third_party/WebKit/Source/core/loader/FrameFetchContext.cpp - Issue 2823213002: Implement CanRequest in BaseFetchContext

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2823213002: Implement CanRequest in BaseFetchContext (Closed)

Patch Set: make it work with non-document Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameFetchContext.h ('k') | third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

index 295d433d0e978c2b73b6b0ac42003da62da698ea..8471c7ff317c61213be6e94484c8793887c250c8 100644

--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

@@ -337,10 +337,6 @@ LocalFrameClient* FrameFetchContext::GetLocalFrameClient() const {

return GetFrame()->Client();

}

-ContentSettingsClient* FrameFetchContext::GetContentSettingsClient() const {

- return GetFrame()->GetContentSettingsClient();

void FrameFetchContext::AddAdditionalRequestHeaders(ResourceRequest& request,

FetchResourceType type) {

BaseFetchContext::AddAdditionalRequestHeaders(request, type);

@@ -637,244 +633,6 @@ bool FrameFetchContext::AllowImage(bool images_enabled, const KURL& url) const {

return GetContentSettingsClient()->AllowImage(images_enabled, url);

}

-ResourceRequestBlockedReason FrameFetchContext::CanRequest(

- Resource::Type type,

- const ResourceRequest& resource_request,

- const KURL& url,

- const ResourceLoaderOptions& options,

- SecurityViolationReportingPolicy reporting_policy,

- FetchParameters::OriginRestriction origin_restriction) const {

- ResourceRequestBlockedReason blocked_reason = CanRequestInternal(

- type, resource_request, url, options, reporting_policy,

- origin_restriction, resource_request.GetRedirectStatus());

- if (blocked_reason != ResourceRequestBlockedReason::kNone &&

- reporting_policy == SecurityViolationReportingPolicy::kReport) {

- probe::didBlockRequest(GetFrame(), resource_request, MasterDocumentLoader(),

- options.initiator_info, blocked_reason);

- }

- return blocked_reason;

-ResourceRequestBlockedReason FrameFetchContext::CanFollowRedirect(

- Resource::Type type,

- const ResourceRequest& resource_request,

- const KURL& url,

- const ResourceLoaderOptions& options,

- SecurityViolationReportingPolicy reporting_policy,

- FetchParameters::OriginRestriction origin_restriction) const {

- // CanRequestInternal checks enforced CSP, so check report-only here to ensure

- // that violations are sent.

- CheckCSPForRequest(resource_request, url, options, reporting_policy,

- RedirectStatus::kFollowedRedirect,

- ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly);

- return CanRequest(type, resource_request, url, options, reporting_policy,

- origin_restriction);

-ResourceRequestBlockedReason FrameFetchContext::AllowResponse(

- Resource::Type type,

- const ResourceRequest& resource_request,

- const KURL& url,

- const ResourceLoaderOptions& options) const {

- // canRequestInternal only checks enforced policies: check report-only here

- // to ensure violations are sent.

- CheckCSPForRequest(resource_request, url, options,

- SecurityViolationReportingPolicy::kReport,

- RedirectStatus::kFollowedRedirect,

- ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly);

- ResourceRequestBlockedReason blocked_reason =

- CanRequestInternal(type, resource_request, url, options,

- SecurityViolationReportingPolicy::kReport,

- FetchParameters::kUseDefaultOriginRestrictionForType,

- RedirectStatus::kFollowedRedirect);

- if (blocked_reason != ResourceRequestBlockedReason::kNone) {

- probe::didBlockRequest(GetFrame(), resource_request, MasterDocumentLoader(),

- options.initiator_info, blocked_reason);

- }

- return blocked_reason;

-ResourceRequestBlockedReason FrameFetchContext::CanRequestInternal(

- Resource::Type type,

- const ResourceRequest& resource_request,

- const KURL& url,

- const ResourceLoaderOptions& options,

- SecurityViolationReportingPolicy reporting_policy,

- FetchParameters::OriginRestriction origin_restriction,

- ResourceRequest::RedirectStatus redirect_status) const {

- bool should_block_request = false;

- probe::shouldBlockRequest(GetFrame(), resource_request,

- &should_block_request);

- if (should_block_request)

- return ResourceRequestBlockedReason::kInspector;

- SecurityOrigin* security_origin = options.security_origin.Get();

- if (!security_origin && execution_context_)

- security_origin = execution_context_->GetSecurityOrigin();

- if (origin_restriction != FetchParameters::kNoOriginRestriction &&

- security_origin && !security_origin->CanDisplay(url)) {

- if (reporting_policy == SecurityViolationReportingPolicy::kReport)

- FrameLoader::ReportLocalLoadFailed(GetFrame(), url.ElidedString());

- RESOURCE_LOADING_DVLOG(1) << "ResourceFetcher::requestResource URL was not "

- "allowed by SecurityOrigin::canDisplay";

- return ResourceRequestBlockedReason::kOther;

- }

- // Some types of resources can be loaded only from the same origin. Other

- // types of resources, like Images, Scripts, and CSS, can be loaded from

- // any URL.

