| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) | 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) |
| 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) | 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) |
| 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) | 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) |
| 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All | 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All |
| 6 rights reserved. | 6 rights reserved. |
| 7 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ | 7 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ |
| 8 | 8 |
| 9 This library is free software; you can redistribute it and/or | 9 This library is free software; you can redistribute it and/or |
| 10 modify it under the terms of the GNU Library General Public | 10 modify it under the terms of the GNU Library General Public |
| (...skipping 22 matching lines...) Expand all Loading... |
| 33 #include "core/fetch/FetchInitiatorTypeNames.h" | 33 #include "core/fetch/FetchInitiatorTypeNames.h" |
| 34 #include "core/fetch/ImageResource.h" | 34 #include "core/fetch/ImageResource.h" |
| 35 #include "core/fetch/MemoryCache.h" | 35 #include "core/fetch/MemoryCache.h" |
| 36 #include "core/fetch/ResourceLoader.h" | 36 #include "core/fetch/ResourceLoader.h" |
| 37 #include "core/fetch/ResourceLoadingLog.h" | 37 #include "core/fetch/ResourceLoadingLog.h" |
| 38 #include "core/fetch/UniqueIdentifier.h" | 38 #include "core/fetch/UniqueIdentifier.h" |
| 39 #include "platform/Histogram.h" | 39 #include "platform/Histogram.h" |
| 40 #include "platform/RuntimeEnabledFeatures.h" | 40 #include "platform/RuntimeEnabledFeatures.h" |
| 41 #include "platform/mhtml/ArchiveResource.h" | 41 #include "platform/mhtml/ArchiveResource.h" |
| 42 #include "platform/mhtml/MHTMLArchive.h" | 42 #include "platform/mhtml/MHTMLArchive.h" |
| 43 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 43 #include "platform/network/NetworkInstrumentation.h" | 44 #include "platform/network/NetworkInstrumentation.h" |
| 44 #include "platform/network/NetworkUtils.h" | 45 #include "platform/network/NetworkUtils.h" |
| 45 #include "platform/network/ResourceTimingInfo.h" | 46 #include "platform/network/ResourceTimingInfo.h" |
| 46 #include "platform/tracing/TraceEvent.h" | 47 #include "platform/tracing/TraceEvent.h" |
| 47 #include "platform/tracing/TracedValue.h" | 48 #include "platform/tracing/TracedValue.h" |
| 48 #include "platform/weborigin/KnownPorts.h" | 49 #include "platform/weborigin/KnownPorts.h" |
| 49 #include "platform/weborigin/SecurityOrigin.h" | 50 #include "platform/weborigin/SecurityOrigin.h" |
| 50 #include "platform/weborigin/SecurityPolicy.h" | 51 #include "platform/weborigin/SecurityPolicy.h" |
| 51 #include "public/platform/Platform.h" | 52 #include "public/platform/Platform.h" |
| 52 #include "public/platform/WebCachePolicy.h" | 53 #include "public/platform/WebCachePolicy.h" |
| (...skipping 435 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 488 const SubstituteData& substituteData) { | 489 const SubstituteData& substituteData) { |
| 489 unsigned long identifier = createUniqueIdentifier(); | 490 unsigned long identifier = createUniqueIdentifier(); |
| 490 network_instrumentation::ScopedResourceLoadTracker scopedResourceLoadTracker( | 491 network_instrumentation::ScopedResourceLoadTracker scopedResourceLoadTracker( |
| 491 identifier, request.resourceRequest()); | 492 identifier, request.resourceRequest()); |
| 492 SCOPED_BLINK_UMA_HISTOGRAM_TIMER("Blink.Fetch.RequestResourceTime"); | 493 SCOPED_BLINK_UMA_HISTOGRAM_TIMER("Blink.Fetch.RequestResourceTime"); |
| 493 DCHECK(request.options().synchronousPolicy == RequestAsynchronously || | 494 DCHECK(request.options().synchronousPolicy == RequestAsynchronously || |
| 494 factory.type() == Resource::Raw || | 495 factory.type() == Resource::Raw || |
| 495 factory.type() == Resource::XSLStyleSheet); | 496 factory.type() == Resource::XSLStyleSheet); |
| 496 | 497 |
| 497 context().populateRequestData(request.mutableResourceRequest()); | 498 context().populateRequestData(request.mutableResourceRequest()); |
| 499 |
