Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(16)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 2616323002: CrossOriginAccessControl: separate access checks and error message generation (Closed)
Patch Set: initialize allowRedirect correctly Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp ('K') | « third_party/WebKit/Source/core/fetch/ResourceLoader.cpp ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
(...skipping 535 matching lines...) Expand 10 before | Expand all | Expand 10 after
546 return false; 546 return false;
547 } 547 }
548 548
549 --m_corsRedirectLimit; 549 --m_corsRedirectLimit;
550 550
551 InspectorInstrumentation::didReceiveCORSRedirectResponse( 551 InspectorInstrumentation::didReceiveCORSRedirectResponse(
552 document().frame(), resource->identifier(), 552 document().frame(), resource->identifier(),
553 document().frame()->loader().documentLoader(), redirectResponse, 553 document().frame()->loader().documentLoader(), redirectResponse,
554 resource); 554 resource);
555 555
556 bool allowRedirect = false;
557 String accessControlErrorDescription; 556 String accessControlErrorDescription;
558 557
559 if (!CrossOriginAccessControl::isLegalRedirectLocation( 558 CrossOriginAccessControl::RedirectStatus redirectStatus =
560 request.url(), accessControlErrorDescription)) { 559 CrossOriginAccessControl::checkRedirectLocation(request.url());
561 accessControlErrorDescription = 560 bool allowRedirect =
562 "Redirect from '" + redirectResponse.url().getString() + 561 redirectStatus == CrossOriginAccessControl::kRedirectSuccess;
563 "' has been blocked by CORS policy: " + accessControlErrorDescription; 562 if (!allowRedirect) {
564 } else if (!m_sameOriginRequest && 563 StringBuilder builder;
565 !passesAccessControlCheck( 564 builder.append("Redirect from '");
566 redirectResponse, effectiveAllowCredentials(), 565 builder.append(redirectResponse.url().getString());
567 getSecurityOrigin(), accessControlErrorDescription, 566 builder.append("' has been blocked by CORS policy: ");
568 m_requestContext)) { 567 CrossOriginAccessControl::redirectErrorString(builder, redirectStatus,
568 request.url());
569 accessControlErrorDescription = builder.toString();
570 } else if (!m_sameOriginRequest) {
569 // The redirect response must pass the access control check if the original 571 // The redirect response must pass the access control check if the original
570 // request was not same-origin. 572 // request was not same-origin.
571 accessControlErrorDescription = 573 CrossOriginAccessControl::AccessStatus corsStatus =
572 "Redirect from '" + redirectResponse.url().getString() + "' to '" + 574 CrossOriginAccessControl::checkAccess(
573 request.url().getString() + "' has been blocked by CORS policy: " + 575 redirectResponse, effectiveAllowCredentials(), getSecurityOrigin());
574 accessControlErrorDescription; 576 allowRedirect = corsStatus == CrossOriginAccessControl::kAccessAllowed;
575 } else { 577 if (!allowRedirect) {
576 allowRedirect = true; 578 StringBuilder builder;
579 builder.append("Redirect from '");
580 builder.append(redirectResponse.url().getString());
581 builder.append("' to '");
582 builder.append(request.url().getString());
583 builder.append("' has been blocked by CORS policy: ");
584 CrossOriginAccessControl::accessControlErrorString(
585 builder, corsStatus, redirectResponse, getSecurityOrigin(),
586 m_requestContext);
587 accessControlErrorDescription = builder.toString();
588 }
577 } 589 }
578 590
579 if (!allowRedirect) { 591 if (!allowRedirect) {
580 dispatchDidFailAccessControlCheck(ResourceError( 592 dispatchDidFailAccessControlCheck(ResourceError(
581 errorDomainBlinkInternal, 0, redirectResponse.url().getString(), 593 errorDomainBlinkInternal, 0, redirectResponse.url().getString(),
582 accessControlErrorDescription)); 594 accessControlErrorDescription));
583 return false; 595 return false;
584 } 596 }
585 597
586 m_client->didReceiveRedirectTo(request.url()); 598 m_client->didReceiveRedirectTo(request.url());
(...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after
686 if (handle) 698 if (handle)
687 m_isUsingDataConsumerHandle = true; 699 m_isUsingDataConsumerHandle = true;
688 700
689 handleResponse(resource->identifier(), response, std::move(handle)); 701 handleResponse(resource->identifier(), response, std::move(handle));
690 } 702 }
691 703
692 void DocumentThreadableLoader::handlePreflightResponse( 704 void DocumentThreadableLoader::handlePreflightResponse(
693 const ResourceResponse& response) { 705 const ResourceResponse& response) {
694 String accessControlErrorDescription; 706 String accessControlErrorDescription;
695 707
696 if (!passesAccessControlCheck( 708 CrossOriginAccessControl::AccessStatus corsStatus =
697 response, effectiveAllowCredentials(), getSecurityOrigin(), 709 CrossOriginAccessControl::checkAccess(
698 accessControlErrorDescription, m_requestContext)) { 710 response, effectiveAllowCredentials(), getSecurityOrigin());
699 handlePreflightFailure( 711 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) {
700 response.url().getString(), 712 StringBuilder builder;
701 "Response to preflight request doesn't pass access control check: " + 713 builder.append(
702 accessControlErrorDescription); 714 "Response to preflight request doesn't pass access "
715 "control check: ");
716 CrossOriginAccessControl::accessControlErrorString(
717 builder, corsStatus, response, getSecurityOrigin(), m_requestContext);
