1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
154 BlockingBehavior blockingBehavior, | 154 BlockingBehavior blockingBehavior, |
155 const ThreadableLoaderOptions& options, | 155 const ThreadableLoaderOptions& options, |
156 const ResourceLoaderOptions& resourceLoaderOptions) | 156 const ResourceLoaderOptions& resourceLoaderOptions) |
157 : m_client(client), | 157 : m_client(client), |
158 m_document(&document), | 158 m_document(&document), |
159 m_options(options), | 159 m_options(options), |
160 m_resourceLoaderOptions(resourceLoaderOptions), | 160 m_resourceLoaderOptions(resourceLoaderOptions), |
161 m_forceDoNotAllowStoredCredentials(false), | 161 m_forceDoNotAllowStoredCredentials(false), |
162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), | 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), |
163 m_sameOriginRequest(false), | 163 m_sameOriginRequest(false), |
164 m_crossOriginNonSimpleRequest(false), | |
165 m_isUsingDataConsumerHandle(false), | 164 m_isUsingDataConsumerHandle(false), |
166 m_async(blockingBehavior == LoadAsynchronously), | 165 m_async(blockingBehavior == LoadAsynchronously), |
167 m_requestContext(WebURLRequest::RequestContextUnspecified), | 166 m_requestContext(WebURLRequest::RequestContextUnspecified), |
168 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), | 167 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), |
169 m_requestStartedSeconds(0.0), | 168 m_requestStartedSeconds(0.0), |
170 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl | 169 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl |
171 ? kMaxCORSRedirects | 170 ? kMaxCORSRedirects |
172 : 0), | 171 : 0), |
173 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), | 172 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), |
174 m_didRedirect(false) { | 173 m_didRedirect(false) { |
367 // FIXME: We should set it in the caller of DocumentThreadableLoader. | 366 // FIXME: We should set it in the caller of DocumentThreadableLoader. |
368 crossOriginRequest.setFetchCredentialsMode( | 367 crossOriginRequest.setFetchCredentialsMode( |
369 effectiveAllowCredentials() == AllowStoredCredentials | 368 effectiveAllowCredentials() == AllowStoredCredentials |
370 ? WebURLRequest::FetchCredentialsModeInclude | 369 ? WebURLRequest::FetchCredentialsModeInclude |
371 : WebURLRequest::FetchCredentialsModeOmit); | 370 : WebURLRequest::FetchCredentialsModeOmit); |
372 if (m_didRedirect) { | 371 if (m_didRedirect) { |
373 crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect); | 372 crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect); |
374 } | 373 } |
375 loadRequest(crossOriginRequest, crossOriginOptions); | 374 loadRequest(crossOriginRequest, crossOriginOptions); |
376 } else { | 375 } else { |
377 m_crossOriginNonSimpleRequest = true; | |
378 // Do not set the Origin header for preflight requests. | 376 // Do not set the Origin header for preflight requests. |
379 updateRequestForAccessControl(crossOriginRequest, 0, | 377 updateRequestForAccessControl(crossOriginRequest, 0, |
380 effectiveAllowCredentials()); | 378 effectiveAllowCredentials()); |
381 // We update the credentials mode according to effectiveAllowCredentials() | 379 // We update the credentials mode according to effectiveAllowCredentials() |
382 // here for backward compatibility. But this is not correct. | 380 // here for backward compatibility. But this is not correct. |
383 // FIXME: We should set it in the caller of DocumentThreadableLoader. | 381 // FIXME: We should set it in the caller of DocumentThreadableLoader. |
384 crossOriginRequest.setFetchCredentialsMode( | 382 crossOriginRequest.setFetchCredentialsMode( |
385 effectiveAllowCredentials() == AllowStoredCredentials | 383 effectiveAllowCredentials() == AllowStoredCredentials |
386 ? WebURLRequest::FetchCredentialsModeInclude | 384 ? WebURLRequest::FetchCredentialsModeInclude |
387 : WebURLRequest::FetchCredentialsModeOmit); | 385 : WebURLRequest::FetchCredentialsModeOmit); |
556 | 554 |
557 --m_corsRedirectLimit; | 555 --m_corsRedirectLimit; |
558 | 556 |
559 InspectorInstrumentation::didReceiveCORSRedirectResponse( | 557 InspectorInstrumentation::didReceiveCORSRedirectResponse( |
560 document().frame(), resource->identifier(), | 558 document().frame(), resource->identifier(), |
561 document().frame()->loader().documentLoader(), redirectResponse, | 559 document().frame()->loader().documentLoader(), redirectResponse, |
562 resource); | 560 resource); |
563 | 561 |
564 bool allowRedirect = false; | 562 bool allowRedirect = false; |
565 String accessControlErrorDescription; | 563 String accessControlErrorDescription; |
566 | 564 |
yhirano
2016/10/27 06:19:44
The preflight request (not a request w/preflight)
Jack Bates
2016/11/03 17:22:03
Right. I confirm that if you try to redirect the p
567 if (m_crossOriginNonSimpleRequest) { | 565 if (!CrossOriginAccessControl::isLegalRedirectLocation( |
568 // Non-simple cross origin requests (both preflight and actual one) are not | 566 request.url(), accessControlErrorDescription)) { |
569 // allowed to follow redirect. | |
570 accessControlErrorDescription = | |
571 "Redirect from '" + redirectResponse.url().getString() + "' to '" + | |
572 request.url().getString() + | |
573 "' has been blocked by CORS policy: Request requires preflight, which " | |
574 "is disallowed to follow cross-origin redirect."; | |
575 } else if (!CrossOriginAccessControl::isLegalRedirectLocation( | |
576 request.url(), accessControlErrorDescription)) { | |
577 accessControlErrorDescription = | 567 accessControlErrorDescription = |
578 "Redirect from '" + redirectResponse.url().getString() + | 568 "Redirect from '" + redirectResponse.url().getString() + |
579 "' has been blocked by CORS policy: " + accessControlErrorDescription; | 569 "' has been blocked by CORS policy: " + accessControlErrorDescription; |
580 } else if (!m_sameOriginRequest && | 570 } else if (!m_sameOriginRequest && |
581 !passesAccessControlCheck( | 571 !passesAccessControlCheck( |
582 redirectResponse, effectiveAllowCredentials(), | 572 redirectResponse, effectiveAllowCredentials(), |
583 getSecurityOrigin(), accessControlErrorDescription, | 573 getSecurityOrigin(), accessControlErrorDescription, |
584 m_requestContext)) { | 574 m_requestContext)) { |
585 // The redirect response must pass the access control check if the original | 575 // The redirect response must pass the access control check if the original |
586 // request was not same-origin. | 576 // request was not same-origin. |
1122 } | 1112 } |
1123 | 1113 |
1124 DEFINE_TRACE(DocumentThreadableLoader) { | 1114 DEFINE_TRACE(DocumentThreadableLoader) { |
1125 visitor->trace(m_resource); | 1115 visitor->trace(m_resource); |
1126 visitor->trace(m_document); | 1116 visitor->trace(m_document); |
1127 ThreadableLoader::trace(visitor); | 1117 ThreadableLoader::trace(visitor); |
1128 RawResourceClient::trace(visitor); | 1118 RawResourceClient::trace(visitor); |
1129 } | 1119 } |
1130 | 1120 |
1131 } // namespace blink | 1121 } // namespace blink |
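Review bot: With the `m_crossOriginNonSimpleRequest` branch removed in the redirect hunk (old lines 567-574), the actual request of a preflighted fetch can now follow a cross-origin redirect, but the checks that remain there — `isLegalRedirectLocation(request.url(), ...)` and `passesAccessControlCheck(redirectResponse, ...)` — only validate the redirect response, not that the redirect target has authorized the non-simple method and headers. Whatever continues the redirect (outside this hunk; the function runs past line 586) must issue a fresh preflight against the new `request.url()` rather than reuse the result or cache entry obtained for the original URL, and since a cross-origin redirect taints the request's origin that preflight should go out with the tainted origin, not the document's; I am inferring this from the removed comment on the old side, not from code visible here. If that is already handled further down, a short pointer at the `else if (!m_sameOriginRequest ...)` branch would save the next reader the trip, e.g. `// Preflighted requests may now follow redirects; the redirected request is re-preflighted below.`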