OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request | 87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request |
88 // create a new one, and copy these headers. | 88 // create a new one, and copy these headers. |
89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); | 89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); |
90 HTTPHeaderMap::const_iterator end = headerMap.end(); | 90 HTTPHeaderMap::const_iterator end = headerMap.end(); |
91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { | 91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { |
92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) | 92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) |
93 m_simpleRequestHeaders.add(it->key, it->value); | 93 m_simpleRequestHeaders.add(it->key, it->value); |
94 } | 94 } |
95 | 95 |
96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) { | 96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) { |
97 loadRequest(request); | 97 loadRequest(request, m_resourceLoaderOptions); |
98 return; | 98 return; |
99 } | 99 } |
100 | 100 |
101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { | 101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { |
102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported.")); | 102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported.")); |
103 return; | 103 return; |
104 } | 104 } |
105 | 105 |
106 makeCrossOriginAccessRequest(request); | 106 makeCrossOriginAccessRequest(request); |
107 } | 107 } |
108 | 108 |
109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) | 109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) |
110 { | 110 { |
111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); | 111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); |
112 | 112 |
113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) { | 113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) { |
114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied. | 114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied. |
115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) { | 115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) { |
116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP.")); | 116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP.")); |
117 return; | 117 return; |
118 } | 118 } |
119 | 119 |
120 ResourceRequest crossOriginRequest(request); | 120 ResourceRequest crossOriginRequest(request); |
121 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); | |
121 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al lowCredentials); | 122 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al lowCredentials); |
122 loadRequest(crossOriginRequest); | 123 loadRequest(crossOriginRequest, crossOriginOptions); |
123 } else { | 124 } else { |
124 m_simpleRequest = false; | 125 m_simpleRequest = false; |
125 | 126 |
126 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); | 127 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); |
128 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions)); | |
127 // Do not set the Origin header for preflight requests. | 129 // Do not set the Origin header for preflight requests. |
128 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials ); | 130 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials ); |
129 m_actualRequest = crossOriginRequest.release(); | 131 m_actualRequest = crossOriginRequest.release(); |
132 m_actualOptions = crossOriginOptions.release(); | |
130 | 133 |
131 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest ->httpMethod(), m_actualRequest->httpHeaderFields())) { | 134 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest ->httpMethod(), m_actualRequest->httpHeaderFields())) { |
132 loadActualRequest(); | 135 loadActualRequest(); |
133 } else { | 136 } else { |
134 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin()); | 137 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin()); |
135 loadRequest(preflightRequest); | 138 // Create a ResourceLoaderOptions for preflight. |
139 ResourceLoaderOptions preflightOptions = *m_actualOptions; | |
Nate Chapin
2014/06/03 16:24:56
m_actualOptions.get() is how we usually dereferenc
tyoshino (SeeGerritForStatus)
2014/06/04 05:50:35
Oh, ok. Fixed the rest too instead.
| |
140 preflightOptions.allowCredentials = DoNotAllowStoredCredentials; | |
141 loadRequest(preflightRequest, preflightOptions); | |
136 } | 142 } |
137 } | 143 } |
138 } | 144 } |
139 | 145 |
140 DocumentThreadableLoader::~DocumentThreadableLoader() | 146 DocumentThreadableLoader::~DocumentThreadableLoader() |
141 { | 147 { |
142 } | 148 } |
143 | 149 |
144 void DocumentThreadableLoader::cancel() | 150 void DocumentThreadableLoader::cancel() |
145 { | 151 { |
369 static const int timeoutError = -7; | 375 static const int timeoutError = -7; |
370 ResourceError error("net", timeoutError, resource()->url(), String()); | 376 ResourceError error("net", timeoutError, resource()->url(), String()); |
371 error.setIsTimeout(true); | 377 error.setIsTimeout(true); |
372 cancelWithError(error); | 378 cancelWithError(error); |
373 } | 379 } |
374 | 380 |
375 void DocumentThreadableLoader::loadActualRequest() | 381 void DocumentThreadableLoader::loadActualRequest() |
376 { | 382 { |
377 OwnPtr<ResourceRequest> actualRequest; | 383 OwnPtr<ResourceRequest> actualRequest; |
378 actualRequest.swap(m_actualRequest); | 384 actualRequest.swap(m_actualRequest); |
385 OwnPtr<ResourceLoaderOptions> actualOptions; | |
386 actualOptions.swap(m_actualOptions); | |
379 | 387 |
380 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); | 388 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); |
381 | 389 |
382 clearResource(); | 390 clearResource(); |
383 | 391 |
384 loadRequest(*actualRequest); | 392 loadRequest(*actualRequest, *actualOptions); |
385 } | 393 } |
386 | 394 |
387 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription) | 395 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription) |
388 { | 396 { |
389 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); | 397 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); |
390 | 398 |
391 // Prevent handleSuccessfulFinish() from bypassing access check. | 399 // Prevent handleSuccessfulFinish() from bypassing access check. |
392 m_actualRequest = nullptr; | 400 m_actualRequest = nullptr; |
393 | 401 |
394 m_client->didFailAccessControlCheck(error); | 402 m_client->didFailAccessControlCheck(error); |
395 } | 403 } |
396 | 404 |
397 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request) | 405 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Resou rceLoaderOptions resourceLoaderOptions) |
398 { | 406 { |
399 // Any credential should have been removed from the cross-site requests. | 407 // Any credential should have been removed from the cross-site requests. |
400 const KURL& requestURL = request.url(); | 408 const KURL& requestURL = request.url(); |
401 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); | 409 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); |
402 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); | 410 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); |
403 | 411 |
404 ResourceLoaderOptions resourceLoaderOptions = m_resourceLoaderOptions; | |
405 // Update resourceLoaderOptions with enforced values. | 412 // Update resourceLoaderOptions with enforced values. |
406 resourceLoaderOptions.allowCredentials = m_allowCredentials; | 413 if (m_allowCredentials == DoNotAllowStoredCredentials) |
414 resourceLoaderOptions.allowCredentials = DoNotAllowStoredCredentials; | |
Nate Chapin
2014/06/03 16:24:56
I take it there are cases where m_allowCredentials
tyoshino (SeeGerritForStatus)
2014/06/04 05:50:35
This code needs to be like this because for preflig
| |
407 resourceLoaderOptions.securityOrigin = m_securityOrigin; | 415 resourceLoaderOptions.securityOrigin = m_securityOrigin; |
408 if (m_async) { | 416 if (m_async) { |
409 if (m_actualRequest) { | 417 if (m_actualRequest) { |
410 resourceLoaderOptions.sniffContent = DoNotSniffContent; | 418 resourceLoaderOptions.sniffContent = DoNotSniffContent; |
411 resourceLoaderOptions.dataBufferingPolicy = BufferData; | 419 resourceLoaderOptions.dataBufferingPolicy = BufferData; |
412 } | 420 } |
413 | 421 |
414 if (m_options.timeoutMilliseconds > 0) | 422 if (m_options.timeoutMilliseconds > 0) |
415 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE); | 423 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE); |
416 | 424 |
478 return true; | 486 return true; |
479 return m_document.contentSecurityPolicy()->allowConnectToSource(url); | 487 return m_document.contentSecurityPolicy()->allowConnectToSource(url); |
480 } | 488 } |
481 | 489 |
482 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 490 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
483 { | 491 { |
484 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); | 492 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); |
485 } | 493 } |
486 | 494 |
487 } // namespace WebCore | 495 } // namespace WebCore |
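Review bot: `m_actualOptions` is now stored next to `m_actualRequest` in makeCrossOriginAccessRequest(), but handlePreflightFailure() still resets only `m_actualRequest`, so the options captured for the actual request are left behind after a failed preflight. Nothing visible reads them once `m_actualRequest` is null, yet loadActualRequest() consumes the two as a pair, and giving them identical lifetimes keeps the "no actual request after a failed access check" invariant easy to audit; add `m_actualOptions = nullptr;` beside `m_actualRequest = nullptr;`. loadActualRequest() also dereferences `*actualOptions` unchecked, so an `ASSERT(actualOptions);` after the swap would document that both members are always set together. Any other path that clears `m_actualRequest` in the regions skipped on this page (cancel and redirect handling are not shown) would presumably need the same reset.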