
Side by Side Diff: Source/core/loader/DocumentThreadableLoader.cpp

Issue 389053003: Always report access control failure if accessing unsupported URL. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Include supported schemes in console error message Created 6 years, 5 months ago
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
104 return; 104 return;
105 } 105 }
106 106
107 makeCrossOriginAccessRequest(request); 107 makeCrossOriginAccessRequest(request);
108 } 108 }
109 109
110 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) 110 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request)
111 { 111 {
112 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); 112 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
113 113
114 // Cross-origin requests are only allowed certain registered schemes.
115 // We would catch this when checking response headers later, but there
116 // is no reason to send a request, preflighted or not, that's guaranteed
117 // to be denied.
118 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protoco l())) {
119 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIntern al, 0, request.url().string(), "Cross origin requests are only supported for pro tocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + "."));
120 return;
121 }
122
114 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) { 123 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.pref lightPolicy == PreventPreflight) {
115 // Cross-origin requests are only allowed for HTTP and registered scheme s. We would catch this when checking response headers later, but there is no rea son to send a request that's guaranteed to be denied.
116 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().pro tocol())) {
117 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));
118 return;
119 }
120
121 ResourceRequest crossOriginRequest(request); 124 ResourceRequest crossOriginRequest(request);
122 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); 125 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
123 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials()); 126 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials());
124 loadRequest(crossOriginRequest, crossOriginOptions); 127 loadRequest(crossOriginRequest, crossOriginOptions);
125 } else { 128 } else {
126 m_simpleRequest = false; 129 m_simpleRequest = false;
127 130
128 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); 131 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request));
129 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions)); 132 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions));
130 // Do not set the Origin header for preflight requests. 133 // Do not set the Origin header for preflight requests.
496 return DoNotAllowStoredCredentials; 499 return DoNotAllowStoredCredentials;
497 return m_resourceLoaderOptions.allowCredentials; 500 return m_resourceLoaderOptions.allowCredentials;
498 } 501 }
499 502
500 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const 503 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
501 { 504 {
502 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); 505 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin ();
503 } 506 }
504 507
505 } // namespace WebCore 508 } // namespace WebCore
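Review bot: The comment on new lines 114-117 of makeCrossOriginAccessRequest drops a word ("only allowed certain registered schemes") and does not say why the scheme check was hoisted above the preflight branch, which is the substance of the change: the failure is now reported for preflighted as well as simple requests, before any preflight or actual request leaves the loader. Suggest `// Cross-origin requests are only allowed for certain registered schemes. Check before choosing between a simple and a preflighted request so that neither is sent to a scheme that is guaranteed to be denied; the client is told via didFailAccessControlCheck instead.` The error is reported through a synchronous client callback followed by an immediate `return`; if, as with other loader client callbacks, the client may release this loader in response, nothing may touch members after that call, and a short `// The client may tear down this loader; do not touch members after this.` above the `return` would keep that invariant visible. The function body continues past the hunk, so the else branch handling preflighted requests is only partly visible here.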