Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(967)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 398313002: Teach ContentSecurityPolicy about WebURLRequest::RequestContext. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: UseCounter Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/fetch/ResourceFetcher.h ('k') | Source/core/frame/UseCounter.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/fetch/ResourceFetcher.cpp
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp
index 3bd9550a71935ed145041bc6ca7088ad3d98d5df..6b2bfe97fc9e3b61441668040af29eb7048911f6 100644
--- a/Source/core/fetch/ResourceFetcher.cpp
+++ b/Source/core/fetch/ResourceFetcher.cpp
@@ -68,7 +68,6 @@
#include "platform/weborigin/SecurityPolicy.h"
#include "public/platform/Platform.h"
#include "public/platform/WebURL.h"
-#include "public/platform/WebURLRequest.h"
#include "wtf/text/CString.h"
#include "wtf/text/WTFString.h"
@@ -285,10 +284,11 @@ ResourcePtr<Resource> ResourceFetcher::fetchSynchronously(FetchRequest& request)
ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request)
{
+ request.mutableResourceRequest().setRequestContext(WebURLRequest::RequestContextImage);
if (LocalFrame* f = frame()) {
if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDismissal) {
KURL requestURL = request.resourceRequest().url();
- if (requestURL.isValid() && canRequest(Resource::Image, requestURL, request.options(), request.forPreload(), request.originRestriction()))
+ if (requestURL.isValid() && canRequest(Resource::Image, WebURLRequest::RequestContextPing, requestURL, request.options(), request.forPreload(), request.originRestriction()))
PingLoader::loadImage(f, requestURL);
return 0;
}
@@ -504,8 +504,9 @@ bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url,
return true;
}
-bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
+bool ResourceFetcher::canRequest(Resource::Type type, WebURLRequest::RequestContext requestContext, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
{
+ ASSERT(requestContext != blink::WebURLRequest::RequestContextUnspecified);
SecurityOrigin* securityOrigin = options.securityOrigin.get();
if (!securityOrigin && document())
securityOrigin = document()->securityOrigin();
@@ -556,25 +557,10 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
- // m_document can be null, but not in any of the cases where csp is actually used below.
- // ImageResourceTest.MultipartImage crashes w/o the m_document null check.
- // I believe it's the Resource::Raw case.
- const ContentSecurityPolicy* csp = m_document ? m_document->contentSecurityPolicy() : nullptr;
-
- // FIXME: This would be cleaner if moved this switch into an allowFromSource()
- // helper on this object which took a Resource::Type, then this block would
- // collapse to about 10 lines for handling Raw and Script special cases.
- switch (type) {
- case Resource::XSLStyleSheet:
- ASSERT(RuntimeEnabledFeatures::xsltEnabled());
- if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
- return false;
- break;
- case Resource::Script:
- case Resource::ImportResource:
- if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
- return false;
+ if (!shouldBypassMainWorldCSP && m_document && !m_document->contentSecurityPolicy()->allowFromSource(url, requestContext, cspReporting))
+ return false;
+ if (type == Resource::Script || type == Resource::ImportResource) {
if (frame()) {
Settings* settings = frame()->settings();
if (!frame()->loader().client()->allowScriptFromSource(!settings || settings->scriptEnabled(), url)) {
@@ -582,36 +568,13 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
return false;
}
}
- break;
- case Resource::CSSStyleSheet:
- if (!shouldBypassMainWorldCSP && !csp->allowStyleFromSource(url, cspReporting))
- return false;
- break;
- case Resource::SVGDocument:
- case Resource::Image:
- if (!shouldBypassMainWorldCSP && !csp->allowImageFromSource(url, cspReporting))
- return false;
- break;
- case Resource::Font: {
- if (!shouldBypassMainWorldCSP && !csp->allowFontFromSource(url, cspReporting))
- return false;
- break;
}
- case Resource::MainResource:
- case Resource::Raw:
- case Resource::LinkPrefetch:
- case Resource::LinkSubresource:
- break;
- case Resource::Media:
- case Resource::TextTrack:
- if (!shouldBypassMainWorldCSP && !csp->allowMediaFromSource(url, cspReporting))
- return false;
+ if (type == Resource::Media || type == Resource::TextTrack) {
if (frame()) {
if (!frame()->loader().client()->allowMedia(url))
return false;
}
- break;
}
// SVG Images have unique security rules that prevent all subresource requests
@@ -635,7 +598,7 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sourceOrigin, const KURL& url) const
{
// Redirects can change the response URL different from one of request.
- if (!canRequest(resource->type(), url, resource->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
+ if (!canRequest(resource->type(), resource->resourceRequest().requestContext(), url, resource->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
return false;
if (!sourceOrigin && document())
@@ -715,7 +678,7 @@ ResourcePtr<Resource> ResourceFetcher::requestResource(Resource::Type type, Fetc
if (!url.isValid())
return 0;
- if (!canRequest(type, url, request.options(), request.forPreload(), request.originRestriction()))
+ if (!canRequest(type, request.resourceRequest().requestContext(), url, request.options(), request.forPreload(), request.originRestriction()))
return 0;
if (LocalFrame* f = frame())
@@ -1422,7 +1385,7 @@ bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const
bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)
{
- if (!canRequest(resource->type(), request.url(), options, resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
+ if (!canRequest(resource->type(), request.requestContext(), request.url(), options, resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
return false;
if (options.corsEnabled == IsCORSEnabled) {
SecurityOrigin* sourceOrigin = options.securityOrigin.get();
« no previous file with comments | « Source/core/fetch/ResourceFetcher.h ('k') | Source/core/frame/UseCounter.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698