Chromium Code Reviews Chromium Code Reviews
Issue 400903002:
Check that Service Workers are registered from secure origins. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2013 Google Inc. All rights reserved. | 2 * Copyright (C) 2013 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 87 RegistrationOptionList options(dictionary); | 87 RegistrationOptionList options(dictionary); |
| 88 ASSERT(RuntimeEnabledFeatures::serviceWorkerEnabled()); | 88 ASSERT(RuntimeEnabledFeatures::serviceWorkerEnabled()); |
| 89 RefPtr<ScriptPromiseResolver> resolver = ScriptPromiseResolver::create(scrip tState); | 89 RefPtr<ScriptPromiseResolver> resolver = ScriptPromiseResolver::create(scrip tState); |
| 90 ScriptPromise promise = resolver->promise(); | 90 ScriptPromise promise = resolver->promise(); |
| 91 | 91 |
| 92 if (!m_provider) { | 92 if (!m_provider) { |
| 93 resolver->reject(DOMException::create(InvalidStateError, "No associated provider is available")); | 93 resolver->reject(DOMException::create(InvalidStateError, "No associated provider is available")); |
| 94 return promise; | 94 return promise; |
| 95 } | 95 } |
| 96 | 96 |
| 97 // FIXME: This should use the container's execution context, not | |
| 98 // the callers. | |
| 97 ExecutionContext* executionContext = scriptState->executionContext(); | 99 ExecutionContext* executionContext = scriptState->executionContext(); |
| 98 RefPtr<SecurityOrigin> documentOrigin = executionContext->securityOrigin(); | 100 RefPtr<SecurityOrigin> documentOrigin = executionContext->securityOrigin(); |
| 101 if (!documentOrigin->canAccessFeatureRequiringSecureOrigin()) { | |
| 102 resolver->reject(DOMException::create(SecurityError, "Service Workers ar e only supported over secure origins.")); | |
| 103 return promise; | |
| 104 } | |
| 105 | |
| 99 KURL patternURL = executionContext->completeURL(options.scope); | 106 KURL patternURL = executionContext->completeURL(options.scope); |
| 100 patternURL.removeFragmentIdentifier(); | 107 patternURL.removeFragmentIdentifier(); |
| 101 if (!documentOrigin->canRequest(patternURL)) { | 108 if (!documentOrigin->canRequest(patternURL)) { |
| 102 resolver->reject(DOMException::create(SecurityError, "Can only register for patterns in the document's origin.")); | 109 resolver->reject(DOMException::create(SecurityError, "The scope must mat ch the current origin.")); |
| 103 return promise; | 110 return promise; |
| 104 } | 111 } |
| 105 | 112 |
| 106 KURL scriptURL = executionContext->completeURL(url); | 113 KURL scriptURL = executionContext->completeURL(url); |
| 107 scriptURL.removeFragmentIdentifier(); | 114 scriptURL.removeFragmentIdentifier(); |
| 108 if (!documentOrigin->canRequest(scriptURL)) { | 115 if (!documentOrigin->canRequest(scriptURL)) { |
| 109 resolver->reject(DOMException::create(SecurityError, "Script must be in document's origin.")); | 116 resolver->reject(DOMException::create(SecurityError, "The origin of the script must match the current origin.")); |
| 110 return promise; | 117 return promise; |
| 111 } | 118 } |
| 112 | 119 |
| 113 m_provider->registerServiceWorker(patternURL, scriptURL, new CallbackPromise Adapter<ServiceWorker, ServiceWorkerError>(resolver)); | 120 m_provider->registerServiceWorker(patternURL, scriptURL, new CallbackPromise Adapter<ServiceWorker, ServiceWorkerError>(resolver)); |
| 114 return promise; | 121 return promise; |
| 115 } | 122 } |
| 116 | 123 |
| 117 class UndefinedValue { | 124 class UndefinedValue { |
| 118 public: | 125 public: |
| 119 typedef WebServiceWorker WebType; | 126 typedef WebServiceWorker WebType; |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 131 { | 138 { |
