| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| 154 BlockingBehavior blockingBehavior, | 154 BlockingBehavior blockingBehavior, |
| 155 const ThreadableLoaderOptions& options, | 155 const ThreadableLoaderOptions& options, |
| 156 const ResourceLoaderOptions& resourceLoaderOptions) | 156 const ResourceLoaderOptions& resourceLoaderOptions) |
| 157 : m_client(client), | 157 : m_client(client), |
| 158 m_document(&document), | 158 m_document(&document), |
| 159 m_options(options), | 159 m_options(options), |
| 160 m_resourceLoaderOptions(resourceLoaderOptions), | 160 m_resourceLoaderOptions(resourceLoaderOptions), |
| 161 m_forceDoNotAllowStoredCredentials(false), | 161 m_forceDoNotAllowStoredCredentials(false), |
| 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), | 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), |
| 163 m_sameOriginRequest(false), | 163 m_sameOriginRequest(false), |
| 164 m_crossOriginNonSimpleRequest(false), | |
| 165 m_isUsingDataConsumerHandle(false), | 164 m_isUsingDataConsumerHandle(false), |
| 166 m_async(blockingBehavior == LoadAsynchronously), | 165 m_async(blockingBehavior == LoadAsynchronously), |
| 167 m_requestContext(WebURLRequest::RequestContextUnspecified), | 166 m_requestContext(WebURLRequest::RequestContextUnspecified), |
| 168 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), | 167 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), |
| 169 m_requestStartedSeconds(0.0), | 168 m_requestStartedSeconds(0.0), |
| 170 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl | 169 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl |
| 171 ? kMaxCORSRedirects | 170 ? kMaxCORSRedirects |
| 172 : 0), | 171 : 0), |
| 173 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), | 172 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), |
| 174 m_overrideReferrer(false) { | 173 m_overrideReferrer(false) { |
| 379 // example, referrer. We need to accept them. For security, we must reject | 378 // example, referrer. We need to accept them. For security, we must reject |
| 380 // forbidden headers/methods at the point we accept user's input. Not here. | 379 // forbidden headers/methods at the point we accept user's input. Not here. |
| 381 if (!request.isExternalRequest() && | 380 if (!request.isExternalRequest() && |
| 382 ((m_options.preflightPolicy == ConsiderPreflight && | 381 ((m_options.preflightPolicy == ConsiderPreflight && |
| 383 FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), | 382 FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), |
| 384 request.httpHeaderFields())) || | 383 request.httpHeaderFields())) || |
| 385 m_options.preflightPolicy == PreventPreflight)) { | 384 m_options.preflightPolicy == PreventPreflight)) { |
| 386 prepareCrossOriginRequest(crossOriginRequest); | 385 prepareCrossOriginRequest(crossOriginRequest); |
| 387 loadRequest(crossOriginRequest, crossOriginOptions); | 386 loadRequest(crossOriginRequest, crossOriginOptions); |
| 388 } else { | 387 } else { |
| 389 m_crossOriginNonSimpleRequest = true; | |
| 390 | |
| 391 bool shouldForcePreflight = | 388 bool shouldForcePreflight = |
| 392 request.isExternalRequest() || | 389 request.isExternalRequest() || |
| 393 InspectorInstrumentation::shouldForceCORSPreflight(m_document); | 390 InspectorInstrumentation::shouldForceCORSPreflight(m_document); |
| 394 bool canSkipPreflight = | 391 bool canSkipPreflight = |
| 395 CrossOriginPreflightResultCache::shared().canSkipPreflight( | 392 CrossOriginPreflightResultCache::shared().canSkipPreflight( |
| 396 getSecurityOrigin()->toString(), crossOriginRequest.url(), | 393 getSecurityOrigin()->toString(), crossOriginRequest.url(), |
| 397 effectiveAllowCredentials(), crossOriginRequest.httpMethod(), | 394 effectiveAllowCredentials(), crossOriginRequest.httpMethod(), |
| 398 crossOriginRequest.httpHeaderFields()); | 395 crossOriginRequest.httpHeaderFields()); |
| 399 if (canSkipPreflight && !shouldForcePreflight) { | 396 if (canSkipPreflight && !shouldForcePreflight) { |
| 400 if (getSecurityOrigin()) | 397 if (getSecurityOrigin()) |
| 566 --m_corsRedirectLimit; | 563 --m_corsRedirectLimit; |
| 567 | 564 |
| 568 InspectorInstrumentation::didReceiveCORSRedirectResponse( | 565 InspectorInstrumentation::didReceiveCORSRedirectResponse( |
| 569 document().frame(), resource->identifier(), | 566 document().frame(), resource->identifier(), |
| 570 document().frame()->loader().documentLoader(), redirectResponse, | 567 document().frame()->loader().documentLoader(), redirectResponse, |
| 571 resource); | 568 resource); |
| 572 | 569 |
| 573 bool allowRedirect = false; | 570 bool allowRedirect = false; |
| 574 String accessControlErrorDescription; | 571 String accessControlErrorDescription; |
| 575 | 572 |
| 576 if (m_crossOriginNonSimpleRequest) { | 573 if (!CrossOriginAccessControl::isLegalRedirectLocation( |
| 577 // Non-simple cross origin requests (both preflight and actual one) are not | 574 request.url(), accessControlErrorDescription)) { |
| 578 // allowed to follow redirect. | |
| 579 accessControlErrorDescription = | |
| 580 "Redirect from '" + redirectResponse.url().getString() + "' to '" + | |
| 581 request.url().getString() + | |
| 582 "' has been blocked by CORS policy: Request requires preflight, which " | |
| 583 "is disallowed to follow cross-origin redirect."; | |
| 584 } else if (!CrossOriginAccessControl::isLegalRedirectLocation( | |
| 585 request.url(), accessControlErrorDescription)) { | |
| 586 accessControlErrorDescription = | 575 accessControlErrorDescription = |
| 587 "Redirect from '" + redirectResponse.url().getString() + | 576 "Redirect from '" + redirectResponse.url().getString() + |
| 588 "' has been blocked by CORS policy: " + accessControlErrorDescription; | 577 "' has been blocked by CORS policy: " + accessControlErrorDescription; |
| 589 } else if (!m_sameOriginRequest && | 578 } else if (!m_sameOriginRequest && |
| 590 !passesAccessControlCheck( | 579 !passesAccessControlCheck( |
| 591 redirectResponse, effectiveAllowCredentials(), | 580 redirectResponse, effectiveAllowCredentials(), |
| 592 getSecurityOrigin(), accessControlErrorDescription, | 581 getSecurityOrigin(), accessControlErrorDescription, |
| 593 m_requestContext)) { | 582 m_requestContext)) { |
| 594 // The redirect response must pass the access control check if the original | 583 // The redirect response must pass the access control check if the original |
| 595 // request was not same-origin. | 584 // request was not same-origin. |
| 1136 } | 1125 } |
| 1137 | 1126 |
| 1138 DEFINE_TRACE(DocumentThreadableLoader) { | 1127 DEFINE_TRACE(DocumentThreadableLoader) { |
| 1139 visitor->trace(m_resource); | 1128 visitor->trace(m_resource); |
| 1140 visitor->trace(m_document); | 1129 visitor->trace(m_document); |
| 1141 ThreadableLoader::trace(visitor); | 1130 ThreadableLoader::trace(visitor); |
| 1142 RawResourceClient::trace(visitor); | 1131 RawResourceClient::trace(visitor); |
| 1143 } | 1132 } |
| 1144 | 1133 |
| 1145 } // namespace blink | 1134 } // namespace blink |
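Review bot: In the redirect hunk (new lines 573-582) the only remaining gates on a cross-origin redirect are isLegalRedirectLocation() and passesAccessControlCheck() on the redirect response; the removed m_crossOriginNonSimpleRequest branch was the one place that refused to follow a redirect for a request that needed a preflight, and nothing in the new hunk records that the request was preflighted or that the redirected URL must be checked afresh. Whether the code after the hunk re-runs the CORS/preflight logic for the new URL (rather than reusing a CrossOriginPreflightResultCache entry keyed on the original URL, as the cache lookup at new lines 391-395 does) is not visible here, so this should be confirmed and stated at the decision point, e.g. `// Preflighted requests may now follow cross-origin redirects; the redirected` / `// request must go through the cross-origin (preflight) path again for the new URL.` The enclosing function begins and ends outside the hunk. The constructor and loadRequest hunks only drop the now-unused member and are fine as written.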