CORS-RFC1918: Teach ResourceRequest about "external" requests

third_party/WebKit/Source/platform/network/ResourceRequest.cpp

Index: third_party/WebKit/Source/platform/network/ResourceRequest.cpp
diff --git a/third_party/WebKit/Source/platform/network/ResourceRequest.cpp b/third_party/WebKit/Source/platform/network/ResourceRequest.cpp
index f54b7d5cb6387f166b626708c362b87210fd4ca9..45d8d1aed016026539a8b864f0e9e1b292802126 100644
--- a/third_party/WebKit/Source/platform/network/ResourceRequest.cpp
+++ b/third_party/WebKit/Source/platform/network/ResourceRequest.cpp
@@ -27,7 +27,9 @@
 #include "platform/network/ResourceRequest.h"
 
 #include "platform/HTTPNames.h"
+#include "platform/RuntimeEnabledFeatures.h"
 #include "platform/weborigin/SecurityOrigin.h"
+#include "public/platform/Platform.h"
 #include "public/platform/WebURLRequest.h"
 
 namespace blink {
@@ -68,7 +70,7 @@ ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data)
     m_didSetHTTPReferrer = data->m_didSetHTTPReferrer;
     m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation;
     m_uiStartTime = data->m_uiStartTime;
-    m_originatesFromReservedIPRange = data->m_originatesFromReservedIPRange;
+    m_isExternalRequest = data->m_isExternalRequest;
     m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy;
     m_followedRedirect = data->m_followedRedirect;
 }
@@ -108,7 +110,7 @@ PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const
     data->m_didSetHTTPReferrer = m_didSetHTTPReferrer;
     data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation;
     data->m_uiStartTime = m_uiStartTime;
-    data->m_originatesFromReservedIPRange = m_originatesFromReservedIPRange;
+    data->m_isExternalRequest = m_isExternalRequest;
     data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy;
     data->m_followedRedirect = m_followedRedirect;
     return data.release();
@@ -371,6 +373,13 @@ bool ResourceRequest::compare(const ResourceRequest& a, const ResourceRequest& b
     return true;
 }
 
+void ResourceRequest::setIsExternalRequest(bool contextHostedInReservedIPRange)
+{
+    // TODO(mkwst): This only checks explicit IP addresses. We'll have to move all this up to //net and //content in
+    // order to have any real impact on gateway attacks. That turns out to be a TON of work. https://crbug.com/378566
+    m_isExternalRequest = RuntimeEnabledFeatures::corsRFC1918Enabled() && !contextHostedInReservedIPRange && (Platform::current()->isReservedIPAddress(m_url.host()) || m_url.host() == "localhost");
+}
+
 bool ResourceRequest::isConditional() const
 {
     return (m_httpHeaderFields.contains(HTTPNames::If_Match)
@@ -439,7 +448,7 @@ void ResourceRequest::initialize(const KURL& url)
     m_didSetHTTPReferrer = false;
     m_checkForBrowserSideNavigation = true;
     m_uiStartTime = 0;
-    m_originatesFromReservedIPRange = false;
+    m_isExternalRequest = false;

[jochen (gone - plz use gerrit), 2016/03/01 15:42:29]

should this default to true if the runtime flag is on?

[Mike West, 2016/03/02 08:50:03]

I don't think so, because we'll end up using this for navigations as well, and
need to ensure that top-level navigations that are user-initiated (address bar,
bookmark, etc) don't force preflights. It seems like the right way to do that is
for the default to be non-external, and only change the setting if we're in the
context of a document (as we do in FrameFetchContext).

     m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport;
     m_followedRedirect = false;
     m_requestorOrigin = SecurityOrigin::createUnique();