 117 bool ResourceRequest::isEmpty() const | 119 bool ResourceRequest::isEmpty() const |
| 118 { | 120 { |
| 119 return m_url.isEmpty(); | 121 return m_url.isEmpty(); |
| 120 } | 122 } |
| 121 | 123 |
| (...skipping 242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 364 { | 366 { |
| 365 if (!equalIgnoringHeaderFields(a, b)) | 367 if (!equalIgnoringHeaderFields(a, b)) |
| 366 return false; | 368 return false; |
| 367 | 369 |
| 368 if (a.httpHeaderFields() != b.httpHeaderFields()) | 370 if (a.httpHeaderFields() != b.httpHeaderFields()) |
| 369 return false; | 371 return false; |
| 370 | 372 |
| 371 return true; | 373 return true; |
| 372 } | 374 } |
| 373 | 375 |
| 376 void ResourceRequest::setIsExternalRequest(bool contextHostedInReservedIPRange) | |
| 377 { | |
| 378 // TODO(mkwst): This only checks explicit IP addresses. We'll have to move a ll this up to //net and //content in | |
| 379 // order to have any real impact on gateway attacks. That turns out to be a TON of work. https://crbug.com/378566 | |
| 380 m_isExternalRequest = RuntimeEnabledFeatures::corsRFC1918Enabled() && !conte xtHostedInReservedIPRange && (Platform::current()->isReservedIPAddress(m_url.hos t()) || m_url.host() == "localhost"); | |
| 381 } | |
| 382 | |
| 374 bool ResourceRequest::isConditional() const | 383 bool ResourceRequest::isConditional() const |
| 375 { | 384 { |
| 376 return (m_httpHeaderFields.contains(HTTPNames::If_Match) | 385 return (m_httpHeaderFields.contains(HTTPNames::If_Match) |
| 377 || m_httpHeaderFields.contains(HTTPNames::If_Modified_Since) | 386 || m_httpHeaderFields.contains(HTTPNames::If_Modified_Since) |
| 378 || m_httpHeaderFields.contains(HTTPNames::If_None_Match) | 387 || m_httpHeaderFields.contains(HTTPNames::If_None_Match) |
| 379 || m_httpHeaderFields.contains(HTTPNames::If_Range) | 388 || m_httpHeaderFields.contains(HTTPNames::If_Range) |
| 380 || m_httpHeaderFields.contains(HTTPNames::If_Unmodified_Since)); | 389 || m_httpHeaderFields.contains(HTTPNames::If_Unmodified_Since)); |
| 381 } | 390 } |
| 382 | 391 |
| 383 void ResourceRequest::setHasUserGesture(bool hasUserGesture) | 392 void ResourceRequest::setHasUserGesture(bool hasUserGesture) |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 432 // Contrary to the Fetch spec, we default to same-origin mode here, and deal | 441 // Contrary to the Fetch spec, we default to same-origin mode here, and deal |
| 433 // with CORS modes in updateRequestForAccessControl if we're called in a | 442 // with CORS modes in updateRequestForAccessControl if we're called in a |
| 434 // context which requires it. | 443 // context which requires it. |
| 435 m_fetchCredentialsMode = WebURLRequest::FetchCredentialsModeSameOrigin; | 444 m_fetchCredentialsMode = WebURLRequest::FetchCredentialsModeSameOrigin; |
| 436 m_fetchRedirectMode = WebURLRequest::FetchRedirectModeFollow; | 445 m_fetchRedirectMode = WebURLRequest::FetchRedirectModeFollow; |
| 437 m_referrerPolicy = ReferrerPolicyDefault; | 446 m_referrerPolicy = ReferrerPolicyDefault; |
| 438 m_loFiState = WebURLRequest::LoFiUnspecified; | 447 m_loFiState = WebURLRequest::LoFiUnspecified; |
| 439 m_didSetHTTPReferrer = false; | 448 m_didSetHTTPReferrer = false; |
| 440 m_checkForBrowserSideNavigation = true; | 449 m_checkForBrowserSideNavigation = true; |
| 441 m_uiStartTime = 0; | 450 m_uiStartTime = 0; |
| 442 m_originatesFromReservedIPRange = false; | 451 m_isExternalRequest = false; |
|
jochen (gone - plz use gerrit)
2016/03/01 15:42:29
should this default to true if the runtime flag is
Mike West
2016/03/02 08:50:03
I don't think so, because we'll end up using this
| |
| 443 m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport; | 452 m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport; |
| 444 m_followedRedirect = false; | 453 m_followedRedirect = false; |
| 445 m_requestorOrigin = SecurityOrigin::createUnique(); | 454 m_requestorOrigin = SecurityOrigin::createUnique(); |
| 446 } | 455 } |
| 447 | 456 |
| 448 } // namespace blink | 457 } // namespace blink |
| OLD | NEW |
