OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
7 * met: | 7 * met: |
8 * | 8 * |
9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
(...skipping 93 matching lines...)
104 return; | 104 return; |
105 } | 105 } |
106 | 106 |
107 makeCrossOriginAccessRequest(request); | 107 makeCrossOriginAccessRequest(request); |
108 } | 108 } |
109 | 109 |
110 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
t& request) | 110 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
t& request) |
111 { | 111 { |
112 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); | 112 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); |
113 | 113 |
| 114 // Cross-origin requests are only allowed certain registered schemes. |
| 115 // We would catch this when checking response headers later, but there |
| 116 // is no reason to send a request, preflighted or not, that's guaranteed |
| 117 // to be denied. |
| 118 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protoco
l())) { |
| 119 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIntern
al, 0, request.url().string(), "Cross origin requests are only supported for pro
tocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + ".")); |
| 120 return; |
| 121 } |
| 122 |
114 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc
cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref
lightPolicy == PreventPreflight) { | 123 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc
cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref
lightPolicy == PreventPreflight) { |
115 // Cross-origin requests are only allowed for HTTP and registered scheme
s. We would catch this when checking response headers later, but there is no rea
son to send a request that's guaranteed to be denied. | |
116 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro
tocol())) { | |
117 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn
ternal, 0, request.url().string(), "Cross origin requests are only supported for
HTTP.")); | |
118 return; | |
119 } | |
120 | |
121 ResourceRequest crossOriginRequest(request); | 124 ResourceRequest crossOriginRequest(request); |
122 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); | 125 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); |
123 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe
ctiveAllowCredentials()); | 126 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe
ctiveAllowCredentials()); |
124 loadRequest(crossOriginRequest, crossOriginOptions); | 127 loadRequest(crossOriginRequest, crossOriginOptions); |
125 } else { | 128 } else { |
126 m_simpleRequest = false; | 129 m_simpleRequest = false; |
127 | 130 |
128 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques
t(request)); | 131 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques
t(request)); |
129 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource
LoaderOptions(m_resourceLoaderOptions)); | 132 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource
LoaderOptions(m_resourceLoaderOptions)); |
130 // Do not set the Origin header for preflight requests. | 133 // Do not set the Origin header for preflight requests. |
(...skipping 365 matching lines...)
496 return DoNotAllowStoredCredentials; | 499 return DoNotAllowStoredCredentials; |
497 return m_resourceLoaderOptions.allowCredentials; | 500 return m_resourceLoaderOptions.allowCredentials; |
498 } | 501 } |
499 | 502 |
500 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 503 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
501 { | 504 { |
502 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin
(); | 505 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin
(); |
503 } | 506 } |
504 | 507 |
505 } // namespace WebCore | 508 } // namespace WebCore |
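Review bot: The comment added above the scheme check (new line 114 in makeCrossOriginAccessRequest) is missing a word; it should read `// Cross-origin requests are only allowed for certain registered schemes.`. Because the `shouldTreatURLSchemeAsCORSEnabled` gate now sits ahead of the preflight branch, non-simple requests are rejected before any preflight is sent. A test that issues a preflighted request to a non-CORS-enabled scheme and expects `didFailAccessControlCheck` would pin that behaviour; none is visible on this page. The error text now embeds `SchemeRegistry::listOfCORSEnabledURLSchemes()`, which presumably includes embedder-registered schemes, so it is worth confirming the message reaches only the developer console and not script-visible state. The function body continues past the lines shown here.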
OLD | NEW |