| 500 // It's important that we check the request against the page's CSP _before_ |
| 501 // modifying it via upgrade-insecure-requests, etc. Otherwise, developers |
| 502 // won't get error reports for upgraded resources. |
| 503 context().checkCSPForRequest( |
| 504 request.resourceRequest(), |
| 505 MemoryCache::removeFragmentIdentifierIfNeeded(request.url()), |
| 506 request.options(), request.forPreload(), |
| 507 request.resourceRequest().redirectStatus(), |
| 508 ContentSecurityPolicyHeaderTypeReport); |
| 498 context().modifyRequestForCSP(request.mutableResourceRequest()); | 509 context().modifyRequestForCSP(request.mutableResourceRequest()); |
| 499 context().addClientHintsIfNecessary(request); | 510 context().addClientHintsIfNecessary(request); |
| 500 context().addCSPHeaderIfNecessary(factory.type(), request); | 511 context().addCSPHeaderIfNecessary(factory.type(), request); |
| 501 | 512 |
| 502 // TODO(dproy): Remove this. http://crbug.com/659666 | 513 // TODO(dproy): Remove this. http://crbug.com/659666 |
| 503 TRACE_EVENT1("blink", "ResourceFetcher::requestResource", "url", | 514 TRACE_EVENT1("blink", "ResourceFetcher::requestResource", "url", |
| 504 urlForTraceEvent(request.url())); | 515 urlForTraceEvent(request.url())); |
| 505 | 516 |
| 506 if (!request.url().isValid()) | 517 if (!request.url().isValid()) |
| 507 return nullptr; | 518 return nullptr; |
| (...skipping 853 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1361 return request.fetchRedirectMode() == | 1372 return request.fetchRedirectMode() == |
| 1362 WebURLRequest::FetchRedirectModeManual && | 1373 WebURLRequest::FetchRedirectModeManual && |
| 1363 request.requestContext() == WebURLRequest::RequestContextFetch; | 1374 request.requestContext() == WebURLRequest::RequestContextFetch; |
| 1364 } | 1375 } |
| 1365 | 1376 |
| 1366 bool ResourceFetcher::willFollowRedirect( | 1377 bool ResourceFetcher::willFollowRedirect( |
| 1367 Resource* resource, | 1378 Resource* resource, |
| 1368 ResourceRequest& newRequest, | 1379 ResourceRequest& newRequest, |
| 1369 const ResourceResponse& redirectResponse) { | 1380 const ResourceResponse& redirectResponse) { |
| 1370 if (!isManualRedirectFetchRequest(resource->resourceRequest())) { | 1381 if (!isManualRedirectFetchRequest(resource->resourceRequest())) { |
| 1382 // TODO(mkwst): |
| 1371 if (!context().canRequest(resource->getType(), newRequest, newRequest.url(), | 1383 if (!context().canRequest(resource->getType(), newRequest, newRequest.url(), |
| 1372 resource->options(), resource->isUnusedPreload(), | 1384 resource->options(), resource->isUnusedPreload(), |
| 1373 FetchRequest::UseDefaultOriginRestrictionForType)) | 1385 FetchRequest::UseDefaultOriginRestrictionForType)) |
| 1374 return false; | 1386 return false; |
| 1375 if (resource->options().corsEnabled == IsCORSEnabled) { | 1387 if (resource->options().corsEnabled == IsCORSEnabled) { |
| 1376 RefPtr<SecurityOrigin> sourceOrigin = resource->options().securityOrigin; | 1388 RefPtr<SecurityOrigin> sourceOrigin = resource->options().securityOrigin; |
| 1377 if (!sourceOrigin.get()) | 1389 if (!sourceOrigin.get()) |
| 1378 sourceOrigin = context().getSecurityOrigin(); | 1390 sourceOrigin = context().getSecurityOrigin(); |
| 1379 | 1391 |
| 1380 String errorMessage; | 1392 String errorMessage; |
| (...skipping 257 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1638 visitor->trace(m_context); | 1650 visitor->trace(m_context); |
| 1639 visitor->trace(m_archive); | 1651 visitor->trace(m_archive); |
| 1640 visitor->trace(m_loaders); | 1652 visitor->trace(m_loaders); |
| 1641 visitor->trace(m_nonBlockingLoaders); | 1653 visitor->trace(m_nonBlockingLoaders); |
| 1642 visitor->trace(m_documentResources); | 1654 visitor->trace(m_documentResources); |
| 1643 visitor->trace(m_preloads); | 1655 visitor->trace(m_preloads); |
| 1644 visitor->trace(m_resourceTimingInfoMap); | 1656 visitor->trace(m_resourceTimingInfoMap); |
| 1645 } | 1657 } |
| 1646 | 1658 |
| 1647 } // namespace blink | 1659 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2551893002:
Upgrade-Insecure-Requests: Split CSP checks into pre-upgrade and post-upgrade.
