Chromium Code Reviews Chromium Code Reviews
Issue 23582002:
CORS: Update the redirection status in Inspector Network tab for CORS requests. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 199 if (isAllowedRedirect(request.url())) { | 199 if (isAllowedRedirect(request.url())) { |
| 200 if (m_client->isDocumentThreadableLoaderClient()) | 200 if (m_client->isDocumentThreadableLoaderClient()) |
| 201 static_cast<DocumentThreadableLoaderClient*>(m_client)->willSendRequ est(request, redirectResponse); | 201 static_cast<DocumentThreadableLoaderClient*>(m_client)->willSendRequ est(request, redirectResponse); |
| 202 return; | 202 return; |
| 203 } | 203 } |
| 204 | 204 |
| 205 // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported | 205 // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported |
| 206 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the | 206 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the |
| 207 // original request was not same-origin. | 207 // original request was not same-origin. |
| 208 if (m_options.crossOriginRequestPolicy == UseAccessControl) { | 208 if (m_options.crossOriginRequestPolicy == UseAccessControl) { |
| 209 | |
| 210 DocumentLoader* loader = m_document->frame()->loader()->documentLoader() ; | |
| 211 InspectorInstrumentationCookie cookie = InspectorInstrumentation::willRe ceiveResourceResponse(m_document->frame(), resource->identifier(), redirectRespo nse); | |
|
pfeldman
2013/08/27 14:21:33
You should not need 2 instrumenting signals here,
ancilgeorge
2013/08/28 08:14:36
Done.
| |
| 212 InspectorInstrumentation::didReceiveCORSRedirectResponse(cookie, resourc e->identifier(), loader, redirectResponse, 0, resource->loadFinishTime()); | |
| 213 | |
| 209 bool allowRedirect = false; | 214 bool allowRedirect = false; |
| 215 String accessControlErrorDescription; | |
| 210 if (m_simpleRequest) { | 216 if (m_simpleRequest) { |
| 211 String accessControlErrorDescription; | |
| 212 allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(re quest.url().protocol()) | 217 allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(re quest.url().protocol()) |
| 213 && request.url().user().isEmpty() | 218 && request.url().user().isEmpty() |
| 214 && request.url().pass().isEmpty() | 219 && request.url().pass().isEmpty() |
| 215 && (m_sameOriginRequest || passesAccessControlCheck( redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErr orDescription)); | 220 && (m_sameOriginRequest || passesAccessControlCheck( redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErr orDescription)); |
| 221 } else { | |
| 222 accessControlErrorDescription = "Cross Origin Requests with prefligh t cannot be redirected"; | |
| 216 } | 223 } |
| 217 | 224 |
| 218 if (allowRedirect) { | 225 if (allowRedirect) { |
| 219 if (m_resource) | 226 if (m_resource) |
| 220 clearResource(); | 227 clearResource(); |
| 221 | 228 |
| 222 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url()); | 229 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url()); |
| 223 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url()); | 230 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url()); |
| 224 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin, | 231 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin, |
| 225 // set the source origin to a globally unique identifier. (If the or iginal request was same-origin, the origin of the new request | 232 // set the source origin to a globally unique identifier. (If the or iginal request was same-origin, the origin of the new request |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 236 | 243 |
| 237 // Remove any headers that may have been added by the network layer that cause access control to fail. | 244 // Remove any headers that may have been added by the network layer that cause access control to fail. |
| 238 request.clearHTTPContentType(); | 245 request.clearHTTPContentType(); |
| 239 request.clearHTTPReferrer(); | 246 request.clearHTTPReferrer(); |
| 240 request.clearHTTPOrigin(); | 247 request.clearHTTPOrigin(); |
| 241 request.clearHTTPUserAgent(); | 248 request.clearHTTPUserAgent(); |
| 242 request.clearHTTPAccept(); | 249 request.clearHTTPAccept(); |
| 243 makeCrossOriginAccessRequest(request); | 250 makeCrossOriginAccessRequest(request); |
| 244 return; | 251 return; |
| 245 } | 252 } |
| 253 | |
| 254 ResourceError error(errorDomainWebKitInternal, 0, redirectResponse.url() .string(), accessControlErrorDescription); | |
| 255 m_client->didFailAccessControlCheck(error); | |
| 256 } else { | |
| 257 m_client->didFailRedirectCheck(); | |
| 246 } | 258 } |
| 247 | |
| 248 m_client->didFailRedirectCheck(); | |
| 249 request = ResourceRequest(); | 259 request = ResourceRequest(); |
| 250 } | 260 } |
| 251 | 261 |
| 252 void DocumentThreadableLoader::dataSent(Resource* resource, unsigned long long b ytesSent, unsigned long long totalBytesToBeSent) | 262 void DocumentThreadableLoader::dataSent(Resource* resource, unsigned long long b ytesSent, unsigned long long totalBytesToBeSent) |
| 253 { | 263 { |
| 254 ASSERT(m_client); | 264 ASSERT(m_client); |
| 255 ASSERT_UNUSED(resource, resource == m_resource); | 265 ASSERT_UNUSED(resource, resource == m_resource); |
| 256 m_client->didSendData(bytesSent, totalBytesToBeSent); | 266 m_client->didSendData(bytesSent, totalBytesToBeSent); |
| 257 } | 267 } |
| 258 | 268 |
| (...skipping 227 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 486 return true; | 496 return true; |
| 487 return m_document->contentSecurityPolicy()->allowConnectToSource(url); | 497 return m_document->contentSecurityPolicy()->allowConnectToSource(url); |
| 488 } | 498 } |
| 489 | 499 |
| 490 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 500 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
| 491 { | 501 { |
| 492 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen t->securityOrigin(); | 502 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen t->securityOrigin(); |
| 493 } | 503 } |
| 494 | 504 |
| 495 } // namespace WebCore | 505 } // namespace WebCore |
| OLD | NEW |
