OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
66 if (!loader->resource()) | 66 if (!loader->resource()) |
67 loader = nullptr; | 67 loader = nullptr; |
68 return loader.release(); | 68 return loader.release(); |
69 } | 69 } |
70 | 70 |
71 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl eLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& r esourceLoaderOptions) | 71 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl eLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& r esourceLoaderOptions) |
72 : m_client(client) | 72 : m_client(client) |
73 , m_document(document) | 73 , m_document(document) |
74 , m_options(options) | 74 , m_options(options) |
75 , m_resourceLoaderOptions(resourceLoaderOptions) | 75 , m_resourceLoaderOptions(resourceLoaderOptions) |
76 , m_allowCredentials(m_resourceLoaderOptions.allowCredentials) | 76 , m_forceDoNotAllowStoredCredentials(false) |
77 , m_securityOrigin(m_resourceLoaderOptions.securityOrigin) | 77 , m_securityOrigin(m_resourceLoaderOptions.securityOrigin) |
78 , m_sameOriginRequest(securityOrigin()->canRequest(request.url())) | 78 , m_sameOriginRequest(securityOrigin()->canRequest(request.url())) |
79 , m_simpleRequest(true) | 79 , m_simpleRequest(true) |
80 , m_async(blockingBehavior == LoadAsynchronously) | 80 , m_async(blockingBehavior == LoadAsynchronously) |
81 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) | 81 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) |
82 { | 82 { |
83 ASSERT(client); | 83 ASSERT(client); |
84 // Setting an outgoing referer is only supported in the async code path. | 84 // Setting an outgoing referer is only supported in the async code path. |
85 ASSERT(m_async || request.httpReferrer().isEmpty()); | 85 ASSERT(m_async || request.httpReferrer().isEmpty()); |
86 | 86 |
87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request | 87 // Save any CORS simple headers on the request here. If this request redirec ts cross-origin, we cancel the old request |
88 // create a new one, and copy these headers. | 88 // create a new one, and copy these headers. |
89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); | 89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); |
90 HTTPHeaderMap::const_iterator end = headerMap.end(); | 90 HTTPHeaderMap::const_iterator end = headerMap.end(); |
91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { | 91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { |
92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) | 92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) |
93 m_simpleRequestHeaders.add(it->key, it->value); | 93 m_simpleRequestHeaders.add(it->key, it->value); |
94 } | 94 } |
95 | 95 |
96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) { | 96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO riginRequests) { |
97 loadRequest(request); | 97 loadRequest(request, m_resourceLoaderOptions); |
98 return; | 98 return; |
99 } | 99 } |
100 | 100 |
101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { | 101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { |
102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported.")); | 102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url ().string(), "Cross origin requests are not supported.")); |
103 return; | 103 return; |
104 } | 104 } |
105 | 105 |
106 makeCrossOriginAccessRequest(request); | 106 makeCrossOriginAccessRequest(request); |
107 } | 107 } |
108 | 108 |
109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) | 109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) |
110 { | 110 { |
111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); | 111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); |
112 | 112 |
113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) { | 113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) { |
114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied. | 114 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied. |
115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) { | 115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) { |
116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP.")); | 116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP.")); |
117 return; | 117 return; |
118 } | 118 } |
119 | 119 |
120 ResourceRequest crossOriginRequest(request); | 120 ResourceRequest crossOriginRequest(request); |
121 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al lowCredentials); | 121 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); |
122 loadRequest(crossOriginRequest); | 122 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials()); |
123 loadRequest(crossOriginRequest, crossOriginOptions); | |
123 } else { | 124 } else { |
124 m_simpleRequest = false; | 125 m_simpleRequest = false; |
125 | 126 |
126 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); | 127 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); |
128 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions)); | |
127 // Do not set the Origin header for preflight requests. | 129 // Do not set the Origin header for preflight requests. |
128 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials ); | 130 updateRequestForAccessControl(*crossOriginRequest.get(), 0, effectiveAll owCredentials()); |
129 m_actualRequest = crossOriginRequest.release(); | 131 m_actualRequest = crossOriginRequest.release(); |
132 m_actualOptions = crossOriginOptions.release(); | |
130 | 133 |
131 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest ->httpMethod(), m_actualRequest->httpHeaderFields())) { | 134 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), effectiveAllowCredentials(), m_actu alRequest->httpMethod(), m_actualRequest->httpHeaderFields())) { |
132 loadActualRequest(); | 135 loadActualRequest(); |
133 } else { | 136 } else { |
134 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin()); | 137 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest.get(), securityOrigin()); |
135 loadRequest(preflightRequest); | 138 // Create a ResourceLoaderOptions for preflight. |
139 ResourceLoaderOptions preflightOptions = *m_actualOptions.get(); | |
