| OLD | NEW |
| 1 /* | 1 /* |
| 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) | 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) |
| 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) | 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) |
| 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) | 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) |
| 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All
rights reserved. | 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All
rights reserved. |
| 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ | 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ |
| 7 | 7 |
| 8 This library is free software; you can redistribute it and/or | 8 This library is free software; you can redistribute it and/or |
| 9 modify it under the terms of the GNU Library General Public | 9 modify it under the terms of the GNU Library General Public |
| 10 License as published by the Free Software Foundation; either | 10 License as published by the Free Software Foundation; either |
| (...skipping 260 matching lines...) |
| 271 options.synchronousPolicy = RequestSynchronously; | 271 options.synchronousPolicy = RequestSynchronously; |
| 272 request.setOptions(options); | 272 request.setOptions(options); |
| 273 return requestResource(Resource::Raw, request); | 273 return requestResource(Resource::Raw, request); |
| 274 } | 274 } |
| 275 | 275 |
| 276 ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request) | 276 ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request) |
| 277 { | 277 { |
| 278 if (Frame* f = frame()) { | 278 if (Frame* f = frame()) { |
| 279 if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDi
smissal) { | 279 if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDi
smissal) { |
| 280 KURL requestURL = request.resourceRequest().url(); | 280 KURL requestURL = request.resourceRequest().url(); |
| 281 if (requestURL.isValid() && canRequest(Resource::Image, requestURL,
request.options(), request.forPreload())) | 281 if (requestURL.isValid() && canRequest(Resource::Image, requestURL,
request.options(), request.forPreload(), request.originRestriction())) |
| 282 PingLoader::loadImage(f, requestURL); | 282 PingLoader::loadImage(f, requestURL); |
| 283 return 0; | 283 return 0; |
| 284 } | 284 } |
| 285 } | 285 } |
| 286 | 286 |
| 287 if (request.resourceRequest().url().protocolIsData()) | 287 if (request.resourceRequest().url().protocolIsData()) |
| 288 preCacheDataURIImage(request); | 288 preCacheDataURIImage(request); |
| 289 | 289 |
| 290 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? FetchR
equest::DeferredByClient : FetchRequest::NoDefer); | 290 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? FetchR
equest::DeferredByClient : FetchRequest::NoDefer); |
| 291 return static_cast<ImageResource*>(requestResource(Resource::Image, request)
.get()); | 291 return static_cast<ImageResource*>(requestResource(Resource::Image, request)
.get()); |
| (...skipping 34 matching lines...) |
| 326 ResourcePtr<CSSStyleSheetResource> ResourceFetcher::fetchUserCSSStyleSheet(Fetch
Request& request) | 326 ResourcePtr<CSSStyleSheetResource> ResourceFetcher::fetchUserCSSStyleSheet(Fetch
Request& request) |
| 327 { | 327 { |
| 328 KURL url = MemoryCache::removeFragmentIdentifierIfNeeded(request.resourceReq
uest().url()); | 328 KURL url = MemoryCache::removeFragmentIdentifierIfNeeded(request.resourceReq
uest().url()); |
| 329 | 329 |
| 330 if (Resource* existing = memoryCache()->resourceForURL(url)) { | 330 if (Resource* existing = memoryCache()->resourceForURL(url)) { |
| 331 if (existing->type() == Resource::CSSStyleSheet) | 331 if (existing->type() == Resource::CSSStyleSheet) |
| 332 return static_cast<CSSStyleSheetResource*>(existing); | 332 return static_cast<CSSStyleSheetResource*>(existing); |
| 333 memoryCache()->remove(existing); | 333 memoryCache()->remove(existing); |
| 334 } | 334 } |
| 335 | 335 |
| 336 request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, B
ufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCross
OriginCredentials, SkipSecurityCheck, CheckContentSecurityPolicy, UseDefaultOrig
inRestrictionsForType, DocumentContext)); | 336 request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, B
ufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCross
OriginCredentials, SkipSecurityCheck, CheckContentSecurityPolicy, DocumentContex
t)); |
| 337 return static_cast<CSSStyleSheetResource*>(requestResource(Resource::CSSStyl
eSheet, request).get()); | 337 return static_cast<CSSStyleSheetResource*>(requestResource(Resource::CSSStyl
eSheet, request).get()); |
| 338 } | 338 } |
| 339 | 339 |
| 340 ResourcePtr<ScriptResource> ResourceFetcher::fetchScript(FetchRequest& request) | 340 ResourcePtr<ScriptResource> ResourceFetcher::fetchScript(FetchRequest& request) |
| 341 { | 341 { |
| 342 return static_cast<ScriptResource*>(requestResource(Resource::Script, reques
t).get()); | 342 return static_cast<ScriptResource*>(requestResource(Resource::Script, reques
t).get()); |
| 343 } | 343 } |
| 344 | 344 |
| 345 ResourcePtr<XSLStyleSheetResource> ResourceFetcher::fetchXSLStyleSheet(FetchRequ
est& request) | 345 ResourcePtr<XSLStyleSheetResource> ResourceFetcher::fetchXSLStyleSheet(FetchRequ
est& request) |
| 346 { | 346 { |
| (...skipping 68 matching lines...) |
| 415 Frame* top = f->tree().top(); | 415 Frame* top = f->tree().top(); |
| 416 if (!top->loader().mixedContentChecker()->canDisplayInsecureContent(
top->document()->securityOrigin(), url)) | 416 if (!top->loader().mixedContentChecker()->canDisplayInsecureContent(
top->document()->securityOrigin(), url)) |
| 417 return false; | 417 return false; |
| 418 } | 418 } |
| 419 } else { | 419 } else { |
| 420 ASSERT(treatment == TreatAsAlwaysAllowedContent); | 420 ASSERT(treatment == TreatAsAlwaysAllowedContent); |
| 421 } | 421 } |
| 422 return true; | 422 return true; |
| 423 } | 423 } |
| 424 | 424 |
| 425 bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
ourceLoaderOptions& options, bool forPreload) | 425 bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
ourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction or
iginRestriction) |
| 426 { | 426 { |
| 427 if (document() && !document()->securityOrigin()->canDisplay(url)) { | 427 if (document() && !document()->securityOrigin()->canDisplay(url)) { |
| 428 if (!forPreload) | 428 if (!forPreload) |
| 429 context().reportLocalLoadFailed(url); | 429 context().reportLocalLoadFailed(url); |
| 430 LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allow
ed by SecurityOrigin::canDisplay"); | 430 LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allow
ed by SecurityOrigin::canDisplay"); |
| 431 return 0; | 431 return 0; |
| 432 } | 432 } |
| 433 | 433 |
| 434 // FIXME: Convert this to check the isolated world's Content Security Policy
once webkit.org/b/104520 is solved. | 434 // FIXME: Convert this to check the isolated world's Content Security Policy
once webkit.org/b/104520 is solved. |
| 435 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip
t().shouldBypassMainWorldContentSecurityPolicy()) || (options.contentSecurityPol
icyOption == DoNotCheckContentSecurityPolicy); | 435 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->scrip
t().shouldBypassMainWorldContentSecurityPolicy()) || (options.contentSecurityPol
icyOption == DoNotCheckContentSecurityPolicy); |
| 436 | 436 |
| 437 // Some types of resources can be loaded only from the same origin. Other | 437 // Some types of resources can be loaded only from the same origin. Other |
| 438 // types of resources, like Images, Scripts, and CSS, can be loaded from | 438 // types of resources, like Images, Scripts, and CSS, can be loaded from |
| 439 // any URL. | 439 // any URL. |
| 440 switch (type) { | 440 switch (type) { |
| 441 case Resource::MainResource: | 441 case Resource::MainResource: |
| 442 case Resource::Image: | 442 case Resource::Image: |
| 443 case Resource::CSSStyleSheet: | 443 case Resource::CSSStyleSheet: |