- switch (type) {

- case Resource::kMainResource:

- case Resource::kImage:

- case Resource::kCSSStyleSheet:

- case Resource::kScript:

- case Resource::kFont:

- case Resource::kRaw:

- case Resource::kLinkPrefetch:

- case Resource::kTextTrack:

- case Resource::kImportResource:

- case Resource::kMedia:

- case Resource::kManifest:

- case Resource::kMock:

- // By default these types of resources can be loaded from any origin.

- // FIXME: Are we sure about Resource::Font?

- if (origin_restriction == FetchParameters::kRestrictToSameOrigin &&

- !security_origin->CanRequest(url)) {

- PrintAccessDeniedMessage(url);

- return ResourceRequestBlockedReason::kOrigin;

- }

- break;

- case Resource::kXSLStyleSheet:

- DCHECK(RuntimeEnabledFeatures::xsltEnabled());

- case Resource::kSVGDocument:

- if (!security_origin->CanRequest(url)) {

- PrintAccessDeniedMessage(url);

- return ResourceRequestBlockedReason::kOrigin;

- }

- break;

- }

- // We check the 'report-only' headers before upgrading the request (in

- // populateResourceRequest). We check the enforced headers here to ensure we

- // block things we ought to block.

- if (CheckCSPForRequest(

- resource_request, url, options, reporting_policy, redirect_status,

- ContentSecurityPolicy::CheckHeaderType::kCheckEnforce) ==

- ResourceRequestBlockedReason::CSP) {

- return ResourceRequestBlockedReason::CSP;

- }

- if (type == Resource::kScript || type == Resource::kImportResource) {

- DCHECK(GetFrame());

- if (!GetContentSettingsClient()->AllowScriptFromSource(

- !GetFrame()->GetSettings() ||

- GetFrame()->GetSettings()->GetScriptEnabled(),

- url)) {

- GetContentSettingsClient()->DidNotAllowScript();

- // TODO(estark): Use a different ResourceRequestBlockedReason here, since

- // this check has nothing to do with CSP. https://crbug.com/600795

- return ResourceRequestBlockedReason::CSP;

- }

- // SVG Images have unique security rules that prevent all subresource requests

- // except for data urls.

- if (type != Resource::kMainResource &&

- GetFrame()->GetChromeClient().IsSVGImageChromeClient() &&

- !url.ProtocolIsData())

- return ResourceRequestBlockedReason::kOrigin;

- // Measure the number of legacy URL schemes ('ftp://') and the number of

- // embedded-credential ('http://user:password@...') resources embedded as

- // subresources.

- if (resource_request.GetFrameType() != WebURLRequest::kFrameTypeTopLevel) {

- DCHECK(GetFrame()->GetDocument());

- if (SchemeRegistry::ShouldTreatURLSchemeAsLegacy(url.Protocol()) &&

- !SchemeRegistry::ShouldTreatURLSchemeAsLegacy(

- GetFrame()->GetDocument()->GetSecurityOrigin()->Protocol())) {

- Deprecation::CountDeprecation(

- GetFrame()->GetDocument(),

- UseCounter::kLegacyProtocolEmbeddedAsSubresource);

- // TODO(mkwst): Enabled by default in M59. Drop the runtime-enabled check

- // in M60: https://www.chromestatus.com/feature/5709390967472128

- if (RuntimeEnabledFeatures::blockLegacySubresourcesEnabled())

- return ResourceRequestBlockedReason::kOrigin;

- }

- if ((!url.User().IsEmpty() || !url.Pass().IsEmpty()) &&

- resource_request.GetRequestContext() !=

- WebURLRequest::kRequestContextXMLHttpRequest) {

- Deprecation::CountDeprecation(

- GetFrame()->GetDocument(),

- UseCounter::kRequestedSubresourceWithEmbeddedCredentials);

- // TODO(mkwst): Remove the runtime-enabled check in M59:

- // https://www.chromestatus.com/feature/5669008342777856

- if (RuntimeEnabledFeatures::blockCredentialedSubresourcesEnabled())

- return ResourceRequestBlockedReason::kOrigin;

- }

- // Check for mixed content. We do this second-to-last so that when folks block

- // mixed content with a CSP policy, they don't get a warning. They'll still

- // get a warning in the console about CSP blocking the load.

- if (MixedContentChecker::ShouldBlockFetch(GetFrame(), resource_request, url,

- reporting_policy))

- return ResourceRequestBlockedReason::kMixedContent;

- if (url.WhitespaceRemoved()) {

- Deprecation::CountDeprecation(

- GetFrame()->GetDocument(),

- UseCounter::kCanRequestURLHTTPContainingNewline);

- if (url.ProtocolIsInHTTPFamily()) {

- if (RuntimeEnabledFeatures::restrictCanRequestURLCharacterSetEnabled())

- return ResourceRequestBlockedReason::kOther;

- } else {

- UseCounter::Count(GetFrame()->GetDocument(),

- UseCounter::kCanRequestURLNonHTTPContainingNewline);

- }

- // Let the client have the final say into whether or not the load should

- // proceed.

