1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
546 return false; | 546 return false; |
547 } | 547 } |
548 | 548 |
549 --m_corsRedirectLimit; | 549 --m_corsRedirectLimit; |
550 | 550 |
551 InspectorInstrumentation::didReceiveCORSRedirectResponse( | 551 InspectorInstrumentation::didReceiveCORSRedirectResponse( |
552 document().frame(), resource->identifier(), | 552 document().frame(), resource->identifier(), |
553 document().frame()->loader().documentLoader(), redirectResponse, | 553 document().frame()->loader().documentLoader(), redirectResponse, |
554 resource); | 554 resource); |
555 | 555 |
556 bool allowRedirect = false; | |
557 String accessControlErrorDescription; | 556 String accessControlErrorDescription; |
558 | 557 |
559 if (!CrossOriginAccessControl::isLegalRedirectLocation( | 558 CrossOriginAccessControl::RedirectStatus redirectStatus = |
560 request.url(), accessControlErrorDescription)) { | 559 CrossOriginAccessControl::checkRedirectLocation(request.url()); |
561 accessControlErrorDescription = | 560 bool allowRedirect = |
562 "Redirect from '" + redirectResponse.url().getString() + | 561 redirectStatus == CrossOriginAccessControl::kRedirectSuccess; |
563 "' has been blocked by CORS policy: " + accessControlErrorDescription; | 562 if (!allowRedirect) { |
564 } else if (!m_sameOriginRequest && | 563 StringBuilder builder; |
565 !passesAccessControlCheck( | 564 builder.append("Redirect from '"); |
566 redirectResponse, effectiveAllowCredentials(), | 565 builder.append(redirectResponse.url().getString()); |
567 getSecurityOrigin(), accessControlErrorDescription, | 566 builder.append("' has been blocked by CORS policy: "); |
568 m_requestContext)) { | 567 CrossOriginAccessControl::redirectErrorString(builder, redirectStatus, |
| 568 request.url()); |
| 569 accessControlErrorDescription = builder.toString(); |
| 570 } else if (!m_sameOriginRequest) { |
569 // The redirect response must pass the access control check if the original | 571 // The redirect response must pass the access control check if the original |
570 // request was not same-origin. | 572 // request was not same-origin. |
571 accessControlErrorDescription = | 573 CrossOriginAccessControl::AccessStatus corsStatus = |
572 "Redirect from '" + redirectResponse.url().getString() + "' to '" + | 574 CrossOriginAccessControl::checkAccess( |
573 request.url().getString() + "' has been blocked by CORS policy: " + | 575 redirectResponse, effectiveAllowCredentials(), getSecurityOrigin()); |
574 accessControlErrorDescription; | 576 allowRedirect = corsStatus == CrossOriginAccessControl::kAccessAllowed; |
575 } else { | 577 if (!allowRedirect) { |
576 allowRedirect = true; | 578 StringBuilder builder; |
| 579 builder.append("Redirect from '"); |
| 580 builder.append(redirectResponse.url().getString()); |
| 581 builder.append("' to '"); |
| 582 builder.append(request.url().getString()); |
| 583 builder.append("' has been blocked by CORS policy: "); |
| 584 CrossOriginAccessControl::accessControlErrorString( |
| 585 builder, corsStatus, redirectResponse, getSecurityOrigin(), |
| 586 m_requestContext); |
| 587 accessControlErrorDescription = builder.toString(); |
| 588 } |
577 } | 589 } |
578 | 590 |
579 if (!allowRedirect) { | 591 if (!allowRedirect) { |
580 dispatchDidFailAccessControlCheck(ResourceError( | 592 dispatchDidFailAccessControlCheck(ResourceError( |
581 errorDomainBlinkInternal, 0, redirectResponse.url().getString(), | 593 errorDomainBlinkInternal, 0, redirectResponse.url().getString(), |
582 accessControlErrorDescription)); | 594 accessControlErrorDescription)); |
583 return false; | 595 return false; |
584 } | 596 } |
585 | 597 |
586 m_client->didReceiveRedirectTo(request.url()); | 598 m_client->didReceiveRedirectTo(request.url()); |
686 if (handle) | 698 if (handle) |
687 m_isUsingDataConsumerHandle = true; | 699 m_isUsingDataConsumerHandle = true; |
688 | 700 |
689 handleResponse(resource->identifier(), response, std::move(handle)); | 701 handleResponse(resource->identifier(), response, std::move(handle)); |
690 } | 702 } |
691 | 703 |
692 void DocumentThreadableLoader::handlePreflightResponse( | 704 void DocumentThreadableLoader::handlePreflightResponse( |
693 const ResourceResponse& response) { | 705 const ResourceResponse& response) { |
694 String accessControlErrorDescription; | 706 String accessControlErrorDescription; |
695 | 707 |
696 if (!passesAccessControlCheck( | 708 CrossOriginAccessControl::AccessStatus corsStatus = |
697 response, effectiveAllowCredentials(), getSecurityOrigin(), | 709 CrossOriginAccessControl::checkAccess( |
698 accessControlErrorDescription, m_requestContext)) { | 710 response, effectiveAllowCredentials(), getSecurityOrigin()); |
699 handlePreflightFailure( | 711 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) { |
700 response.url().getString(), | 712 StringBuilder builder; |
701 "Response to preflight request doesn't pass access control check: " + | 713 builder.append( |
702 accessControlErrorDescription); | 714 "Response to preflight request doesn't pass access " |
| 715 "control check: "); |
| 716 CrossOriginAccessControl::accessControlErrorString( |
| 717 builder, corsStatus, response, getSecurityOrigin(), m_requestContext); |
| 718 handlePreflightFailure(response.url().getString(), builder.toString()); |
703 return; | 719 return; |
704 } | 720 } |
705 | 721 |
706 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { | 722 CrossOriginAccessControl::PreflightStatus preflightStatus = |
707 handlePreflightFailure(response.url().getString(), | 723 CrossOriginAccessControl::checkPreflight(response); |
708 accessControlErrorDescription); | 724 if (preflightStatus != CrossOriginAccessControl::kPreflightSuccess) { |
| 725 StringBuilder builder; |
| 726 CrossOriginAccessControl::preflightErrorString(builder, preflightStatus, |
| 727 response); |
| 728 handlePreflightFailure(response.url().getString(), builder.toString()); |
709 return; | 729 return; |
710 } | 730 } |
711 | 731 |
712 if (m_actualRequest.isExternalRequest() && | 732 if (m_actualRequest.isExternalRequest()) { |
713 !passesExternalPreflightCheck(response, accessControlErrorDescription)) { | 733 CrossOriginAccessControl::PreflightStatus externalPreflightStatus = |
714 handlePreflightFailure(response.url().getString(), | 734 CrossOriginAccessControl::checkExternalPreflight(response); |
715 accessControlErrorDescription); | 735 if (externalPreflightStatus != |
716 return; | 736 CrossOriginAccessControl::kPreflightSuccess) { |
| 737 StringBuilder builder; |
| 738 CrossOriginAccessControl::preflightErrorString( |
| 739 builder, externalPreflightStatus, response); |
| 740 handlePreflightFailure(response.url().getString(), builder.toString()); |
| 741 return; |
| 742 } |
717 } | 743 } |
718 | 744 |
719 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult = | 745 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult = |
720 WTF::wrapUnique( | 746 WTF::wrapUnique( |
721 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials())); | 747 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials())); |
722 if (!preflightResult->parse(response, accessControlErrorDescription) || | 748 if (!preflightResult->parse(response, accessControlErrorDescription) || |
723 !preflightResult->allowsCrossOriginMethod( | 749 !preflightResult->allowsCrossOriginMethod( |
724 m_actualRequest.httpMethod(), accessControlErrorDescription) || | 750 m_actualRequest.httpMethod(), accessControlErrorDescription) || |
725 !preflightResult->allowsCrossOriginHeaders( | 751 !preflightResult->allowsCrossOriginHeaders( |
726 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) { | 752 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) { |
791 // loadFallbackRequestForServiceWorker(). | 817 // loadFallbackRequestForServiceWorker(). |
792 // FIXME: We should use |m_sameOriginRequest| when we will support Suborigins | 818 // FIXME: We should use |m_sameOriginRequest| when we will support Suborigins |
793 // (crbug.com/336894) for Service Worker. | 819 // (crbug.com/336894) for Service Worker. |
794 DCHECK( | 820 DCHECK( |
795 m_fallbackRequestForServiceWorker.isNull() || | 821 m_fallbackRequestForServiceWorker.isNull() || |
796 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url())); | 822 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url())); |
797 m_fallbackRequestForServiceWorker = ResourceRequest(); | 823 m_fallbackRequestForServiceWorker = ResourceRequest(); |
798 | 824 |
799 if (!m_sameOriginRequest && | 825 if (!m_sameOriginRequest && |
800 m_options.crossOriginRequestPolicy == UseAccessControl) { | 826 m_options.crossOriginRequestPolicy == UseAccessControl) { |
801 String accessControlErrorDescription; | 827 CrossOriginAccessControl::AccessStatus corsStatus = |
802 if (!passesAccessControlCheck( | 828 CrossOriginAccessControl::checkAccess( |
803 response, effectiveAllowCredentials(), getSecurityOrigin(), | 829 response, effectiveAllowCredentials(), getSecurityOrigin()); |
804 accessControlErrorDescription, m_requestContext)) { | 830 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) { |
805 reportResponseReceived(identifier, response); | 831 reportResponseReceived(identifier, response); |
806 | 832 StringBuilder builder; |
| 833 CrossOriginAccessControl::accessControlErrorString( |
| 834 builder, corsStatus, response, getSecurityOrigin(), m_requestContext); |
807 dispatchDidFailAccessControlCheck( | 835 dispatchDidFailAccessControlCheck( |
808 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(), | 836 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(), |
809 accessControlErrorDescription)); | 837 builder.toString())); |
810 return; | 838 return; |
811 } | 839 } |
812 } | 840 } |
813 | 841 |
814 m_client->didReceiveResponse(identifier, response, std::move(handle)); | 842 m_client->didReceiveResponse(identifier, response, std::move(handle)); |
815 } | 843 } |
816 | 844 |
817 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, | 845 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, |
818 const char* data, | 846 const char* data, |
819 size_t size) { | 847 size_t size) { |
1118 } | 1146 } |
1119 | 1147 |
1120 DEFINE_TRACE(DocumentThreadableLoader) { | 1148 DEFINE_TRACE(DocumentThreadableLoader) { |
1121 visitor->trace(m_resource); | 1149 visitor->trace(m_resource); |
1122 visitor->trace(m_document); | 1150 visitor->trace(m_document); |
1123 ThreadableLoader::trace(visitor); | 1151 ThreadableLoader::trace(visitor); |
1124 RawResourceClient::trace(visitor); | 1152 RawResourceClient::trace(visitor); |
1125 } | 1153 } |
1126 | 1154 |
1127 } // namespace blink | 1155 } // namespace blink |
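Review bot: In handlePreflightResponse, `String accessControlErrorDescription;` at new line 706 is now declared about forty lines before its first use at line 748, because the three checks above it each build their message in a local `StringBuilder` and return; moving that declaration to just before the `preflightResult->parse(...)` call keeps it at first use and makes it obvious that the early-return branches no longer write to it. In the redirect handler (new lines 556–589, whose enclosing function starts before the visible lines) the `"Redirect from '"` + `redirectResponse.url().getString()` prefix is appended twice (lines 564–565 and 579–580); a single builder initialised with that prefix before the `if`, or a small local lambda, would remove the duplication. The fail-closed shape is preserved as far as the hunk shows: `allowRedirect` only becomes true when the status is exactly `kRedirectSuccess` (line 561) or `kAccessAllowed` (line 576), and every other status reaches `dispatchDidFailAccessControlCheck` at line 592.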