140 preflightOptions.allowCredentials = DoNotAllowStoredCredentials; | |
141 loadRequest(preflightRequest, preflightOptions); | |
136 } | 142 } |
137 } | 143 } |
138 } | 144 } |
139 | 145 |
140 DocumentThreadableLoader::~DocumentThreadableLoader() | 146 DocumentThreadableLoader::~DocumentThreadableLoader() |
141 { | 147 { |
142 } | 148 } |
143 | 149 |
144 void DocumentThreadableLoader::cancel() | 150 void DocumentThreadableLoader::cancel() |
145 { | 151 { |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
194 // original request was not same-origin. | 200 // original request was not same-origin. |
195 if (m_options.crossOriginRequestPolicy == UseAccessControl) { | 201 if (m_options.crossOriginRequestPolicy == UseAccessControl) { |
196 | 202 |
197 InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.fram e(), resource->identifier(), m_document.frame()->loader().documentLoader(), redi rectResponse, 0); | 203 InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.fram e(), resource->identifier(), m_document.frame()->loader().documentLoader(), redi rectResponse, 0); |
198 | 204 |
199 bool allowRedirect = false; | 205 bool allowRedirect = false; |
200 String accessControlErrorDescription; | 206 String accessControlErrorDescription; |
201 | 207 |
202 if (m_simpleRequest) { | 208 if (m_simpleRequest) { |
203 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re quest.url(), accessControlErrorDescription) | 209 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re quest.url(), accessControlErrorDescription) |
204 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp onse, m_allowCredentials, securityOrigin(), accessControlErrorDescription)); | 210 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp onse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescripti on)); |
205 } else { | 211 } else { |
206 accessControlErrorDescription = "The request was redirected to '"+ r equest.url().string() + "', which is disallowed for cross-origin requests that r equire preflight."; | 212 accessControlErrorDescription = "The request was redirected to '"+ r equest.url().string() + "', which is disallowed for cross-origin requests that r equire preflight."; |
207 } | 213 } |
208 | 214 |
209 if (allowRedirect) { | 215 if (allowRedirect) { |
210 // FIXME: consider combining this with CORS redirect handling perfor med by | 216 // FIXME: consider combining this with CORS redirect handling perfor med by |
211 // CrossOriginAccessControl::handleRedirect(). | 217 // CrossOriginAccessControl::handleRedirect(). |
212 clearResource(); | 218 clearResource(); |
213 | 219 |
214 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url()); | 220 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url()); |
215 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url()); | 221 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url()); |
216 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin, | 222 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin, |
217 // set the source origin to a globally unique identifier. (If the or iginal request was same-origin, the origin of the new request | 223 // set the source origin to a globally unique identifier. (If the or iginal request was same-origin, the origin of the new request |
218 // should be the original URL origin.) | 224 // should be the original URL origin.) |
219 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(re questOrigin.get())) | 225 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(re questOrigin.get())) |
220 m_securityOrigin = SecurityOrigin::createUnique(); | 226 m_securityOrigin = SecurityOrigin::createUnique(); |
221 // Force any subsequent requests to use these checks. | 227 // Force any subsequent requests to use these checks. |
222 m_sameOriginRequest = false; | 228 m_sameOriginRequest = false; |
223 | 229 |
224 // Since the request is no longer same-origin, if the user didn't re quest credentials in | 230 // Since the request is no longer same-origin, if the user didn't re quest credentials in |
225 // the first place, update our state so we neither request them nor expect they must be allowed. | 231 // the first place, update our state so we neither request them nor expect they must be allowed. |
226 if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequ estCredentials) | 232 if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequ estCredentials) |
227 m_allowCredentials = DoNotAllowStoredCredentials; | 233 m_forceDoNotAllowStoredCredentials = true; |
228 | 234 |
229 // Remove any headers that may have been added by the network layer that cause access control to fail. | 235 // Remove any headers that may have been added by the network layer that cause access control to fail. |
230 request.clearHTTPReferrer(); | 236 request.clearHTTPReferrer(); |
231 request.clearHTTPOrigin(); | 237 request.clearHTTPOrigin(); |
232 request.clearHTTPUserAgent(); | 238 request.clearHTTPUserAgent(); |
233 // Add any CORS simple request headers which we previously saved fro m the original request. | 239 // Add any CORS simple request headers which we previously saved fro m the original request. |
234 HTTPHeaderMap::const_iterator end = m_simpleRequestHeaders.end(); | 240 HTTPHeaderMap::const_iterator end = m_simpleRequestHeaders.end(); |
235 for (HTTPHeaderMap::const_iterator it = m_simpleRequestHeaders.begin (); it != end; ++it) { | 241 for (HTTPHeaderMap::const_iterator it = m_simpleRequestHeaders.begin (); it != end; ++it) { |
236 request.setHTTPHeaderField(it->key, it->value); | 242 request.setHTTPHeaderField(it->key, it->value); |
237 } | 243 } |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
275 // cause the underlying ResourceLoader to be cancelled before it tells the i nspector about the response. | 281 // cause the underlying ResourceLoader to be cancelled before it tells the i nspector about the response. |
276 // In that case, if we don't tell the inspector about the response now, the resource type in the inspector | 282 // In that case, if we don't tell the inspector about the response now, the resource type in the inspector |
