| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 154 BlockingBehavior blockingBehavior, | 154 BlockingBehavior blockingBehavior, |
| 155 const ThreadableLoaderOptions& options, | 155 const ThreadableLoaderOptions& options, |
| 156 const ResourceLoaderOptions& resourceLoaderOptions) | 156 const ResourceLoaderOptions& resourceLoaderOptions) |
| 157 : m_client(client), | 157 : m_client(client), |
| 158 m_document(&document), | 158 m_document(&document), |
| 159 m_options(options), | 159 m_options(options), |
| 160 m_resourceLoaderOptions(resourceLoaderOptions), | 160 m_resourceLoaderOptions(resourceLoaderOptions), |
| 161 m_forceDoNotAllowStoredCredentials(false), | 161 m_forceDoNotAllowStoredCredentials(false), |
| 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), | 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), |
| 163 m_sameOriginRequest(false), | 163 m_sameOriginRequest(false), |
| 164 m_crossOriginNonSimpleRequest(false), | |
| 165 m_isUsingDataConsumerHandle(false), | 164 m_isUsingDataConsumerHandle(false), |
| 166 m_async(blockingBehavior == LoadAsynchronously), | 165 m_async(blockingBehavior == LoadAsynchronously), |
| 167 m_requestContext(WebURLRequest::RequestContextUnspecified), | 166 m_requestContext(WebURLRequest::RequestContextUnspecified), |
| 168 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), | 167 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), |
| 169 m_requestStartedSeconds(0.0), | 168 m_requestStartedSeconds(0.0), |
| 170 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl | 169 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl |
| 171 ? kMaxCORSRedirects | 170 ? kMaxCORSRedirects |
| 172 : 0), | 171 : 0), |
| 173 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), | 172 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), |
| 174 m_overrideReferrer(false) { | 173 m_overrideReferrer(false) { |
| (...skipping 204 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 379 // example, referrer. We need to accept them. For security, we must reject | 378 // example, referrer. We need to accept them. For security, we must reject |
| 380 // forbidden headers/methods at the point we accept user's input. Not here. | 379 // forbidden headers/methods at the point we accept user's input. Not here. |
| 381 if (!request.isExternalRequest() && | 380 if (!request.isExternalRequest() && |
| 382 ((m_options.preflightPolicy == ConsiderPreflight && | 381 ((m_options.preflightPolicy == ConsiderPreflight && |
| 383 FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), | 382 FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), |
| 384 request.httpHeaderFields())) || | 383 request.httpHeaderFields())) || |
| 385 m_options.preflightPolicy == PreventPreflight)) { | 384 m_options.preflightPolicy == PreventPreflight)) { |
| 386 prepareCrossOriginRequest(crossOriginRequest); | 385 prepareCrossOriginRequest(crossOriginRequest); |
| 387 loadRequest(crossOriginRequest, crossOriginOptions); | 386 loadRequest(crossOriginRequest, crossOriginOptions); |
| 388 } else { | 387 } else { |
| 389 m_crossOriginNonSimpleRequest = true; | |
| 390 | |
| 391 bool shouldForcePreflight = | 388 bool shouldForcePreflight = |
| 392 request.isExternalRequest() || | 389 request.isExternalRequest() || |
| 393 InspectorInstrumentation::shouldForceCORSPreflight(m_document); | 390 InspectorInstrumentation::shouldForceCORSPreflight(m_document); |
| 394 bool canSkipPreflight = | 391 bool canSkipPreflight = |
| 395 CrossOriginPreflightResultCache::shared().canSkipPreflight( | 392 CrossOriginPreflightResultCache::shared().canSkipPreflight( |