718 handlePreflightFailure(response.url().getString(), builder.toString());
703 return; 719 return;
704 } 720 }
705 721
706 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { 722 CrossOriginAccessControl::PreflightStatus preflightStatus =
707 handlePreflightFailure(response.url().getString(), 723 CrossOriginAccessControl::checkPreflight(response);
708 accessControlErrorDescription); 724 if (preflightStatus != CrossOriginAccessControl::kPreflightSuccess) {
725 StringBuilder builder;
726 CrossOriginAccessControl::preflightErrorString(builder, preflightStatus,
727 response);
728 handlePreflightFailure(response.url().getString(), builder.toString());
709 return; 729 return;
710 } 730 }
711 731
712 if (m_actualRequest.isExternalRequest() && 732 if (m_actualRequest.isExternalRequest()) {
713 !passesExternalPreflightCheck(response, accessControlErrorDescription)) { 733 CrossOriginAccessControl::PreflightStatus externalPreflightStatus =
714 handlePreflightFailure(response.url().getString(), 734 CrossOriginAccessControl::checkExternalPreflight(response);
715 accessControlErrorDescription); 735 if (externalPreflightStatus !=
716 return; 736 CrossOriginAccessControl::kPreflightSuccess) {
737 StringBuilder builder;
738 CrossOriginAccessControl::preflightErrorString(
739 builder, externalPreflightStatus, response);
740 handlePreflightFailure(response.url().getString(), builder.toString());
741 return;
742 }
717 } 743 }
718 744
719 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult = 745 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult =
720 WTF::wrapUnique( 746 WTF::wrapUnique(
721 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials())); 747 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
722 if (!preflightResult->parse(response, accessControlErrorDescription) || 748 if (!preflightResult->parse(response, accessControlErrorDescription) ||
723 !preflightResult->allowsCrossOriginMethod( 749 !preflightResult->allowsCrossOriginMethod(
724 m_actualRequest.httpMethod(), accessControlErrorDescription) || 750 m_actualRequest.httpMethod(), accessControlErrorDescription) ||
725 !preflightResult->allowsCrossOriginHeaders( 751 !preflightResult->allowsCrossOriginHeaders(
726 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) { 752 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) {
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after
791 // loadFallbackRequestForServiceWorker(). 817 // loadFallbackRequestForServiceWorker().
792 // FIXME: We should use |m_sameOriginRequest| when we will support Suborigins 818 // FIXME: We should use |m_sameOriginRequest| when we will support Suborigins
793 // (crbug.com/336894) for Service Worker. 819 // (crbug.com/336894) for Service Worker.
794 DCHECK( 820 DCHECK(
795 m_fallbackRequestForServiceWorker.isNull() || 821 m_fallbackRequestForServiceWorker.isNull() ||
796 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url())); 822 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url()));
797 m_fallbackRequestForServiceWorker = ResourceRequest(); 823 m_fallbackRequestForServiceWorker = ResourceRequest();
798 824
799 if (!m_sameOriginRequest && 825 if (!m_sameOriginRequest &&
800 m_options.crossOriginRequestPolicy == UseAccessControl) { 826 m_options.crossOriginRequestPolicy == UseAccessControl) {
801 String accessControlErrorDescription; 827 CrossOriginAccessControl::AccessStatus corsStatus =
802 if (!passesAccessControlCheck( 828 CrossOriginAccessControl::checkAccess(
803 response, effectiveAllowCredentials(), getSecurityOrigin(), 829 response, effectiveAllowCredentials(), getSecurityOrigin());
804 accessControlErrorDescription, m_requestContext)) { 830 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) {
805 reportResponseReceived(identifier, response); 831 reportResponseReceived(identifier, response);
806 832 StringBuilder builder;
833 CrossOriginAccessControl::accessControlErrorString(
834 builder, corsStatus, response, getSecurityOrigin(), m_requestContext);
807 dispatchDidFailAccessControlCheck( 835 dispatchDidFailAccessControlCheck(
808 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(), 836 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(),
809 accessControlErrorDescription)); 837 builder.toString()));
810 return; 838 return;
811 } 839 }
812 } 840 }
813 841
814 m_client->didReceiveResponse(identifier, response, std::move(handle)); 842 m_client->didReceiveResponse(identifier, response, std::move(handle));
815 } 843 }
816 844
817 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, 845 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*,
818 const char* data, 846 const char* data,
819 size_t size) { 847 size_t size) {
(...skipping 298 matching lines...) Expand 10 before | Expand all | Expand 10 after
1118 } 1146 }
1119 1147
1120 DEFINE_TRACE(DocumentThreadableLoader) { 1148 DEFINE_TRACE(DocumentThreadableLoader) {
1121 visitor->trace(m_resource); 1149 visitor->trace(m_resource);
1122 visitor->trace(m_document); 1150 visitor->trace(m_document);
1123 ThreadableLoader::trace(visitor); 1151 ThreadableLoader::trace(visitor);
1124 RawResourceClient::trace(visitor); 1152 RawResourceClient::trace(visitor);
1125 } 1153 }
1126 1154
1127 } // namespace blink 1155 } // namespace blink
OLDNEW
« third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp ('K') | « third_party/WebKit/Source/core/fetch/ResourceLoader.cpp ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698