| OLD | NEW |
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 582 matching lines...) |
| 593 StringBuilder builder; | 593 StringBuilder builder; |
| 594 builder.Append("Redirect from '"); | 594 builder.Append("Redirect from '"); |
| 595 builder.Append(redirect_response.Url().GetString()); | 595 builder.Append(redirect_response.Url().GetString()); |
| 596 builder.Append("' to '"); | 596 builder.Append("' to '"); |
| 597 builder.Append(request.Url().GetString()); | 597 builder.Append(request.Url().GetString()); |
| 598 builder.Append("' has been blocked by CORS policy: "); | 598 builder.Append("' has been blocked by CORS policy: "); |
| 599 CrossOriginAccessControl::AccessControlErrorString( | 599 CrossOriginAccessControl::AccessControlErrorString( |
| 600 builder, cors_status, redirect_response, GetSecurityOrigin(), | 600 builder, cors_status, redirect_response, GetSecurityOrigin(), |
| 601 request_context_); | 601 request_context_); |
| 602 access_control_error_description = builder.ToString(); | 602 access_control_error_description = builder.ToString(); |
| 603 } else { |
| 604 MeasureAccessControlAllowOrigin(redirect_response); |
| 603 } | 605 } |
| 604 } | 606 } |
| 605 | 607 |
| 606 if (!allow_redirect) { | 608 if (!allow_redirect) { |
| 607 DispatchDidFailAccessControlCheck(ResourceError( | 609 DispatchDidFailAccessControlCheck(ResourceError( |
| 608 kErrorDomainBlinkInternal, 0, redirect_response.Url().GetString(), | 610 kErrorDomainBlinkInternal, 0, redirect_response.Url().GetString(), |
| 609 access_control_error_description)); | 611 access_control_error_description)); |
| 610 return false; | 612 return false; |
| 611 } | 613 } |
| 612 | 614 |
| (...skipping 113 matching lines...) |
| 726 response, EffectiveAllowCredentials(), GetSecurityOrigin()); | 728 response, EffectiveAllowCredentials(), GetSecurityOrigin()); |
| 727 if (cors_status != CrossOriginAccessControl::kAccessAllowed) { | 729 if (cors_status != CrossOriginAccessControl::kAccessAllowed) { |
| 728 StringBuilder builder; | 730 StringBuilder builder; |
| 729 builder.Append( | 731 builder.Append( |
| 730 "Response to preflight request doesn't pass access " | 732 "Response to preflight request doesn't pass access " |
| 731 "control check: "); | 733 "control check: "); |
| 732 CrossOriginAccessControl::AccessControlErrorString( | 734 CrossOriginAccessControl::AccessControlErrorString( |
| 733 builder, cors_status, response, GetSecurityOrigin(), request_context_); | 735 builder, cors_status, response, GetSecurityOrigin(), request_context_); |
| 734 HandlePreflightFailure(response.Url().GetString(), builder.ToString()); | 736 HandlePreflightFailure(response.Url().GetString(), builder.ToString()); |
| 735 return; | 737 return; |
| 738 } else { |
| 739 MeasureAccessControlAllowOrigin(response); |
| 736 } | 740 } |
| 737 | 741 |
| 738 CrossOriginAccessControl::PreflightStatus preflight_status = | 742 CrossOriginAccessControl::PreflightStatus preflight_status = |
| 739 CrossOriginAccessControl::CheckPreflight(response); | 743 CrossOriginAccessControl::CheckPreflight(response); |
| 740 if (preflight_status != CrossOriginAccessControl::kPreflightSuccess) { | 744 if (preflight_status != CrossOriginAccessControl::kPreflightSuccess) { |
| 741 StringBuilder builder; | 745 StringBuilder builder; |
| 742 CrossOriginAccessControl::PreflightErrorString(builder, preflight_status, | 746 CrossOriginAccessControl::PreflightErrorString(builder, preflight_status, |
| 743 response); | 747 response); |
| 744 HandlePreflightFailure(response.Url().GetString(), builder.ToString()); | 748 HandlePreflightFailure(response.Url().GetString(), builder.ToString()); |
| 745 return; | 749 return; |
| (...skipping 99 matching lines...) |
| 845 if (cors_status != CrossOriginAccessControl::kAccessAllowed) { | 849 if (cors_status != CrossOriginAccessControl::kAccessAllowed) { |
| 846 ReportResponseReceived(identifier, response); | 850 ReportResponseReceived(identifier, response); |
| 847 StringBuilder builder; | 851 StringBuilder builder; |
| 848 CrossOriginAccessControl::AccessControlErrorString( | 852 CrossOriginAccessControl::AccessControlErrorString( |
| 849 builder, cors_status, response, GetSecurityOrigin(), | 853 builder, cors_status, response, GetSecurityOrigin(), |
| 850 request_context_); | 854 request_context_); |
| 851 DispatchDidFailAccessControlCheck( | 855 DispatchDidFailAccessControlCheck( |
| 852 ResourceError(kErrorDomainBlinkInternal, 0, | 856 ResourceError(kErrorDomainBlinkInternal, 0, |
| 853 response.Url().GetString(), builder.ToString())); | 857 response.Url().GetString(), builder.ToString())); |
| 854 return; | 858 return; |
| 859 } else { |
| 860 MeasureAccessControlAllowOrigin(response); |
| 855 } | 861 } |
| 856 } | 862 } |
| 857 | 863 |
| 858 client_->DidReceiveResponse(identifier, response, std::move(handle)); | 864 client_->DidReceiveResponse(identifier, response, std::move(handle)); |
| 859 } | 865 } |
| 860 | 866 |
| 861 void DocumentThreadableLoader::SetSerializedCachedMetadata(Resource*, | 867 void DocumentThreadableLoader::SetSerializedCachedMetadata(Resource*, |
| 862 const char* data, | 868 const char* data, |
| 863 size_t size) { | 869 size_t size) { |
| 864 checker_.SetSerializedCachedMetadata(); | 870 checker_.SetSerializedCachedMetadata(); |
| (...skipping 290 matching lines...) |
| 1155 const SecurityOrigin* DocumentThreadableLoader::GetSecurityOrigin() const { | 1161 const SecurityOrigin* DocumentThreadableLoader::GetSecurityOrigin() const { |
| 1156 return security_origin_ ? security_origin_.Get() | 1162 return security_origin_ ? security_origin_.Get() |
| 1157 : loading_context_->GetSecurityOrigin(); | 1163 : loading_context_->GetSecurityOrigin(); |
| 1158 } | 1164 } |
| 1159 | 1165 |
| 1160 Document* DocumentThreadableLoader::GetDocument() const { | 1166 Document* DocumentThreadableLoader::GetDocument() const { |
| 1161 DCHECK(loading_context_); | 1167 DCHECK(loading_context_); |
| 1162 return loading_context_->GetLoadingDocument(); | 1168 return loading_context_->GetLoadingDocument(); |
| 1163 } | 1169 } |
| 1164 | 1170 |
| 1171 void DocumentThreadableLoader::MeasureAccessControlAllowOrigin( |
| 1172 const ResourceResponse& response) const { |
| 1173 DEFINE_STATIC_LOCAL(AtomicString, null_token, ("null")); |
| 1174 const AtomicString& acao = |
| 1175 response.HttpHeaderField(HTTPNames::Access_Control_Allow_Origin); |
| 1176 if (acao == null_token && EffectiveAllowCredentials()) { |
| 1177 loading_context_->RecordUseCount( |
| 1178 UseCounter::kAccessControlAllowOriginNullWithCredentials); |
| 1179 } |
| 1180 if (SecurityOrigin::IsSecure(response.Url()) && |
| 1181 !GetSecurityOrigin()->IsPotentiallyTrustworthy()) { |
| 1182 if (acao == g_star_atom) { |
| 1183 loading_context_->RecordUseCount( |
| 1184 UseCounter::kAccessControlAllowOriginInsecureStarFromHTTPS); |
| 1185 } else if (acao == null_token) { |
| 1186 loading_context_->RecordUseCount( |
| 1187 UseCounter::kAccessControlAllowOriginInsecureNullFromHTTPS); |
| 1188 } else { |
| 1189 loading_context_->RecordUseCount( |
| 1190 UseCounter::kAccessControlAllowOriginInsecureExplicitFromHTTPS); |
| 1191 } |
| 1192 } |
| 1193 } |
| 1194 |
| 1165 DEFINE_TRACE(DocumentThreadableLoader) { | 1195 DEFINE_TRACE(DocumentThreadableLoader) { |
| 1166 visitor->Trace(resource_); | 1196 visitor->Trace(resource_); |
| 1167 visitor->Trace(loading_context_); | 1197 visitor->Trace(loading_context_); |
| 1168 ThreadableLoader::Trace(visitor); | 1198 ThreadableLoader::Trace(visitor); |
| 1169 RawResourceClient::Trace(visitor); | 1199 RawResourceClient::Trace(visitor); |
| 1170 } | 1200 } |
| 1171 | 1201 |
| 1172 } // namespace blink | 1202 } // namespace blink |
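Review bot: `DEFINE_STATIC_LOCAL(AtomicString, null_token, ("null"))` in the new MeasureAccessControlAllowOrigin (new lines 1171-1193) keeps a function-static AtomicString alive in a method that only reaches its context through `loading_context_`; if this loader can ever run off the main thread (not visible here), that static would be shared across threads, so it is worth confirming the threading assumption or comparing against the literal directly, e.g. `if (acao == "null" && EffectiveAllowCredentials()) {`. The final `else` at new line 1188 records kAccessControlAllowOriginInsecureExplicitFromHTTPS for every value that is neither `*` nor `null`, which is only meaningful because the visible call sites run after the check returned kAccessAllowed; the function should say so, for example `// Call only after the CORS check passed. Counts secure responses whose Access-Control-Allow-Origin grants read access to a non-trustworthy origin, where an on-path attacker who controls the insecure page can read the HTTPS response.` The `} else {` added after `return;` at new lines 738 and 859 is redundant, and the call can simply follow the `if` block. The three calling functions start outside the visible hunks, so the condition guarding the first call site (new line 603) is inferred to be the same status check rather than seen.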
| OLD | NEW |