| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 66 if (!loader->resource()) | 66 if (!loader->resource()) |
| 67 loader = nullptr; | 67 loader = nullptr; |
| 68 return loader.release(); | 68 return loader.release(); |
| 69 } | 69 } |
| 70 | 70 |
| 71 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl
eLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest&
request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& r
esourceLoaderOptions) | 71 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl
eLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest&
request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& r
esourceLoaderOptions) |
| 72 : m_client(client) | 72 : m_client(client) |
| 73 , m_document(document) | 73 , m_document(document) |
| 74 , m_options(options) | 74 , m_options(options) |
| 75 , m_resourceLoaderOptions(resourceLoaderOptions) | 75 , m_resourceLoaderOptions(resourceLoaderOptions) |
| 76 , m_allowCredentials(m_resourceLoaderOptions.allowCredentials) | 76 , m_forceDoNotAllowStoredCredentials(false) |
| 77 , m_securityOrigin(m_resourceLoaderOptions.securityOrigin) | 77 , m_securityOrigin(m_resourceLoaderOptions.securityOrigin) |
| 78 , m_sameOriginRequest(securityOrigin()->canRequest(request.url())) | 78 , m_sameOriginRequest(securityOrigin()->canRequest(request.url())) |
| 79 , m_simpleRequest(true) | 79 , m_simpleRequest(true) |
| 80 , m_async(blockingBehavior == LoadAsynchronously) | 80 , m_async(blockingBehavior == LoadAsynchronously) |
| 81 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) | 81 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout) |
| 82 { | 82 { |
| 83 ASSERT(client); | 83 ASSERT(client); |
| 84 // Setting an outgoing referer is only supported in the async code path. | 84 // Setting an outgoing referer is only supported in the async code path. |
| 85 ASSERT(m_async || request.httpReferrer().isEmpty()); | 85 ASSERT(m_async || request.httpReferrer().isEmpty()); |
| 86 | 86 |
| 87 // Save any CORS simple headers on the request here. If this request redirec
ts cross-origin, we cancel the old request | 87 // Save any CORS simple headers on the request here. If this request redirec
ts cross-origin, we cancel the old request |
| 88 // create a new one, and copy these headers. | 88 // create a new one, and copy these headers. |
| 89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); | 89 const HTTPHeaderMap& headerMap = request.httpHeaderFields(); |
| 90 HTTPHeaderMap::const_iterator end = headerMap.end(); | 90 HTTPHeaderMap::const_iterator end = headerMap.end(); |
| 91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it)
{ | 91 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it)
{ |
| 92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) | 92 if (isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) |
| 93 m_simpleRequestHeaders.add(it->key, it->value); | 93 m_simpleRequestHeaders.add(it->key, it->value); |
| 94 } | 94 } |
| 95 | 95 |
| 96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO
riginRequests) { | 96 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossO
riginRequests) { |
| 97 loadRequest(request); | 97 loadRequest(request, m_resourceLoaderOptions); |
| 98 return; | 98 return; |
| 99 } | 99 } |
| 100 | 100 |
| 101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { | 101 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) { |
| 102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url
().string(), "Cross origin requests are not supported.")); | 102 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url
().string(), "Cross origin requests are not supported.")); |
| 103 return; | 103 return; |
| 104 } | 104 } |
| 105 | 105 |
| 106 makeCrossOriginAccessRequest(request); | 106 makeCrossOriginAccessRequest(request); |
| 107 } | 107 } |
| 108 | 108 |
| 109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
t& request) | 109 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
t& request) |
| 110 { | 110 { |
| 111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); | 111 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); |
| 112 | 112 |
| 113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc
cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref
lightPolicy == PreventPreflight) { | 113 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc
cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref
lightPolicy == PreventPreflight) { |
| 114 // Cross-origin requests are only allowed for HTTP and registered scheme
s. We would catch this when checking response headers later, but there is no rea
son to send a request that's guaranteed to be denied. | 114 // Cross-origin requests are only allowed for HTTP and registered scheme
s. We would catch this when checking response headers later, but there is no rea
son to send a request that's guaranteed to be denied. |