277 // will default to "other" instead of something more descriptive. | 283 // will default to "other" instead of something more descriptive. |
278 DocumentLoader* loader = m_document.frame()->loader().documentLoader(); | 284 DocumentLoader* loader = m_document.frame()->loader().documentLoader(); |
279 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "Resour ceReceiveResponse", "data", InspectorReceiveResponseEvent::data(identifier, m_do cument.frame(), response)); | 285 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "Resour ceReceiveResponse", "data", InspectorReceiveResponseEvent::data(identifier, m_do cument.frame(), response)); |
280 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeli ne migrates to tracing. | 286 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeli ne migrates to tracing. |
281 InspectorInstrumentation::didReceiveResourceResponse(m_document.frame(), ide ntifier, loader, response, resource() ? resource()->loader() : 0); | 287 InspectorInstrumentation::didReceiveResourceResponse(m_document.frame(), ide ntifier, loader, response, resource() ? resource()->loader() : 0); |
282 | 288 |
283 String accessControlErrorDescription; | 289 String accessControlErrorDescription; |
284 | 290 |
285 if (!passesAccessControlCheck(response, m_allowCredentials, securityOrigin() , accessControlErrorDescription)) { | 291 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securit yOrigin(), accessControlErrorDescription)) { |
286 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); | 292 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); |
287 return; | 293 return; |
288 } | 294 } |
289 | 295 |
290 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { | 296 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { |
291 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); | 297 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); |
292 return; | 298 return; |
293 } | 299 } |
294 | 300 |
295 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C rossOriginPreflightResultCacheItem(m_allowCredentials)); | 301 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C rossOriginPreflightResultCacheItem(effectiveAllowCredentials())); |
296 if (!preflightResult->parse(response, accessControlErrorDescription) | 302 if (!preflightResult->parse(response, accessControlErrorDescription) |
297 || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod (), accessControlErrorDescription) | 303 || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod (), accessControlErrorDescription) |
298 || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeade rFields(), accessControlErrorDescription)) { | 304 || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeade rFields(), accessControlErrorDescription)) { |
299 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); | 305 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); |
300 return; | 306 return; |
301 } | 307 } |
302 | 308 |
303 CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toSt ring(), m_actualRequest->url(), preflightResult.release()); | 309 CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toSt ring(), m_actualRequest->url(), preflightResult.release()); |
304 } | 310 } |
305 | 311 |
306 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const Re sourceResponse& response) | 312 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const Re sourceResponse& response) |
307 { | 313 { |
308 ASSERT(m_client); | 314 ASSERT(m_client); |
309 | 315 |
310 if (m_actualRequest) { | 316 if (m_actualRequest) { |
311 handlePreflightResponse(identifier, response); | 317 handlePreflightResponse(identifier, response); |
312 return; | 318 return; |
313 } | 319 } |
314 | 320 |
315 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC ontrol) { | 321 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC ontrol) { |
316 String accessControlErrorDescription; | 322 String accessControlErrorDescription; |
317 if (!passesAccessControlCheck(response, m_allowCredentials, securityOrig in(), accessControlErrorDescription)) { | 323 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), sec urityOrigin(), accessControlErrorDescription)) { |
318 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, response.url().string(), accessControlErrorDescription)); | 324 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, response.url().string(), accessControlErrorDescription)); |
319 return; | 325 return; |
320 } | 326 } |
321 } | 327 } |
322 | 328 |
323 m_client->didReceiveResponse(identifier, response); | 329 m_client->didReceiveResponse(identifier, response); |
324 } | 330 } |
325 | 331 |
326 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data , int dataLength) | 332 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data , int dataLength) |
327 { | 333 { |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
369 static const int timeoutError = -7; | 375 static const int timeoutError = -7; |
370 ResourceError error("net", timeoutError, resource()->url(), String()); | 376 ResourceError error("net", timeoutError, resource()->url(), String()); |
371 error.setIsTimeout(true); | 377 error.setIsTimeout(true); |
372 cancelWithError(error); | 378 cancelWithError(error); |
373 } | 379 } |
374 | 380 |
375 void DocumentThreadableLoader::loadActualRequest() | 381 void DocumentThreadableLoader::loadActualRequest() |
376 { | 382 { |
377 OwnPtr<ResourceRequest> actualRequest; | 383 OwnPtr<ResourceRequest> actualRequest; |
378 actualRequest.swap(m_actualRequest); | 384 actualRequest.swap(m_actualRequest); |
385 OwnPtr<ResourceLoaderOptions> actualOptions; | |
386 actualOptions.swap(m_actualOptions); | |
379 | 387 |
380 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); | 388 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); |
381 | 389 |
382 clearResource(); | 390 clearResource(); |
383 | 391 |
384 loadRequest(*actualRequest); | 392 loadRequest(*actualRequest.get(), *actualOptions.get()); |
Nate Chapin
2014/06/04 16:08:21
I think I lead you astray :(
The cases were we us
tyoshino (SeeGerritForStatus)
2014/06/05 02:10:49
Ah, ok. Reverted.
