Source/core/loader/DocumentThreadableLoader.cpp - Issue 312653002: ResourceLoaderOptions also must be updated by updateRequestForAccessControl()

Side by Side Diff: Source/core/loader/DocumentThreadableLoader.cpp

Issue 312653002: ResourceLoaderOptions also must be updated by updateRequestForAccessControl() (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.	2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.

3 * Copyright (C) 2013, Intel Corporation	3 * Copyright (C) 2013, Intel Corporation

4 *	4 *

5 * Redistribution and use in source and binary forms, with or without	5 * Redistribution and use in source and binary forms, with or without

6 * modification, are permitted provided that the following conditions are	6 * modification, are permitted provided that the following conditions are

7 * met:	7 * met:

8 *	8 *

9 * * Redistributions of source code must retain the above copyright	9 * * Redistributions of source code must retain the above copyright

10 * notice, this list of conditions and the following disclaimer.	10 * notice, this list of conditions and the following disclaimer.

(...skipping 76 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request	87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request

88 // create a new one, and copy these headers.	88 // create a new one, and copy these headers.

89 const HTTPHeaderMap& headerMap = request.httpHeaderFields();	89 const HTTPHeaderMap& headerMap = request.httpHeaderFields();

90 HTTPHeaderMap::const_iterator end = headerMap.end();	90 HTTPHeaderMap::const_iterator end = headerMap.end();

91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {	91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {

92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value))	92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value))

93 m_simpleRequestHeaders.add(it->key, it->value);	93 m_simpleRequestHeaders.add(it->key, it->value);

94 }	94 }

95	95

96 if (m_sameOriginRequest \|\| m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) {	96 if (m_sameOriginRequest \|\| m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) {

97 loadRequest(request);	97 loadRequest(request, m_resourceLoaderOptions);

98 return;	98 return;

99 }	99 }

100	100

101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {	101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {

102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported."));	102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported."));

103 return;	103 return;

104 }	104 }

105	105

106 makeCrossOriginAccessRequest(request);	106 makeCrossOriginAccessRequest(request);

107 }	107 }

108	108

109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request)	109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request)

110 {	110 {

111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);	111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);

112	112

113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) \|\| m_options.pref lightPolicy == PreventPreflight) {	113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) \|\| m_options.pref lightPolicy == PreventPreflight) {

114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied.	114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied.

115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) {	115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) {

116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));	116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));

117 return;	117 return;

118 }	118 }

119	119

120 ResourceRequest crossOriginRequest(request);	120 ResourceRequest crossOriginRequest(request);

	121 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);

121 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al lowCredentials);	122 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al lowCredentials);

122 loadRequest(crossOriginRequest);	123 loadRequest(crossOriginRequest, crossOriginOptions);

123 } else {	124 } else {

124 m_simpleRequest = false;	125 m_simpleRequest = false;

125	126

126 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request));	127 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request));

	128 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions));

127 // Do not set the Origin header for preflight requests.	129 // Do not set the Origin header for preflight requests.

128 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials );	130 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials );

129 m_actualRequest = crossOriginRequest.release();	131 m_actualRequest = crossOriginRequest.release();

	132 m_actualOptions = crossOriginOptions.release();

130	133

131 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest ->httpMethod(), m_actualRequest->httpHeaderFields())) {	134 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest ->httpMethod(), m_actualRequest->httpHeaderFields())) {

132 loadActualRequest();	135 loadActualRequest();

133 } else {	136 } else {

134 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin());	137 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin());

135 loadRequest(preflightRequest);	138 // Create a ResourceLoaderOptions for preflight.

	139 ResourceLoaderOptions preflightOptions = *m_actualOptions;
	Nate Chapin 2014/06/03 16:24:56 m_acutalOptions.get() is how we usually dereferenc m_acutalOptions.get() is how we usually dereference an OwnPtr, but I guess this is consistent with the rest of the file. tyoshino (SeeGerritForStatus) 2014/06/04 05:50:35 Oh, ok. Fixed the rest too instead. Show quoted text On 2014/06/03 16:24:56, Nate Chapin wrote: > m_acutalOptions.get() is how we usually dereference an OwnPtr, but I guess this > is consistent with the rest of the file. Oh, ok. Fixed the rest too instead.
	140 preflightOptions.allowCredentials = DoNotAllowStoredCredentials;

	141 loadRequest(preflightRequest, preflightOptions);

136 }	142 }

137 }	143 }

138 }	144 }

139	145

140 DocumentThreadableLoader::~DocumentThreadableLoader()	146 DocumentThreadableLoader::~DocumentThreadableLoader()

141 {	147 {

142 }	148 }

143	149

144 void DocumentThreadableLoader::cancel()	150 void DocumentThreadableLoader::cancel()

145 {	151 {

(...skipping 223 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
369 static const int timeoutError = -7;	375 static const int timeoutError = -7;

