Index: third_party/WebKit/Source/platform/network/ResourceRequest.cpp |
diff --git a/third_party/WebKit/Source/platform/network/ResourceRequest.cpp b/third_party/WebKit/Source/platform/network/ResourceRequest.cpp |
index f54b7d5cb6387f166b626708c362b87210fd4ca9..fb53eecdad67d6cecd8ec55963da9cdf91155dfe 100644 |
--- a/third_party/WebKit/Source/platform/network/ResourceRequest.cpp |
+++ b/third_party/WebKit/Source/platform/network/ResourceRequest.cpp |
@@ -27,7 +27,9 @@ |
#include "platform/network/ResourceRequest.h" |
#include "platform/HTTPNames.h" |
+#include "platform/RuntimeEnabledFeatures.h" |
#include "platform/weborigin/SecurityOrigin.h" |
+#include "public/platform/Platform.h" |
#include "public/platform/WebURLRequest.h" |
namespace blink { |
@@ -68,7 +70,7 @@ ResourceRequest::ResourceRequest(CrossThreadResourceRequestData* data) |
m_didSetHTTPReferrer = data->m_didSetHTTPReferrer; |
m_checkForBrowserSideNavigation = data->m_checkForBrowserSideNavigation; |
m_uiStartTime = data->m_uiStartTime; |
- m_originatesFromReservedIPRange = data->m_originatesFromReservedIPRange; |
+ m_isExternalRequest = data->m_isExternalRequest; |
m_inputPerfMetricReportPolicy = data->m_inputPerfMetricReportPolicy; |
m_followedRedirect = data->m_followedRedirect; |
} |
@@ -108,7 +110,7 @@ PassOwnPtr<CrossThreadResourceRequestData> ResourceRequest::copyData() const |
data->m_didSetHTTPReferrer = m_didSetHTTPReferrer; |
data->m_checkForBrowserSideNavigation = m_checkForBrowserSideNavigation; |
data->m_uiStartTime = m_uiStartTime; |
- data->m_originatesFromReservedIPRange = m_originatesFromReservedIPRange; |
+ data->m_isExternalRequest = m_isExternalRequest; |
data->m_inputPerfMetricReportPolicy = m_inputPerfMetricReportPolicy; |
data->m_followedRedirect = m_followedRedirect; |
return data.release(); |
@@ -371,6 +373,28 @@ bool ResourceRequest::compare(const ResourceRequest& a, const ResourceRequest& b |
return true; |
} |
+void ResourceRequest::setExternalRequestStateFromRequestorAddressSpace(WebURLRequest::AddressSpace requestorSpace) |
+{ |
+ static_assert(WebURLRequest::AddressSpaceLocal < WebURLRequest::AddressSpacePrivate, "Local is inside Private"); |
+ static_assert(WebURLRequest::AddressSpaceLocal < WebURLRequest::AddressSpacePublic, "Local is inside Public"); |
+ static_assert(WebURLRequest::AddressSpacePrivate < WebURLRequest::AddressSpacePublic, "Private is inside Public"); |
+ |
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move all this up to //net and //content in |
+ // order to have any real impact on gateway attacks. That turns out to be a TON of work. https://crbug.com/378566 |
+ if (!RuntimeEnabledFeatures::corsRFC1918Enabled()) { |
+ m_isExternalRequest = false; |
+ return; |
+ } |
+ |
+ WebURLRequest::AddressSpace targetSpace = WebURLRequest::AddressSpacePublic; |
+ if (Platform::current()->isReservedIPAddress(m_url.host())) |
+ targetSpace = WebURLRequest::AddressSpacePrivate; |
+ if (SecurityOrigin::create(m_url)->isLocalhost()) |
+ targetSpace = WebURLRequest::AddressSpaceLocal; |
+ |
+ m_isExternalRequest = requestorSpace > targetSpace; |
+} |
+ |
bool ResourceRequest::isConditional() const |
{ |
return (m_httpHeaderFields.contains(HTTPNames::If_Match) |
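Review bot: `m_isExternalRequest` is computed once from `m_url` inside `setExternalRequestStateFromRequestorAddressSpace()` and nothing in this hunk recomputes it, so the flag can go stale if the URL is later changed or the request follows a redirect to a different host. Whether `setURL()` or the redirect path re-invokes this function is outside the hunk and worth confirming. The target space also defaults to `AddressSpacePublic`, so any host that is neither an IP literal nor localhost yields `false`, as does the feature-disabled branch; consumers should read `false` as "not classified" rather than "verified not external". I would put that contract in a comment above the function, e.g. `// Snapshot of m_url at call time; re-run if the URL changes. false means "not flagged", not "known safe".` Minor: `SecurityOrigin::create(m_url)` builds a whole origin just to call `isLocalhost()` and may not inspect the same host string as `m_url.host()`, so deriving both checks from one host value would be easier to reason about.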
@@ -439,7 +463,7 @@ void ResourceRequest::initialize(const KURL& url) |
m_didSetHTTPReferrer = false; |
m_checkForBrowserSideNavigation = true; |
m_uiStartTime = 0; |
- m_originatesFromReservedIPRange = false; |
+ m_isExternalRequest = false; |
m_inputPerfMetricReportPolicy = InputToLoadPerfMetricReportPolicy::NoReport; |
m_followedRedirect = false; |
m_requestorOrigin = SecurityOrigin::createUnique(); |