| |
385 } | 393 } |
386 | 394 |
387 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription) | 395 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S tring& errorDescription) |
388 { | 396 { |
389 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); | 397 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); |
390 | 398 |
391 // Prevent handleSuccessfulFinish() from bypassing access check. | 399 // Prevent handleSuccessfulFinish() from bypassing access check. |
392 m_actualRequest = nullptr; | 400 m_actualRequest = nullptr; |
393 | 401 |
394 m_client->didFailAccessControlCheck(error); | 402 m_client->didFailAccessControlCheck(error); |
395 } | 403 } |
396 | 404 |
397 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request) | 405 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Resou rceLoaderOptions resourceLoaderOptions) |
398 { | 406 { |
399 // Any credential should have been removed from the cross-site requests. | 407 // Any credential should have been removed from the cross-site requests. |
400 const KURL& requestURL = request.url(); | 408 const KURL& requestURL = request.url(); |
401 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); | 409 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); |
402 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); | 410 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); |
403 | 411 |
404 ResourceLoaderOptions resourceLoaderOptions = m_resourceLoaderOptions; | |
405 // Update resourceLoaderOptions with enforced values. | 412 // Update resourceLoaderOptions with enforced values. |
406 resourceLoaderOptions.allowCredentials = m_allowCredentials; | 413 if (m_forceDoNotAllowStoredCredentials) |
414 resourceLoaderOptions.allowCredentials = DoNotAllowStoredCredentials; | |
407 resourceLoaderOptions.securityOrigin = m_securityOrigin; | 415 resourceLoaderOptions.securityOrigin = m_securityOrigin; |
408 if (m_async) { | 416 if (m_async) { |
409 if (m_actualRequest) { | 417 if (m_actualRequest) { |
410 resourceLoaderOptions.sniffContent = DoNotSniffContent; | 418 resourceLoaderOptions.sniffContent = DoNotSniffContent; |
411 resourceLoaderOptions.dataBufferingPolicy = BufferData; | 419 resourceLoaderOptions.dataBufferingPolicy = BufferData; |
412 } | 420 } |
413 | 421 |
414 if (m_options.timeoutMilliseconds > 0) | 422 if (m_options.timeoutMilliseconds > 0) |
415 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE); | 423 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE); |
416 | 424 |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
472 return m_sameOriginRequest && securityOrigin()->canRequest(url); | 480 return m_sameOriginRequest && securityOrigin()->canRequest(url); |
473 } | 481 } |
474 | 482 |
475 bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const | 483 bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const |
476 { | 484 { |
477 if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective ) | 485 if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective ) |
478 return true; | 486 return true; |
479 return m_document.contentSecurityPolicy()->allowConnectToSource(url); | 487 return m_document.contentSecurityPolicy()->allowConnectToSource(url); |
480 } | 488 } |
481 | 489 |
490 StoredCredentials DocumentThreadableLoader::effectiveAllowCredentials() const | |
491 { | |
492 if (m_forceDoNotAllowStoredCredentials) | |
493 return DoNotAllowStoredCredentials; | |
494 return m_resourceLoaderOptions.allowCredentials; | |
495 } | |
496 | |
482 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 497 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
483 { | 498 { |
484 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); | 499 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); |
485 } | 500 } |
486 | 501 |
487 } // namespace WebCore | 502 } // namespace WebCore |
OLD | NEW |