370 ResourceError error("net", timeoutError, resource()->url(), String());	376 ResourceError error("net", timeoutError, resource()->url(), String());

371 error.setIsTimeout(true);	377 error.setIsTimeout(true);

372 cancelWithError(error);	378 cancelWithError(error);

373 }	379 }

374	380

375 void DocumentThreadableLoader::loadActualRequest()	381 void DocumentThreadableLoader::loadActualRequest()

376 {	382 {

377 OwnPtr<ResourceRequest> actualRequest;	383 OwnPtr<ResourceRequest> actualRequest;

378 actualRequest.swap(m_actualRequest);	384 actualRequest.swap(m_actualRequest);

	385 OwnPtr<ResourceLoaderOptions> actualOptions;

	386 actualOptions.swap(m_actualOptions);

379	387

380 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString());	388 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString());

381	389

382 clearResource();	390 clearResource();

383	391

384 loadRequest(*actualRequest);	392 loadRequest(actualRequest, actualOptions);

385 }	393 }

386	394

387 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription)	395 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription)

388 {	396 {

389 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);	397 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);

390	398

391 // Prevent handleSuccessfulFinish() from bypassing access check.	399 // Prevent handleSuccessfulFinish() from bypassing access check.

392 m_actualRequest = nullptr;	400 m_actualRequest = nullptr;

393	401

394 m_client->didFailAccessControlCheck(error);	402 m_client->didFailAccessControlCheck(error);

395 }	403 }

396	404

397 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request)	405 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Resou rceLoaderOptions resourceLoaderOptions)

398 {	406 {

399 // Any credential should have been removed from the cross-site requests.	407 // Any credential should have been removed from the cross-site requests.

400 const KURL& requestURL = request.url();	408 const KURL& requestURL = request.url();

401 ASSERT(m_sameOriginRequest \|\| requestURL.user().isEmpty());	409 ASSERT(m_sameOriginRequest \|\| requestURL.user().isEmpty());

402 ASSERT(m_sameOriginRequest \|\| requestURL.pass().isEmpty());	410 ASSERT(m_sameOriginRequest \|\| requestURL.pass().isEmpty());

403	411

404 ResourceLoaderOptions resourceLoaderOptions = m_resourceLoaderOptions;

405 // Update resourceLoaderOptions with enforced values.	412 // Update resourceLoaderOptions with enforced values.

406 resourceLoaderOptions.allowCredentials = m_allowCredentials;	413 if (m_allowCredentials == DoNotAllowStoredCredentials)

	414 resourceLoaderOptions.allowCredentials = DoNotAllowStoredCredentials;
	Nate Chapin 2014/06/03 16:24:56 I take it there are cases where m_allowCredentials I take it there are cases where m_allowCredentials will allow credenetials, but resourceLoaderOptions.allowCredentials will not? When exactly is this the case? tyoshino (SeeGerritForStatus) 2014/06/04 05:50:35 This code need to be like this because for preflig Show quoted text On 2014/06/03 16:24:56, Nate Chapin wrote: > I take it there are cases where m_allowCredentials will allow credenetials, but > resourceLoaderOptions.allowCredentials will not? When exactly is this the case? This code need to be like this because for preflight request we set resourceLoaderOptions to DoNot and we don't want it to be overridden by m_allowCredentials here. m_allowCredentials is only set to DoNotAllowStoredCredentials at L233 when redirect happens. Otherwise, it's the same as the original allowCredentials value set in m_resourceLoaderOptions. I replaced m_allowCredentials with a boolean named "forceDoNotAllowStoredCredentials" to make it clear.
407 resourceLoaderOptions.securityOrigin = m_securityOrigin;	415 resourceLoaderOptions.securityOrigin = m_securityOrigin;

408 if (m_async) {	416 if (m_async) {

409 if (m_actualRequest) {	417 if (m_actualRequest) {

410 resourceLoaderOptions.sniffContent = DoNotSniffContent;	418 resourceLoaderOptions.sniffContent = DoNotSniffContent;

411 resourceLoaderOptions.dataBufferingPolicy = BufferData;	419 resourceLoaderOptions.dataBufferingPolicy = BufferData;

412 }	420 }

413	421

414 if (m_options.timeoutMilliseconds > 0)	422 if (m_options.timeoutMilliseconds > 0)

415 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE);	423 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE);

416	424

(...skipping 61 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
478 return true;	486 return true;

479 return m_document.contentSecurityPolicy()->allowConnectToSource(url);	487 return m_document.contentSecurityPolicy()->allowConnectToSource(url);

480 }	488 }

481	489

482 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const	490 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const

483 {	491 {

484 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin ();	492 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin ();

485 }	493 }

486	494

487 } // namespace WebCore	495 } // namespace WebCore

OLD	NEW

« no previous file with comments | « Source/core/loader/DocumentThreadableLoader.h ('k') | no next file » | no next file with comments »