Block execution of failed 'crossorigin' <script>s.

Source/core/fetch/ResourceFetcher.h

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller <mueller@kde.org>
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
     version 2 of the License, or (at your option) any later version.
@@ skipping 43 matching lines @@
 class XSLStyleSheetResource;
 class Document;
 class DocumentLoader;
 class Frame;
 class FrameLoader;
 class ImageLoader;
 class KURL;
 class ResourceTimingInfo;
 class ResourceLoaderSet;
 
+enum OriginRestriction {

[sof, 2013/11/15 08:11:58]

Finding appropriate names for this one (and the one below) took quite some time.
I think they make sense now, but if people see better alternatives, I'll happily
rename.

+    UseDefaultOriginRestrictionForType,
+    RestrictToSameOrigin
+};
+
+enum CrossOriginEnabled {
+    NotCrossOriginEnabled,
+    PotentiallyCrossOriginEnabled // Indicates "potentially CORS-enabled fetch" in HTML standard.
+};
+
 // The ResourceFetcher provides a per-context interface to the MemoryCache
 // and enforces a bunch of security checks and rules for resource revalidation.
 // Its lifetime is roughly per-DocumentLoader, in that it is generally created
 // in the DocumentLoader constructor and loses its ability to generate network
 // requests when the DocumentLoader is destroyed. Documents also hold a
 // RefPtr<ResourceFetcher> for their lifetime (and will create one if they
 // are initialized without a Frame), so a Document can keep a ResourceFetcher
 // alive past detach if scripts still reference the Document.
 class ResourceFetcher : public RefCounted<ResourceFetcher>, public ResourceLoaderHost {
     WTF_MAKE_NONCOPYABLE(ResourceFetcher); WTF_MAKE_FAST_ALLOCATED;
 friend class ImageLoader;
 friend class ResourceCacheValidationSuppressor;
 
 public:
     static PassRefPtr<ResourceFetcher> create(DocumentLoader* documentLoader) { return adoptRef(new ResourceFetcher(documentLoader)); }
     virtual ~ResourceFetcher();
 
     using RefCounted<ResourceFetcher>::ref;
     using RefCounted<ResourceFetcher>::deref;
 
-    ResourcePtr<Resource> fetchSynchronously(FetchRequest&);
-    ResourcePtr<ImageResource> fetchImage(FetchRequest&);
+    ResourcePtr<Resource> fetchSynchronously(FetchRequest&, OriginRestriction = UseDefaultOriginRestrictionForType);
+    ResourcePtr<ImageResource> fetchImage(FetchRequest&, OriginRestriction = UseDefaultOriginRestrictionForType);

[sof, 2013/11/15 08:11:58]

Notice that none of the other fetch{ResourceType}() methods take this extra
argument. They could, but there's no need for its functionality by their
callers, so I held off. (And requestResource() provides full control in any
case.) 

[abarth-chromium, 2013/11/15 15:47:52]

These functions used to take a large number of parameters.  We created the
FetchRequest object to hold all these parameters.  Can we add this value to
FetchRequest?  The FetchRequest doesn't get stored in the cache, so different
callers can have different values for the origin restriction.

[sof, 2013/11/15 17:05:18]

Done. Thank you, sorry for not picking up on that practice. That does remove a
wart added. 

     ResourcePtr<CSSStyleSheetResource> fetchCSSStyleSheet(FetchRequest&);
     ResourcePtr<CSSStyleSheetResource> fetchUserCSSStyleSheet(FetchRequest&);
     ResourcePtr<ScriptResource> fetchScript(FetchRequest&);
     ResourcePtr<FontResource> fetchFont(FetchRequest&);
     ResourcePtr<RawResource> fetchRawResource(FetchRequest&);
     ResourcePtr<RawResource> fetchMainResource(FetchRequest&);
     ResourcePtr<DocumentResource> fetchSVGDocument(FetchRequest&);
     ResourcePtr<XSLStyleSheetResource> fetchXSLStyleSheet(FetchRequest&);
     ResourcePtr<Resource> fetchLinkResource(Resource::Type, FetchRequest&);
     ResourcePtr<TextTrackResource> fetchTextTrack(FetchRequest&);
@@ skipping 27 matching lines @@
     void garbageCollectDocumentResources();
 
     int requestCount() const { return m_requestCount; }
 
     bool isPreloaded(const String& urlString) const;
     void clearPreloads();
     void clearPendingPreloads();
     void preload(Resource::Type, FetchRequest&, const String& charset);
     void checkForPendingPreloads();
     void printPreloadStats();
-    bool canAccess(Resource*);
+    bool canAccess(Resource*, CrossOriginEnabled, OriginRestriction = UseDefaultOriginRestrictionForType);
 
     void setDefersLoading(bool);
     void stopFetching();
     bool isFetching() const;
 
     // ResourceLoaderHost
     virtual void incrementRequestCount(const Resource*) OVERRIDE;
     virtual void decrementRequestCount(const Resource*) OVERRIDE;
     virtual void didLoadResource(Resource*) OVERRIDE;
     virtual void redirectReceived(Resource*, const ResourceResponse&) OVERRIDE;
@@ skipping 13 matching lines @@
     virtual void refResourceLoaderHost() OVERRIDE;
     virtual void derefResourceLoaderHost() OVERRIDE;
 
     static const ResourceLoaderOptions& defaultResourceOptions();
 private:
 
     explicit ResourceFetcher(DocumentLoader*);
 
     bool shouldLoadNewResource() const;
 
-    ResourcePtr<Resource> requestResource(Resource::Type, FetchRequest&);
+    ResourcePtr<Resource> requestResource(Resource::Type, FetchRequest&, OriginRestriction = UseDefaultOriginRestrictionForType);
     ResourcePtr<Resource> revalidateResource(const FetchRequest&, Resource*);
     ResourcePtr<Resource> loadResource(Resource::Type, FetchRequest&, const String& charset);
     void preCacheDataURIImage(const FetchRequest&);
     void storeResourceTimingInitiatorInformation(const ResourcePtr<Resource>&, const FetchRequest&);
     void requestPreload(Resource::Type, FetchRequest&, const String& charset);
 
     enum RevalidationPolicy { Use, Revalidate, Reload, Load };
     RevalidationPolicy determineRevalidationPolicy(Resource::Type, ResourceRequest&, bool forPreload, Resource* existingResource, FetchRequest::DeferOption) const;
 
     void determineTargetType(ResourceRequest&, Resource::Type);
     ResourceRequestCachePolicy resourceRequestCachePolicy(const ResourceRequest&, Resource::Type);
     void addAdditionalRequestHeaders(ResourceRequest&, Resource::Type);
 
-    bool canRequest(Resource::Type, const KURL&, const ResourceLoaderOptions&, bool forPreload = false);
+    bool canRequest(Resource::Type, const KURL&, const ResourceLoaderOptions&, bool forPreload, OriginRestriction);
     bool checkInsecureContent(Resource::Type, const KURL&, MixedContentBlockingTreatment) const;
 
     static bool resourceNeedsLoad(Resource*, const FetchRequest&, RevalidationPolicy);
 
     void notifyLoadedFromMemoryCache(Resource*);
 
     void garbageCollectDocumentResourcesTimerFired(Timer<ResourceFetcher>*);
     void performPostLoadActions();
 
     bool clientDefersImage(const KURL&) const;
@@ skipping 47 matching lines @@
             m_loader->m_allowStaleResources = m_previousState;
     }
 private:
     ResourceFetcher* m_loader;
     bool m_previousState;
 };
 
 } // namespace WebCore
 
 #endif