| 115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro
tocol())) { | 115 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro
tocol())) { |
| 116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn
ternal, 0, request.url().string(), "Cross origin requests are only supported for
HTTP.")); | 116 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn
ternal, 0, request.url().string(), "Cross origin requests are only supported for
HTTP.")); |
| 117 return; | 117 return; |
| 118 } | 118 } |
| 119 | 119 |
| 120 ResourceRequest crossOriginRequest(request); | 120 ResourceRequest crossOriginRequest(request); |
| 121 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), m_al
lowCredentials); | 121 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); |
| 122 loadRequest(crossOriginRequest); | 122 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe
ctiveAllowCredentials()); |
| 123 loadRequest(crossOriginRequest, crossOriginOptions); |
| 123 } else { | 124 } else { |
| 124 m_simpleRequest = false; | 125 m_simpleRequest = false; |
| 125 | 126 |
| 126 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques
t(request)); | 127 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques
t(request)); |
| 128 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource
LoaderOptions(m_resourceLoaderOptions)); |
| 127 // Do not set the Origin header for preflight requests. | 129 // Do not set the Origin header for preflight requests. |
| 128 updateRequestForAccessControl(*crossOriginRequest, 0, m_allowCredentials
); | 130 updateRequestForAccessControl(*crossOriginRequest, 0, effectiveAllowCred
entials()); |
| 129 m_actualRequest = crossOriginRequest.release(); | 131 m_actualRequest = crossOriginRequest.release(); |
| 132 m_actualOptions = crossOriginOptions.release(); |
| 130 | 133 |
| 131 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO
rigin()->toString(), m_actualRequest->url(), m_allowCredentials, m_actualRequest
->httpMethod(), m_actualRequest->httpHeaderFields())) { | 134 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO
rigin()->toString(), m_actualRequest->url(), effectiveAllowCredentials(), m_actu
alRequest->httpMethod(), m_actualRequest->httpHeaderFields())) { |
| 132 loadActualRequest(); | 135 loadActualRequest(); |
| 133 } else { | 136 } else { |
| 134 ResourceRequest preflightRequest = createAccessControlPreflightReque
st(*m_actualRequest, securityOrigin()); | 137 ResourceRequest preflightRequest = createAccessControlPreflightReque
st(*m_actualRequest, securityOrigin()); |
| 135 loadRequest(preflightRequest); | 138 // Create a ResourceLoaderOptions for preflight. |
| 139 ResourceLoaderOptions preflightOptions = *m_actualOptions; |
| 140 preflightOptions.allowCredentials = DoNotAllowStoredCredentials; |
| 141 loadRequest(preflightRequest, preflightOptions); |
| 136 } | 142 } |
| 137 } | 143 } |
| 138 } | 144 } |
| 139 | 145 |
| 140 DocumentThreadableLoader::~DocumentThreadableLoader() | 146 DocumentThreadableLoader::~DocumentThreadableLoader() |
| 141 { | 147 { |
| 142 } | 148 } |
| 143 | 149 |
| 144 void DocumentThreadableLoader::cancel() | 150 void DocumentThreadableLoader::cancel() |
| 145 { | 151 { |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 194 // original request was not same-origin. | 200 // original request was not same-origin. |
| 195 if (m_options.crossOriginRequestPolicy == UseAccessControl) { | 201 if (m_options.crossOriginRequestPolicy == UseAccessControl) { |
| 196 | 202 |
| 197 InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.fram
e(), resource->identifier(), m_document.frame()->loader().documentLoader(), redi
rectResponse, 0); | 203 InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.fram
e(), resource->identifier(), m_document.frame()->loader().documentLoader(), redi
rectResponse, 0); |
| 198 | 204 |
| 199 bool allowRedirect = false; | 205 bool allowRedirect = false; |
| 200 String accessControlErrorDescription; | 206 String accessControlErrorDescription; |
| 201 | 207 |
| 202 if (m_simpleRequest) { | 208 if (m_simpleRequest) { |
| 203 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re
quest.url(), accessControlErrorDescription) | 209 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re
quest.url(), accessControlErrorDescription) |
| 204 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp
onse, m_allowCredentials, securityOrigin(), accessControlErrorDescription)); | 210 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp
onse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescripti
on)); |
| 205 } else { | 211 } else { |
| 206 accessControlErrorDescription = "The request was redirected to '"+ r
equest.url().string() + "', which is disallowed for cross-origin requests that r
equire preflight."; | 212 accessControlErrorDescription = "The request was redirected to '"+ r