| 444 case Resource::Script: | 444 case Resource::Script: |
| 445 case Resource::Font: | 445 case Resource::Font: |
| 446 case Resource::Raw: | 446 case Resource::Raw: |
| 447 case Resource::LinkPrefetch: | 447 case Resource::LinkPrefetch: |
| 448 case Resource::LinkSubresource: | 448 case Resource::LinkSubresource: |
| 449 case Resource::TextTrack: | 449 case Resource::TextTrack: |
| 450 case Resource::Shader: | 450 case Resource::Shader: |
| 451 case Resource::ImportResource: | 451 case Resource::ImportResource: |
| 452 // By default these types of resources can be loaded from any origin. | 452 // By default these types of resources can be loaded from any origin. |
| 453 // FIXME: Are we sure about Resource::Font? | 453 // FIXME: Are we sure about Resource::Font? |
| 454 if (options.requestOriginPolicy == RestrictToSameOrigin && !m_document->
securityOrigin()->canRequest(url)) { | 454 if (originRestriction == FetchRequest::RestrictToSameOrigin && !m_docume
nt->securityOrigin()->canRequest(url)) { |
| 455 printAccessDeniedMessage(url); | 455 printAccessDeniedMessage(url); |
| 456 return false; | 456 return false; |
| 457 } | 457 } |
| 458 break; | 458 break; |
| 459 case Resource::XSLStyleSheet: | 459 case Resource::XSLStyleSheet: |
| 460 ASSERT(RuntimeEnabledFeatures::xsltEnabled()); | 460 ASSERT(RuntimeEnabledFeatures::xsltEnabled()); |
| 461 case Resource::SVGDocument: | 461 case Resource::SVGDocument: |
| 462 if (!m_document->securityOrigin()->canRequest(url)) { | 462 if (!m_document->securityOrigin()->canRequest(url)) { |
| 463 printAccessDeniedMessage(url); | 463 printAccessDeniedMessage(url); |
| 464 return false; | 464 return false; |
| (...skipping 51 matching lines...) |
| 516 // folks block insecure content with a CSP policy, they don't get a warning. | 516 // folks block insecure content with a CSP policy, they don't get a warning. |
| 517 // They'll still get a warning in the console about CSP blocking the load. | 517 // They'll still get a warning in the console about CSP blocking the load. |
| 518 | 518 |
| 519 // FIXME: Should we consider forPreload here? | 519 // FIXME: Should we consider forPreload here? |
| 520 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment)) | 520 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment)) |
| 521 return false; | 521 return false; |
| 522 | 522 |
| 523 return true; | 523 return true; |
| 524 } | 524 } |
| 525 | 525 |
| 526 bool ResourceFetcher::canAccess(Resource* resource) | 526 bool ResourceFetcher::canAccess(Resource* resource, CORSEnabled corsEnabled, Fet
chRequest::OriginRestriction originRestriction) |
| 527 { | 527 { |
| 528 // Redirects can change the response URL different from one of request. | 528 // Redirects can change the response URL different from one of request. |
| 529 if (!canRequest(resource->type(), resource->response().url(), resource->opti
ons(), false)) | 529 if (!canRequest(resource->type(), resource->response().url(), resource->opti
ons(), false, originRestriction)) |
| 530 return false; | 530 return false; |
| 531 | 531 |
| 532 String error; | 532 String error; |
| 533 switch (resource->type()) { | 533 switch (resource->type()) { |
| 534 case Resource::Script: | 534 case Resource::Script: |
| 535 case Resource::ImportResource: | 535 case Resource::ImportResource: |
| 536 if (resource->options().requestOriginPolicy == PotentiallyCrossOriginEna
bled | 536 if (corsEnabled == PotentiallyCORSEnabled |
| 537 && !m_document->securityOrigin()->canRequest(resource->response().ur
l()) | 537 && !m_document->securityOrigin()->canRequest(resource->response().ur
l()) |
| 538 && !resource->passesAccessControlCheck(m_document->securityOrigin(),
error)) { | 538 && !resource->passesAccessControlCheck(m_document->securityOrigin(),
error)) { |
| 539 if (frame() && frame()->document()) | 539 if (frame() && frame()->document()) |
| 540 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMes
sageLevel, "Script from origin '" + SecurityOrigin::create(resource->response().
