third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp - Issue 2616323002: CrossOriginAccessControl: separate access checks and error message generation

Side by Side Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 2616323002: CrossOriginAccessControl: separate access checks and error message generation (Closed)

Patch Set: sync expectation Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.	2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.

3 * Copyright (C) 2013, Intel Corporation	3 * Copyright (C) 2013, Intel Corporation

4 *	4 *

5 * Redistribution and use in source and binary forms, with or without	5 * Redistribution and use in source and binary forms, with or without

6 * modification, are permitted provided that the following conditions are	6 * modification, are permitted provided that the following conditions are

7 * met:	7 * met:

8 *	8 *

9 * * Redistributions of source code must retain the above copyright	9 * * Redistributions of source code must retain the above copyright

10 * notice, this list of conditions and the following disclaimer.	10 * notice, this list of conditions and the following disclaimer.

(...skipping 535 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
546 return false;	546 return false;

547 }	547 }

548	548

549 --m_corsRedirectLimit;	549 --m_corsRedirectLimit;

550	550

551 InspectorInstrumentation::didReceiveCORSRedirectResponse(	551 InspectorInstrumentation::didReceiveCORSRedirectResponse(

552 document().frame(), resource->identifier(),	552 document().frame(), resource->identifier(),

553 document().frame()->loader().documentLoader(), redirectResponse,	553 document().frame()->loader().documentLoader(), redirectResponse,

554 resource);	554 resource);

555	555

556 bool allowRedirect = false;

557 String accessControlErrorDescription;	556 String accessControlErrorDescription;

558	557

559 if (!CrossOriginAccessControl::isLegalRedirectLocation(	558 CrossOriginAccessControl::RedirectStatus redirectStatus =

560 request.url(), accessControlErrorDescription)) {	559 CrossOriginAccessControl::checkRedirectLocation(request.url());

561 accessControlErrorDescription =	560 bool allowRedirect =

562 "Redirect from '" + redirectResponse.url().getString() +	561 redirectStatus == CrossOriginAccessControl::kRedirectSuccess;

563 "' has been blocked by CORS policy: " + accessControlErrorDescription;	562 if (!allowRedirect) {

564 } else if (!m_sameOriginRequest &&	563 StringBuilder builder;

565 !passesAccessControlCheck(	564 builder.append("Redirect from '");

566 redirectResponse, effectiveAllowCredentials(),	565 builder.append(redirectResponse.url().getString());

567 getSecurityOrigin(), accessControlErrorDescription,	566 builder.append("' has been blocked by CORS policy: ");

568 m_requestContext)) {	567 CrossOriginAccessControl::redirectErrorString(builder, redirectStatus,

	568 request.url());

	569 accessControlErrorDescription = builder.toString();

	570 } else if (!m_sameOriginRequest) {

569 // The redirect response must pass the access control check if the original	571 // The redirect response must pass the access control check if the original

570 // request was not same-origin.	572 // request was not same-origin.

571 accessControlErrorDescription =	573 CrossOriginAccessControl::AccessStatus corsStatus =

572 "Redirect from '" + redirectResponse.url().getString() + "' to '" +	574 CrossOriginAccessControl::checkAccess(

573 request.url().getString() + "' has been blocked by CORS policy: " +	575 redirectResponse, effectiveAllowCredentials(), getSecurityOrigin());

574 accessControlErrorDescription;	576 allowRedirect = corsStatus == CrossOriginAccessControl::kAccessAllowed;

575 } else {	577 if (!allowRedirect) {

576 allowRedirect = true;	578 StringBuilder builder;

	579 builder.append("Redirect from '");

	580 builder.append(redirectResponse.url().getString());

	581 builder.append("' to '");

	582 builder.append(request.url().getString());

	583 builder.append("' has been blocked by CORS policy: ");

	584 CrossOriginAccessControl::accessControlErrorString(

	585 builder, corsStatus, redirectResponse, getSecurityOrigin(),

	586 m_requestContext);