equest.url().string() + "', which is disallowed for cross-origin requests that r
equire preflight."; |
| 207 } | 213 } |
| 208 | 214 |
| 209 if (allowRedirect) { | 215 if (allowRedirect) { |
| 210 // FIXME: consider combining this with CORS redirect handling perfor
med by | 216 // FIXME: consider combining this with CORS redirect handling perfor
med by |
| 211 // CrossOriginAccessControl::handleRedirect(). | 217 // CrossOriginAccessControl::handleRedirect(). |
| 212 clearResource(); | 218 clearResource(); |
| 213 | 219 |
| 214 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir
ectResponse.url()); | 220 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir
ectResponse.url()); |
| 215 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques
t.url()); | 221 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques
t.url()); |
| 216 // If the original request wasn't same-origin, then if the request U
RL origin is not same origin with the original URL origin, | 222 // If the original request wasn't same-origin, then if the request U
RL origin is not same origin with the original URL origin, |
| 217 // set the source origin to a globally unique identifier. (If the or
iginal request was same-origin, the origin of the new request | 223 // set the source origin to a globally unique identifier. (If the or
iginal request was same-origin, the origin of the new request |
| 218 // should be the original URL origin.) | 224 // should be the original URL origin.) |
| 219 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(re
questOrigin.get())) | 225 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(re
questOrigin.get())) |
| 220 m_securityOrigin = SecurityOrigin::createUnique(); | 226 m_securityOrigin = SecurityOrigin::createUnique(); |
| 221 // Force any subsequent requests to use these checks. | 227 // Force any subsequent requests to use these checks. |
| 222 m_sameOriginRequest = false; | 228 m_sameOriginRequest = false; |
| 223 | 229 |
| 224 // Since the request is no longer same-origin, if the user didn't re
quest credentials in | 230 // Since the request is no longer same-origin, if the user didn't re
quest credentials in |
| 225 // the first place, update our state so we neither request them nor
expect they must be allowed. | 231 // the first place, update our state so we neither request them nor
expect they must be allowed. |
| 226 if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequ
estCredentials) | 232 if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequ
estCredentials) |
| 227 m_allowCredentials = DoNotAllowStoredCredentials; | 233 m_forceDoNotAllowStoredCredentials = true; |
| 228 | 234 |
| 229 // Remove any headers that may have been added by the network layer
that cause access control to fail. | 235 // Remove any headers that may have been added by the network layer
that cause access control to fail. |
| 230 request.clearHTTPReferrer(); | 236 request.clearHTTPReferrer(); |
| 231 request.clearHTTPOrigin(); | 237 request.clearHTTPOrigin(); |
| 232 request.clearHTTPUserAgent(); | 238 request.clearHTTPUserAgent(); |
| 233 // Add any CORS simple request headers which we previously saved fro
m the original request. | 239 // Add any CORS simple request headers which we previously saved fro
m the original request. |
| 234 HTTPHeaderMap::const_iterator end = m_simpleRequestHeaders.end(); | 240 HTTPHeaderMap::const_iterator end = m_simpleRequestHeaders.end(); |
| 235 for (HTTPHeaderMap::const_iterator it = m_simpleRequestHeaders.begin
(); it != end; ++it) { | 241 for (HTTPHeaderMap::const_iterator it = m_simpleRequestHeaders.begin
(); it != end; ++it) { |
| 236 request.setHTTPHeaderField(it->key, it->value); | 242 request.setHTTPHeaderField(it->key, it->value); |
| 237 } | 243 } |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 275 // cause the underlying ResourceLoader to be cancelled before it tells the i
nspector about the response. | 281 // cause the underlying ResourceLoader to be cancelled before it tells the i
nspector about the response. |
| 276 // In that case, if we don't tell the inspector about the response now, the
resource type in the inspector | 282 // In that case, if we don't tell the inspector about the response now, the
resource type in the inspector |
| 277 // will default to "other" instead of something more descriptive. | 283 // will default to "other" instead of something more descriptive. |
| 278 DocumentLoader* loader = m_document.frame()->loader().documentLoader(); | 284 DocumentLoader* loader = m_document.frame()->loader().documentLoader(); |
| 279 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "Resour
ceReceiveResponse", "data", InspectorReceiveResponseEvent::data(identifier, m_do
cument.frame(), response)); | 285 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "Resour
ceReceiveResponse", "data", InspectorReceiveResponseEvent::data(identifier, m_do