- DocumentLoader* document_loader = MasterDocumentLoader();

- if (document_loader && document_loader->GetSubresourceFilter() &&

- type != Resource::kMainResource && type != Resource::kImportResource) {

- if (!document_loader->GetSubresourceFilter()->AllowLoad(

- url, resource_request.GetRequestContext(), reporting_policy)) {

- return ResourceRequestBlockedReason::kSubresourceFilter;

- }

- return ResourceRequestBlockedReason::kNone;

-ResourceRequestBlockedReason FrameFetchContext::CheckCSPForRequest(

- const ResourceRequest& resource_request,

- const KURL& url,

- const ResourceLoaderOptions& options,

- SecurityViolationReportingPolicy reporting_policy,

- ResourceRequest::RedirectStatus redirect_status,

- ContentSecurityPolicy::CheckHeaderType check_header_type) const {

- if (GetFrame()->GetScriptController().ShouldBypassMainWorldCSP() ||

- options.content_security_policy_option ==

- kDoNotCheckContentSecurityPolicy) {

- return ResourceRequestBlockedReason::kNone;

- }

- if (execution_context_) {

- DCHECK(execution_context_->GetContentSecurityPolicy());

- if (!execution_context_->GetContentSecurityPolicy()->AllowRequest(

- resource_request.GetRequestContext(), url,

- options.content_security_policy_nonce, options.integrity_metadata,

- options.parser_disposition, redirect_status, reporting_policy,

- check_header_type))

- return ResourceRequestBlockedReason::CSP;

- }

- return ResourceRequestBlockedReason::kNone;

bool FrameFetchContext::IsControlledByServiceWorker() const {

DCHECK(MasterDocumentLoader());

@@ -1082,6 +840,69 @@ RefPtr<WebTaskRunner> FrameFetchContext::LoadingTaskRunner() const {

return GetFrame()->FrameScheduler()->LoadingTaskRunner();

}

+ContentSettingsClient* FrameFetchContext::GetContentSettingsClient() const {

+ return GetFrame()->GetContentSettingsClient();

+Settings* FrameFetchContext::GetSettings() const {

+ DCHECK(GetFrame());

+ return GetFrame()->GetSettings();

+SubresourceFilter* FrameFetchContext::GetSubresourceFilter() const {

+ DocumentLoader* document_loader = MasterDocumentLoader();

+ return document_loader ? document_loader->GetSubresourceFilter() : nullptr;

+SecurityContext* FrameFetchContext::GetMainResourceSecurityContext() const {

+ DCHECK(GetFrame()->GetDocument());

+ return GetFrame()->GetDocument();

+bool FrameFetchContext::ShouldBlockRequestByInspector(

+ const ResourceRequest& resource_request) const {

+ bool should_block_request = false;

+ probe::shouldBlockRequest(GetFrame(), resource_request,

+ &should_block_request);

+ return should_block_request;

+void FrameFetchContext::DispatchDidBlockRequest(

+ const ResourceRequest& resource_request,

+ const FetchInitiatorInfo& fetch_initiator_info,

+ ResourceRequestBlockedReason blocked_reason) const {

+ probe::didBlockRequest(GetFrame(), resource_request, MasterDocumentLoader(),

+ fetch_initiator_info, blocked_reason);

+void FrameFetchContext::ReportLocalLoadFailed(const KURL& url) const {

+ FrameLoader::ReportLocalLoadFailed(GetFrame(), url.ElidedString());

+bool FrameFetchContext::ShouldBypassMainWorldCSP() const {

+ return GetFrame()->GetScriptController().ShouldBypassMainWorldCSP();

+bool FrameFetchContext::IsSVGImageChromeClient() const {

+ return GetFrame()->GetChromeClient().IsSVGImageChromeClient();

+void FrameFetchContext::CountUsage(UseCounter::Feature feature) const {

+ UseCounter::Count(GetFrame()->GetDocument(), feature);

+void FrameFetchContext::CountDeprecation(UseCounter::Feature feature) const {

+ Deprecation::CountDeprecation(GetFrame()->GetDocument(), feature);

+bool FrameFetchContext::ShouldBlockFetchByMixedContentCheck(

+ const ResourceRequest& resource_request,

+ const KURL& url,

+ SecurityViolationReportingPolicy reporting_policy) const {

+ return MixedContentChecker::ShouldBlockFetch(GetFrame(), resource_request,

+ url, reporting_policy);

DEFINE_TRACE(FrameFetchContext) {

visitor->Trace(document_loader_);

BaseFetchContext::Trace(visitor);