	587 accessControlErrorDescription = builder.toString();

	588 }

577 }	589 }

578	590

579 if (!allowRedirect) {	591 if (!allowRedirect) {

580 dispatchDidFailAccessControlCheck(ResourceError(	592 dispatchDidFailAccessControlCheck(ResourceError(

581 errorDomainBlinkInternal, 0, redirectResponse.url().getString(),	593 errorDomainBlinkInternal, 0, redirectResponse.url().getString(),

582 accessControlErrorDescription));	594 accessControlErrorDescription));

583 return false;	595 return false;

584 }	596 }

585	597

586 m_client->didReceiveRedirectTo(request.url());	598 m_client->didReceiveRedirectTo(request.url());

(...skipping 99 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
686 if (handle)	698 if (handle)

687 m_isUsingDataConsumerHandle = true;	699 m_isUsingDataConsumerHandle = true;

688	700

689 handleResponse(resource->identifier(), response, std::move(handle));	701 handleResponse(resource->identifier(), response, std::move(handle));

690 }	702 }

691	703

692 void DocumentThreadableLoader::handlePreflightResponse(	704 void DocumentThreadableLoader::handlePreflightResponse(

693 const ResourceResponse& response) {	705 const ResourceResponse& response) {

694 String accessControlErrorDescription;	706 String accessControlErrorDescription;

695	707

696 if (!passesAccessControlCheck(	708 CrossOriginAccessControl::AccessStatus corsStatus =

697 response, effectiveAllowCredentials(), getSecurityOrigin(),	709 CrossOriginAccessControl::checkAccess(

698 accessControlErrorDescription, m_requestContext)) {	710 response, effectiveAllowCredentials(), getSecurityOrigin());

699 handlePreflightFailure(	711 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) {

700 response.url().getString(),	712 StringBuilder builder;

701 "Response to preflight request doesn't pass access control check: " +	713 builder.append(

702 accessControlErrorDescription);	714 "Response to preflight request doesn't pass access "

	715 "control check: ");

	716 CrossOriginAccessControl::accessControlErrorString(

	717 builder, corsStatus, response, getSecurityOrigin(), m_requestContext);

	718 handlePreflightFailure(response.url().getString(), builder.toString());

703 return;	719 return;

704 }	720 }

705	721

706 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) {	722 CrossOriginAccessControl::PreflightStatus preflightStatus =

707 handlePreflightFailure(response.url().getString(),	723 CrossOriginAccessControl::checkPreflight(response);

708 accessControlErrorDescription);	724 if (preflightStatus != CrossOriginAccessControl::kPreflightSuccess) {

	725 StringBuilder builder;

	726 CrossOriginAccessControl::preflightErrorString(builder, preflightStatus,

	727 response);

	728 handlePreflightFailure(response.url().getString(), builder.toString());

709 return;	729 return;

710 }	730 }

711	731

712 if (m_actualRequest.isExternalRequest() &&	732 if (m_actualRequest.isExternalRequest()) {

713 !passesExternalPreflightCheck(response, accessControlErrorDescription)) {	733 CrossOriginAccessControl::PreflightStatus externalPreflightStatus =

714 handlePreflightFailure(response.url().getString(),	734 CrossOriginAccessControl::checkExternalPreflight(response);

715 accessControlErrorDescription);	735 if (externalPreflightStatus !=

716 return;	736 CrossOriginAccessControl::kPreflightSuccess) {

	737 StringBuilder builder;

	738 CrossOriginAccessControl::preflightErrorString(

	739 builder, externalPreflightStatus, response);

	740 handlePreflightFailure(response.url().getString(), builder.toString());

	741 return;

	742 }

717 }	743 }

718	744

719 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult =	745 std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult =

720 WTF::wrapUnique(	746 WTF::wrapUnique(

721 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));	747 new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));