cument.frame(), response)); |
| 280 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeli
ne migrates to tracing. | 286 // FIXME(361045): remove InspectorInstrumentation calls once DevTools Timeli
ne migrates to tracing. |
| 281 InspectorInstrumentation::didReceiveResourceResponse(m_document.frame(), ide
ntifier, loader, response, resource() ? resource()->loader() : 0); | 287 InspectorInstrumentation::didReceiveResourceResponse(m_document.frame(), ide
ntifier, loader, response, resource() ? resource()->loader() : 0); |
| 282 | 288 |
| 283 String accessControlErrorDescription; | 289 String accessControlErrorDescription; |
| 284 | 290 |
| 285 if (!passesAccessControlCheck(response, m_allowCredentials, securityOrigin()
, accessControlErrorDescription)) { | 291 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securit
yOrigin(), accessControlErrorDescription)) { |
| 286 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); | 292 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); |
| 287 return; | 293 return; |
| 288 } | 294 } |
| 289 | 295 |
| 290 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { | 296 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { |
| 291 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); | 297 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); |
| 292 return; | 298 return; |
| 293 } | 299 } |
| 294 | 300 |
| 295 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C
rossOriginPreflightResultCacheItem(m_allowCredentials)); | 301 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C
rossOriginPreflightResultCacheItem(effectiveAllowCredentials())); |
| 296 if (!preflightResult->parse(response, accessControlErrorDescription) | 302 if (!preflightResult->parse(response, accessControlErrorDescription) |
| 297 || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod
(), accessControlErrorDescription) | 303 || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod
(), accessControlErrorDescription) |
| 298 || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeade
rFields(), accessControlErrorDescription)) { | 304 || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeade
rFields(), accessControlErrorDescription)) { |
| 299 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); | 305 handlePreflightFailure(response.url().string(), accessControlErrorDescri
ption); |
| 300 return; | 306 return; |
| 301 } | 307 } |
| 302 | 308 |
| 303 CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toSt
ring(), m_actualRequest->url(), preflightResult.release()); | 309 CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toSt
ring(), m_actualRequest->url(), preflightResult.release()); |
| 304 } | 310 } |
| 305 | 311 |
| 306 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const Re
sourceResponse& response) | 312 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const Re
sourceResponse& response) |
| 307 { | 313 { |
| 308 ASSERT(m_client); | 314 ASSERT(m_client); |
| 309 | 315 |
| 310 if (m_actualRequest) { | 316 if (m_actualRequest) { |
| 311 handlePreflightResponse(identifier, response); | 317 handlePreflightResponse(identifier, response); |
| 312 return; | 318 return; |
| 313 } | 319 } |
| 314 | 320 |
| 315 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC
ontrol) { | 321 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC
ontrol) { |
| 316 String accessControlErrorDescription; | 322 String accessControlErrorDescription; |
| 317 if (!passesAccessControlCheck(response, m_allowCredentials, securityOrig
in(), accessControlErrorDescription)) { | 323 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), sec
urityOrigin(), accessControlErrorDescription)) { |
| 318 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn
ternal, 0, response.url().string(), accessControlErrorDescription)); | 324 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn
ternal, 0, response.url().string(), accessControlErrorDescription)); |
| 319 return; | 325 return; |
| 320 } | 326 } |
| 321 } | 327 } |
| 322 | 328 |
| 323 m_client->didReceiveResponse(identifier, response); | 329 m_client->didReceiveResponse(identifier, response); |
| 324 } | 330 } |
| 325 | 331 |
| 326 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data
, int dataLength) | 332 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data
, int dataLength) |
| 327 { | 333 { |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 369 static const int timeoutError = -7; | 375 static const int timeoutError = -7; |
| 370 ResourceError error("net", timeoutError, resource()->url(), String()); | 376 ResourceError error("net", timeoutError, resource()->url(), String()); |
| 371 error.setIsTimeout(true); | 377 error.setIsTimeout(true); |
| 372 cancelWithError(error); | 378 cancelWithError(error); |
| 373 } | 379 } |
| 374 | 380 |
