Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(335)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: trunk/Source/core/fetch/ResourceFetcher.cpp

Issue 418783002: Revert 178571 "Teach ContentSecurityPolicy about WebURLRequest::..." (Closed) Base URL: svn://svn.chromium.org/blink/
Patch Set: Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « trunk/Source/core/fetch/ResourceFetcher.h ('k') | trunk/Source/core/frame/UseCounter.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: trunk/Source/core/fetch/ResourceFetcher.cpp
===================================================================
--- trunk/Source/core/fetch/ResourceFetcher.cpp (revision 178796)
+++ trunk/Source/core/fetch/ResourceFetcher.cpp (working copy)
@@ -68,6 +68,7 @@
#include "platform/weborigin/SecurityPolicy.h"
#include "public/platform/Platform.h"
#include "public/platform/WebURL.h"
+#include "public/platform/WebURLRequest.h"
#include "wtf/text/CString.h"
#include "wtf/text/WTFString.h"
@@ -284,11 +285,10 @@
ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request)
{
- request.mutableResourceRequest().setRequestContext(WebURLRequest::RequestContextImage);
if (LocalFrame* f = frame()) {
if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDismissal) {
KURL requestURL = request.resourceRequest().url();
- if (requestURL.isValid() && canRequest(Resource::Image, WebURLRequest::RequestContextPing, requestURL, request.options(), request.forPreload(), request.originRestriction()))
+ if (requestURL.isValid() && canRequest(Resource::Image, requestURL, request.options(), request.forPreload(), request.originRestriction()))
PingLoader::loadImage(f, requestURL);
return 0;
}
@@ -504,9 +504,8 @@
return true;
}
-bool ResourceFetcher::canRequest(Resource::Type type, WebURLRequest::RequestContext requestContext, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
+bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
{
- ASSERT(requestContext != blink::WebURLRequest::RequestContextUnspecified);
SecurityOrigin* securityOrigin = options.securityOrigin.get();
if (!securityOrigin && document())
securityOrigin = document()->securityOrigin();
@@ -557,10 +556,25 @@
ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
- if (!shouldBypassMainWorldCSP && m_document && !m_document->contentSecurityPolicy()->allowFromSource(url, requestContext, cspReporting))
- return false;
+ // m_document can be null, but not in any of the cases where csp is actually used below.
+ // ImageResourceTest.MultipartImage crashes w/o the m_document null check.
+ // I believe it's the Resource::Raw case.
+ const ContentSecurityPolicy* csp = m_document ? m_document->contentSecurityPolicy() : nullptr;
- if (type == Resource::Script || type == Resource::ImportResource) {
+ // FIXME: This would be cleaner if moved this switch into an allowFromSource()
+ // helper on this object which took a Resource::Type, then this block would
+ // collapse to about 10 lines for handling Raw and Script special cases.
+ switch (type) {
+ case Resource::XSLStyleSheet:
+ ASSERT(RuntimeEnabledFeatures::xsltEnabled());
+ if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
+ return false;
+ break;
+ case Resource::Script:
+ case Resource::ImportResource:
+ if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
+ return false;
+
if (frame()) {
Settings* settings = frame()->settings();
if (!frame()->loader().client()->allowScriptFromSource(!settings || settings->scriptEnabled(), url)) {
@@ -568,13 +582,36 @@
return false;
}
}
+ break;
+ case Resource::CSSStyleSheet:
+ if (!shouldBypassMainWorldCSP && !csp->allowStyleFromSource(url, cspReporting))
+ return false;
+ break;
+ case Resource::SVGDocument:
+ case Resource::Image:
+ if (!shouldBypassMainWorldCSP && !csp->allowImageFromSource(url, cspReporting))
+ return false;
+ break;
+ case Resource::Font: {
+ if (!shouldBypassMainWorldCSP && !csp->allowFontFromSource(url, cspReporting))
+ return false;
+ break;
}
+ case Resource::MainResource:
+ case Resource::Raw:
+ case Resource::LinkPrefetch:
+ case Resource::LinkSubresource:
+ break;
+ case Resource::Media:
+ case Resource::TextTrack:
+ if (!shouldBypassMainWorldCSP && !csp->allowMediaFromSource(url, cspReporting))
+ return false;
- if (type == Resource::Media || type == Resource::TextTrack) {
if (frame()) {
if (!frame()->loader().client()->allowMedia(url))
return false;
}
+ break;
}
// SVG Images have unique security rules that prevent all subresource requests
@@ -598,7 +635,7 @@
bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sourceOrigin, const KURL& url) const
{
// Redirects can change the response URL different from one of request.
- if (!canRequest(resource->type(), resource->resourceRequest().requestContext(), url, resource->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
+ if (!canRequest(resource->type(), url, resource->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
return false;
if (!sourceOrigin && document())
@@ -678,7 +715,7 @@
if (!url.isValid())
return 0;
- if (!canRequest(type, request.resourceRequest().requestContext(), url, request.options(), request.forPreload(), request.originRestriction()))
+ if (!canRequest(type, url, request.options(), request.forPreload(), request.originRestriction()))
return 0;
if (LocalFrame* f = frame())
@@ -1385,7 +1422,7 @@
bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)
{
- if (!canRequest(resource->type(), request.requestContext(), request.url(), options, resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
+ if (!canRequest(resource->type(), request.url(), options, resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
return false;
if (options.corsEnabled == IsCORSEnabled) {
SecurityOrigin* sourceOrigin = options.securityOrigin.get();
« no previous file with comments | « trunk/Source/core/fetch/ResourceFetcher.h ('k') | trunk/Source/core/frame/UseCounter.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698