third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp - Issue 1969403004: Expose and check origin of request in response for foreign fetch.

Side by Side Diff: third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp

Issue 1969403004: Expose and check origin of request in response for foreign fetch. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@set-request-and-credentials-mode

Patch Set: update layouttests Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.h ('k') | third_party/WebKit/Source/modules/serviceworkers/RespondWithObserver.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2016 The Chromium Authors. All rights reserved.	1 // Copyright 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "modules/serviceworkers/ForeignFetchRespondWithObserver.h"	5 #include "modules/serviceworkers/ForeignFetchRespondWithObserver.h"

6	6

7 #include "modules/serviceworkers/ForeignFetchResponse.h"	7 #include "modules/serviceworkers/ForeignFetchResponse.h"

8	8

9 namespace blink {	9 namespace blink {

10	10

11 ForeignFetchRespondWithObserver* ForeignFetchRespondWithObserver::create(Executi onContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchReq uestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::Request Context requestContext)	11 ForeignFetchRespondWithObserver* ForeignFetchRespondWithObserver::create(Executi onContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchReq uestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::Request Context requestContext, PassRefPtr<SecurityOrigin> requestOrigin)

12 {	12 {

13 return new ForeignFetchRespondWithObserver(context, eventID, requestURL, req uestMode, frameType, requestContext);	13 return new ForeignFetchRespondWithObserver(context, eventID, requestURL, req uestMode, frameType, requestContext, requestOrigin);

14 }	14 }

15	15

16 void ForeignFetchRespondWithObserver::responseWasFulfilled(const ScriptValue& va lue)	16 void ForeignFetchRespondWithObserver::responseWasFulfilled(const ScriptValue& va lue)

17 {	17 {

18 ASSERT(getExecutionContext());	18 ASSERT(getExecutionContext());

19 TrackExceptionState exceptionState;	19 TrackExceptionState exceptionState;

20 ForeignFetchResponse foreignFetchResponse = ScriptValue::to<ForeignFetchResp onse>(toIsolate(getExecutionContext()), value, exceptionState);	20 ForeignFetchResponse foreignFetchResponse = ScriptValue::to<ForeignFetchResp onse>(toIsolate(getExecutionContext()), value, exceptionState);

21 if (exceptionState.hadException()) {	21 if (exceptionState.hadException()) {

22 responseWasRejected(WebServiceWorkerResponseErrorNoForeignFetchResponse) ;	22 responseWasRejected(WebServiceWorkerResponseErrorNoForeignFetchResponse) ;

23 return;	23 return;

24 }	24 }

25	25

26 // TODO(mek): Handle foreign fetch specific response parameters.

27 Response* response = foreignFetchResponse.response();	26 Response* response = foreignFetchResponse.response();

	27 const FetchResponseData* internalResponse = response->response();

	28 const bool isOpaque = internalResponse->getType() == FetchResponseData::Opaq ueType \|\| internalResponse->getType() == FetchResponseData::OpaqueRedirectType;

	29 if (internalResponse->getType() != FetchResponseData::DefaultType)

	30 internalResponse = internalResponse->internalResponse();

	31

	32 if (!foreignFetchResponse.hasOrigin()) {

	33 if (foreignFetchResponse.hasHeaders() && !foreignFetchResponse.headers() .isEmpty()) {

	34 responseWasRejected(WebServiceWorkerResponseErrorForeignFetchHeaders WithoutOrigin);

	35 return;

	36 }

	37

	38 // If response isn't already opaque, make it opaque.

	39 if (!isOpaque) {

	40 FetchResponseData* opaqueData = internalResponse->createOpaqueFilter edResponse();

	41 response = Response::create(getExecutionContext(), opaqueData);

	42 }

	43 } else if (m_requestOrigin->toString() != foreignFetchResponse.origin()) {
	Nate Chapin 2016/05/17 17:39:22 I don't know the spec well enough to know exactly I don't know the spec well enough to know exactly which check you want here, but I'm pretty sure the canonical way to do an origin check is with a function on SecurityOrigin, rather than via direct string compare. Maybe SecurityOrigin::isSameSchemeHostPort? Marijn Kruisselbrink 2016/05/17 17:43:16 I actually had that check first (and then realized Show quoted text On 2016/05/17 at 17:39:22, Nate Chapin wrote: > I don't know the spec well enough to know exactly which check you want here, but I'm pretty sure the canonical way to do an origin check is with a function on SecurityOrigin, rather than via direct string compare. Maybe SecurityOrigin::isSameSchemeHostPort? I actually had that check first (and then realized that the comment for isSameSchemeHostPort is wrong and there isn't currently a isSameOrigin equivalent method at all). But more importantly, the way regular CORS checks if an origin received in a Access-Control-Allow-Origin header is valid is by comparing the serialized origins, rather than comparing the origins themselves. And this code is very similar to CORS so it makes sense to do the same thing here. I don't know exactly why the fetch/cors spec (and the blink implementation of CORS) were written this way (where it matters is with what happens with unique origins; which are serialized as "null" and then always compare as equal with eachoterh), but for now this is definitely the correct check, and consistent with our CORS implementation.
	44 responseWasRejected(WebServiceWorkerResponseErrorForeignFetchMismatchedO rigin);

	45 return;

	46 } else if (!isOpaque) {

	47 // TODO(mek): Handle \|headers\| response attribute, and properly filter r esponse.

	48 }

	49

28 RespondWithObserver::responseWasFulfilled(ScriptValue::from(value.getScriptS tate(), response));	50 RespondWithObserver::responseWasFulfilled(ScriptValue::from(value.getScriptS tate(), response));

29 }	51 }

30	52

31 ForeignFetchRespondWithObserver::ForeignFetchRespondWithObserver(ExecutionContex t* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext)	53 ForeignFetchRespondWithObserver::ForeignFetchRespondWithObserver(ExecutionContex t* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext, PassRefPtr<SecurityOrigin> requestOrigin)

32 : RespondWithObserver(context, eventID, requestURL, requestMode, frameType, requestContext)	54 : RespondWithObserver(context, eventID, requestURL, requestMode, frameType, requestContext)

	55 , m_requestOrigin(requestOrigin)

33 {	56 {

34 }	57 }

35	58

36 } // namespace blink	59 } // namespace blink

OLD	NEW