| 396 getSecurityOrigin()->toString(), crossOriginRequest.url(), | 393 getSecurityOrigin()->toString(), crossOriginRequest.url(), |
| 397 effectiveAllowCredentials(), crossOriginRequest.httpMethod(), | 394 effectiveAllowCredentials(), crossOriginRequest.httpMethod(), |
| 398 crossOriginRequest.httpHeaderFields()); | 395 crossOriginRequest.httpHeaderFields()); |
| 399 if (canSkipPreflight && !shouldForcePreflight) { | 396 if (canSkipPreflight && !shouldForcePreflight) { |
| 400 if (getSecurityOrigin()) | 397 if (getSecurityOrigin()) |
| (...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 565 --m_corsRedirectLimit; | 562 --m_corsRedirectLimit; |
| 566 | 563 |
| 567 InspectorInstrumentation::didReceiveCORSRedirectResponse( | 564 InspectorInstrumentation::didReceiveCORSRedirectResponse( |
| 568 document().frame(), resource->identifier(), | 565 document().frame(), resource->identifier(), |
| 569 document().frame()->loader().documentLoader(), redirectResponse, | 566 document().frame()->loader().documentLoader(), redirectResponse, |
| 570 resource); | 567 resource); |
| 571 | 568 |
| 572 bool allowRedirect = false; | 569 bool allowRedirect = false; |
| 573 String accessControlErrorDescription; | 570 String accessControlErrorDescription; |
| 574 | 571 |
| 575 if (m_crossOriginNonSimpleRequest) { | 572 if (!CrossOriginAccessControl::isLegalRedirectLocation( |
| 576 // Non-simple cross origin requests (both preflight and actual one) are not | 573 request.url(), accessControlErrorDescription)) { |
| 577 // allowed to follow redirect. | |
| 578 accessControlErrorDescription = | |
| 579 "Redirect from '" + redirectResponse.url().getString() + "' to '" + | |
| 580 request.url().getString() + | |
| 581 "' has been blocked by CORS policy: Request requires preflight, which " | |
| 582 "is disallowed to follow cross-origin redirect."; | |
| 583 } else if (!CrossOriginAccessControl::isLegalRedirectLocation( | |
| 584 request.url(), accessControlErrorDescription)) { | |
| 585 accessControlErrorDescription = | 574 accessControlErrorDescription = |
| 586 "Redirect from '" + redirectResponse.url().getString() + | 575 "Redirect from '" + redirectResponse.url().getString() + |
| 587 "' has been blocked by CORS policy: " + accessControlErrorDescription; | 576 "' has been blocked by CORS policy: " + accessControlErrorDescription; |
| 588 } else if (!m_sameOriginRequest && | 577 } else if (!m_sameOriginRequest && |
| 589 !passesAccessControlCheck( | 578 !passesAccessControlCheck( |
| 590 redirectResponse, effectiveAllowCredentials(), | 579 redirectResponse, effectiveAllowCredentials(), |
| 591 getSecurityOrigin(), accessControlErrorDescription, | 580 getSecurityOrigin(), accessControlErrorDescription, |
| 592 m_requestContext)) { | 581 m_requestContext)) { |
| 593 // The redirect response must pass the access control check if the original | 582 // The redirect response must pass the access control check if the original |
| 594 // request was not same-origin. | 583 // request was not same-origin. |
| (...skipping 540 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1135 } | 1124 } |
| 1136 | 1125 |
| 1137 DEFINE_TRACE(DocumentThreadableLoader) { | 1126 DEFINE_TRACE(DocumentThreadableLoader) { |
| 1138 visitor->trace(m_resource); | 1127 visitor->trace(m_resource); |
| 1139 visitor->trace(m_document); | 1128 visitor->trace(m_document); |
| 1140 ThreadableLoader::trace(visitor); | 1129 ThreadableLoader::trace(visitor); |
| 1141 RawResourceClient::trace(visitor); | 1130 RawResourceClient::trace(visitor); |
| 1142 } | 1131 } |
| 1143 | 1132 |
| 1144 } // namespace blink | 1133 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2421093003:
Allow redirects for requests that require preflight. (Closed)