722 if (!preflightResult->parse(response, accessControlErrorDescription) \|\|	748 if (!preflightResult->parse(response, accessControlErrorDescription) \|\|

723 !preflightResult->allowsCrossOriginMethod(	749 !preflightResult->allowsCrossOriginMethod(

724 m_actualRequest.httpMethod(), accessControlErrorDescription) \|\|	750 m_actualRequest.httpMethod(), accessControlErrorDescription) \|\|

725 !preflightResult->allowsCrossOriginHeaders(	751 !preflightResult->allowsCrossOriginHeaders(

726 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) {	752 m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) {

(...skipping 64 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
791 // loadFallbackRequestForServiceWorker().	817 // loadFallbackRequestForServiceWorker().

792 // FIXME: We should use \|m_sameOriginRequest\| when we will support Suborigins	818 // FIXME: We should use \|m_sameOriginRequest\| when we will support Suborigins

793 // (crbug.com/336894) for Service Worker.	819 // (crbug.com/336894) for Service Worker.

794 DCHECK(	820 DCHECK(

795 m_fallbackRequestForServiceWorker.isNull() \|\|	821 m_fallbackRequestForServiceWorker.isNull() \|\|

796 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url()));	822 getSecurityOrigin()->canRequest(m_fallbackRequestForServiceWorker.url()));

797 m_fallbackRequestForServiceWorker = ResourceRequest();	823 m_fallbackRequestForServiceWorker = ResourceRequest();

798	824

799 if (!m_sameOriginRequest &&	825 if (!m_sameOriginRequest &&

800 m_options.crossOriginRequestPolicy == UseAccessControl) {	826 m_options.crossOriginRequestPolicy == UseAccessControl) {

801 String accessControlErrorDescription;	827 CrossOriginAccessControl::AccessStatus corsStatus =

802 if (!passesAccessControlCheck(	828 CrossOriginAccessControl::checkAccess(

803 response, effectiveAllowCredentials(), getSecurityOrigin(),	829 response, effectiveAllowCredentials(), getSecurityOrigin());

804 accessControlErrorDescription, m_requestContext)) {	830 if (corsStatus != CrossOriginAccessControl::kAccessAllowed) {

805 reportResponseReceived(identifier, response);	831 reportResponseReceived(identifier, response);

806	832 StringBuilder builder;

	833 CrossOriginAccessControl::accessControlErrorString(

	834 builder, corsStatus, response, getSecurityOrigin(), m_requestContext);

807 dispatchDidFailAccessControlCheck(	835 dispatchDidFailAccessControlCheck(

808 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(),	836 ResourceError(errorDomainBlinkInternal, 0, response.url().getString(),

809 accessControlErrorDescription));	837 builder.toString()));

810 return;	838 return;

811 }	839 }

812 }	840 }

813	841

814 m_client->didReceiveResponse(identifier, response, std::move(handle));	842 m_client->didReceiveResponse(identifier, response, std::move(handle));

815 }	843 }

816	844

817 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*,	845 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*,

818 const char* data,	846 const char* data,

819 size_t size) {	847 size_t size) {

(...skipping 298 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1118 }	1146 }

1119	1147

1120 DEFINE_TRACE(DocumentThreadableLoader) {	1148 DEFINE_TRACE(DocumentThreadableLoader) {

1121 visitor->trace(m_resource);	1149 visitor->trace(m_resource);

1122 visitor->trace(m_document);	1150 visitor->trace(m_document);

1123 ThreadableLoader::trace(visitor);	1151 ThreadableLoader::trace(visitor);

1124 RawResourceClient::trace(visitor);	1152 RawResourceClient::trace(visitor);

1125 }	1153 }

1126	1154

1127 } // namespace blink	1155 } // namespace blink

OLD	NEW

« no previous file with comments | « third_party/WebKit/Source/core/fetch/ResourceLoader.cpp ('k') | no next file » | no next file with comments »