| 132 ASSERT(RuntimeEnabledFeatures::serviceWorkerEnabled()); | 139 ASSERT(RuntimeEnabledFeatures::serviceWorkerEnabled()); |
| 133 RefPtr<ScriptPromiseResolver> resolver = ScriptPromiseResolver::create(scrip tState); | 140 RefPtr<ScriptPromiseResolver> resolver = ScriptPromiseResolver::create(scrip tState); |
| 134 ScriptPromise promise = resolver->promise(); | 141 ScriptPromise promise = resolver->promise(); |
| 135 | 142 |
| 136 if (!m_provider) { | 143 if (!m_provider) { |
| 137 resolver->reject(DOMException::create(InvalidStateError, "No associated provider is available")); | 144 resolver->reject(DOMException::create(InvalidStateError, "No associated provider is available")); |
| 138 return promise; | 145 return promise; |
| 139 } | 146 } |
| 140 | 147 |
| 148 // FIXME: This should use the container's execution context, not | |
| 149 // the callers. | |
| 141 RefPtr<SecurityOrigin> documentOrigin = scriptState->executionContext()->sec urityOrigin(); | 150 RefPtr<SecurityOrigin> documentOrigin = scriptState->executionContext()->sec urityOrigin(); |
| 151 if (!documentOrigin->canAccessFeatureRequiringSecureOrigin()) { | |
|
horo
2014/07/22 06:18:22
Why do you check it here?
I think we don't need to
| |
| 152 resolver->reject(DOMException::create(SecurityError, "Service Workers ar e only supported over secure origins.")); | |
| 153 return promise; | |
| 154 } | |
| 155 | |
| 142 KURL patternURL = scriptState->executionContext()->completeURL(pattern); | 156 KURL patternURL = scriptState->executionContext()->completeURL(pattern); |
| 143 patternURL.removeFragmentIdentifier(); | 157 patternURL.removeFragmentIdentifier(); |
| 144 if (!pattern.isEmpty() && !documentOrigin->canRequest(patternURL)) { | 158 if (!pattern.isEmpty() && !documentOrigin->canRequest(patternURL)) { |
| 145 resolver->reject(DOMException::create(SecurityError, "Can only unregiste r for patterns in the document's origin.")); | 159 resolver->reject(DOMException::create(SecurityError, "The scope must mat ch the current origin.")); |
| 146 return promise; | 160 return promise; |
| 147 } | 161 } |
| 148 | 162 |
| 149 m_provider->unregisterServiceWorker(patternURL, new CallbackPromiseAdapter<U ndefinedValue, ServiceWorkerError>(resolver)); | 163 m_provider->unregisterServiceWorker(patternURL, new CallbackPromiseAdapter<U ndefinedValue, ServiceWorkerError>(resolver)); |
| 150 return promise; | 164 return promise; |
| 151 } | 165 } |
| 152 | 166 |
| 153 PassRefPtrWillBeRawPtr<ServiceWorkerContainer::ReadyProperty> ServiceWorkerConta iner::createReadyProperty() | 167 PassRefPtrWillBeRawPtr<ServiceWorkerContainer::ReadyProperty> ServiceWorkerConta iner::createReadyProperty() |
| 154 { | 168 { |
| 155 return ReadyProperty::create(executionContext(), this, ReadyProperty::Ready) ; | 169 return ReadyProperty::create(executionContext(), this, ReadyProperty::Ready) ; |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 255 m_ready = createReadyProperty(); | 269 m_ready = createReadyProperty(); |
| 256 | 270 |
| 257 if (ServiceWorkerContainerClient* client = ServiceWorkerContainerClient::fro m(executionContext)) { | 271 if (ServiceWorkerContainerClient* client = ServiceWorkerContainerClient::fro m(executionContext)) { |
| 258 m_provider = client->provider(); | 272 m_provider = client->provider(); |
| 259 if (m_provider) | 273 if (m_provider) |
| 260 m_provider->setClient(this); | 274 m_provider->setClient(this); |
| 261 } | 275 } |
| 262 } | 276 } |
| 263 | 277 |
| 264 } // namespace blink | 278 } // namespace blink |
| OLD | NEW |
