Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(229)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp

Issue 2456013002: CSP: 'connect-src' should not cause exceptions. (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html ('K') | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt ('k') | third_party/WebKit/Source/modules/beacon/NavigatorBeacon.cpp » ('j') | third_party/WebKit/Source/modules/websockets/DOMWebSocket.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved. 2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved.
3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org> 3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org>
4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org> 4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org>
5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved. 5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved.
6 * Copyright (C) 2012 Intel Corporation 6 * Copyright (C) 2012 Intel Corporation
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public 9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 609 matching lines...) Expand 10 before | Expand all | Expand 10 after
620 DCHECK(validateOpenArguments(method, url, exceptionState)); 620 DCHECK(validateOpenArguments(method, url, exceptionState));
621 621
622 if (!internalAbort()) 622 if (!internalAbort())
623 return; 623 return;
624 624
625 State previousState = m_state; 625 State previousState = m_state;
626 m_state = kUnsent; 626 m_state = kUnsent;
627 m_error = false; 627 m_error = false;
628 m_uploadComplete = false; 628 m_uploadComplete = false;
629 629
630 if (!ContentSecurityPolicy::shouldBypassMainWorld(getExecutionContext()) &&
631 !getExecutionContext()->contentSecurityPolicy()->allowConnectToSource(
632 url)) {
633 // We can safely expose the URL to JavaScript, as these checks happen
634 // synchronously before redirection. JavaScript receives no new information.
635 exceptionState.throwSecurityError(
636 "Refused to connect to '" + url.elidedString() +
637 "' because it violates the document's Content Security Policy.");
638 return;
639 }
640
641 if (!async && getExecutionContext()->isDocument()) { 630 if (!async && getExecutionContext()->isDocument()) {
642 if (document()->settings() && 631 if (document()->settings() &&
643 !document()->settings()->syncXHRInDocumentsEnabled()) { 632 !document()->settings()->syncXHRInDocumentsEnabled()) {
644 exceptionState.throwDOMException( 633 exceptionState.throwDOMException(
645 InvalidAccessError, 634 InvalidAccessError,
646 "Synchronous requests are disabled for this page."); 635 "Synchronous requests are disabled for this page.");
647 return; 636 return;
648 } 637 }
649 638
650 // Newer functionality is not available to synchronous requests in window 639 // Newer functionality is not available to synchronous requests in window
(...skipping 1220 matching lines...) Expand 10 before | Expand all | Expand 10 after
1871 visitor->traceWrappers(m_responseDocument); 1860 visitor->traceWrappers(m_responseDocument);
1872 visitor->traceWrappers(m_responseArrayBuffer); 1861 visitor->traceWrappers(m_responseArrayBuffer);
1873 XMLHttpRequestEventTarget::traceWrappers(visitor); 1862 XMLHttpRequestEventTarget::traceWrappers(visitor);
1874 } 1863 }
1875 1864
1876 std::ostream& operator<<(std::ostream& ostream, const XMLHttpRequest* xhr) { 1865 std::ostream& operator<<(std::ostream& ostream, const XMLHttpRequest* xhr) {
1877 return ostream << "XMLHttpRequest " << static_cast<const void*>(xhr); 1866 return ostream << "XMLHttpRequest " << static_cast<const void*>(xhr);
1878 } 1867 }
1879 1868
1880 } // namespace blink 1869 } // namespace blink
OLDNEW
« third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html ('K') | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt ('k') | third_party/WebKit/Source/modules/beacon/NavigatorBeacon.cpp » ('j') | third_party/WebKit/Source/modules/websockets/DOMWebSocket.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698