| 375 void DocumentThreadableLoader::loadActualRequest() | 381 void DocumentThreadableLoader::loadActualRequest() |
| 376 { | 382 { |
| 377 OwnPtr<ResourceRequest> actualRequest; | 383 OwnPtr<ResourceRequest> actualRequest; |
| 378 actualRequest.swap(m_actualRequest); | 384 actualRequest.swap(m_actualRequest); |
| 385 OwnPtr<ResourceLoaderOptions> actualOptions; |
| 386 actualOptions.swap(m_actualOptions); |
| 379 | 387 |
| 380 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); | 388 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString()); |
| 381 | 389 |
| 382 clearResource(); | 390 clearResource(); |
| 383 | 391 |
| 384 loadRequest(*actualRequest); | 392 loadRequest(*actualRequest, *actualOptions); |
| 385 } | 393 } |
| 386 | 394 |
| 387 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S
tring& errorDescription) | 395 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const S
tring& errorDescription) |
| 388 { | 396 { |
| 389 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); | 397 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription); |
| 390 | 398 |
| 391 // Prevent handleSuccessfulFinish() from bypassing access check. | 399 // Prevent handleSuccessfulFinish() from bypassing access check. |
| 392 m_actualRequest = nullptr; | 400 m_actualRequest = nullptr; |
| 393 | 401 |
| 394 m_client->didFailAccessControlCheck(error); | 402 m_client->didFailAccessControlCheck(error); |
| 395 } | 403 } |
| 396 | 404 |
| 397 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request) | 405 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, Resou
rceLoaderOptions resourceLoaderOptions) |
| 398 { | 406 { |
| 399 // Any credential should have been removed from the cross-site requests. | 407 // Any credential should have been removed from the cross-site requests. |
| 400 const KURL& requestURL = request.url(); | 408 const KURL& requestURL = request.url(); |
| 401 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); | 409 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); |
| 402 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); | 410 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); |
| 403 | 411 |
| 404 ResourceLoaderOptions resourceLoaderOptions = m_resourceLoaderOptions; | |
| 405 // Update resourceLoaderOptions with enforced values. | 412 // Update resourceLoaderOptions with enforced values. |
| 406 resourceLoaderOptions.allowCredentials = m_allowCredentials; | 413 if (m_forceDoNotAllowStoredCredentials) |
| 414 resourceLoaderOptions.allowCredentials = DoNotAllowStoredCredentials; |
| 407 resourceLoaderOptions.securityOrigin = m_securityOrigin; | 415 resourceLoaderOptions.securityOrigin = m_securityOrigin; |
| 408 if (m_async) { | 416 if (m_async) { |
| 409 if (m_actualRequest) { | 417 if (m_actualRequest) { |
| 410 resourceLoaderOptions.sniffContent = DoNotSniffContent; | 418 resourceLoaderOptions.sniffContent = DoNotSniffContent; |
| 411 resourceLoaderOptions.dataBufferingPolicy = BufferData; | 419 resourceLoaderOptions.dataBufferingPolicy = BufferData; |
| 412 } | 420 } |
| 413 | 421 |
| 414 if (m_options.timeoutMilliseconds > 0) | 422 if (m_options.timeoutMilliseconds > 0) |
| 415 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0,
FROM_HERE); | 423 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0,
FROM_HERE); |
| 416 | 424 |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 472 return m_sameOriginRequest && securityOrigin()->canRequest(url); | 480 return m_sameOriginRequest && securityOrigin()->canRequest(url); |
| 473 } | 481 } |
| 474 | 482 |
| 475 bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const | 483 bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const |
| 476 { | 484 { |
| 477 if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective
) | 485 if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective
) |
| 478 return true; | 486 return true; |
| 479 return m_document.contentSecurityPolicy()->allowConnectToSource(url); | 487 return m_document.contentSecurityPolicy()->allowConnectToSource(url); |
| 480 } | 488 } |
| 481 | 489 |
| 490 StoredCredentials DocumentThreadableLoader::effectiveAllowCredentials() const |
| 491 { |
| 492 if (m_forceDoNotAllowStoredCredentials) |
| 493 return DoNotAllowStoredCredentials; |
| 494 return m_resourceLoaderOptions.allowCredentials; |
| 495 } |
| 496 |
| 482 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 497 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
| 483 { | 498 { |
| 484 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin
(); | 499 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin
(); |
| 485 } | 500 } |
| 486 | 501 |
| 487 } // namespace WebCore | 502 } // namespace WebCore |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 312653002:
ResourceLoaderOptions also must be updated by updateRequestForAccessControl() (Closed)
Base URL: svn://svn.chromium.org/blink/trunk