url())->toString() + "' has been blocked from loading by Cross-Origin Resource S
haring policy: " + error); | 540 frame()->document()->addConsoleMessage(JSMessageSource, ErrorMes
sageLevel, "Script from origin '" + SecurityOrigin::create(resource->response().
url())->toString() + "' has been blocked from loading by Cross-Origin Resource S
haring policy: " + error); |
| 541 return false; | 541 return false; |
| 542 } | 542 } |
| 543 | 543 |
| 544 break; | 544 break; |
| 545 default: | 545 default: |
| 546 ASSERT_NOT_REACHED(); // FIXME: generalize to non-script resources | 546 ASSERT_NOT_REACHED(); // FIXME: generalize to non-script resources |
| (...skipping 30 matching lines...) |
| 577 KURL url = request.resourceRequest().url(); | 577 KURL url = request.resourceRequest().url(); |
| 578 | 578 |
| 579 LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s', p
riority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), request
.charset().latin1().data(), request.priority(), request.forPreload(), ResourceTy
peName(type)); | 579 LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s', p
riority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), request
.charset().latin1().data(), request.priority(), request.forPreload(), ResourceTy
peName(type)); |
| 580 | 580 |
| 581 // If only the fragment identifiers differ, it is the same resource. | 581 // If only the fragment identifiers differ, it is the same resource. |
| 582 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); | 582 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); |
| 583 | 583 |
| 584 if (!url.isValid()) | 584 if (!url.isValid()) |
| 585 return 0; | 585 return 0; |
| 586 | 586 |
| 587 if (!canRequest(type, url, request.options(), request.forPreload())) | 587 if (!canRequest(type, url, request.options(), request.forPreload(), request.
originRestriction())) |
| 588 return 0; | 588 return 0; |
| 589 | 589 |
| 590 if (Frame* f = frame()) | 590 if (Frame* f = frame()) |
| 591 f->loader().client()->dispatchWillRequestResource(&request); | 591 f->loader().client()->dispatchWillRequestResource(&request); |
| 592 | 592 |
| 593 // See if we can use an existing resource from the cache. | 593 // See if we can use an existing resource from the cache. |
| 594 ResourcePtr<Resource> resource = memoryCache()->resourceForURL(url); | 594 ResourcePtr<Resource> resource = memoryCache()->resourceForURL(url); |
| 595 | 595 |
| 596 const RevalidationPolicy policy = determineRevalidationPolicy(type, request.
mutableResourceRequest(), request.forPreload(), resource.get(), request.defer())
; | 596 const RevalidationPolicy policy = determineRevalidationPolicy(type, request.
mutableResourceRequest(), request.forPreload(), resource.get(), request.defer())
; |
| 597 switch (policy) { | 597 switch (policy) { |
| (...skipping 650 matching lines...) |
| 1248 return false; | 1248 return false; |
| 1249 } | 1249 } |
| 1250 | 1250 |
| 1251 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const | 1251 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const |
| 1252 { | 1252 { |
| 1253 return this == possibleOwner; | 1253 return this == possibleOwner; |
| 1254 } | 1254 } |
| 1255 | 1255 |
| 1256 bool ResourceFetcher::shouldRequest(Resource* resource, const ResourceRequest& r
equest, const ResourceLoaderOptions& options) | 1256 bool ResourceFetcher::shouldRequest(Resource* resource, const ResourceRequest& r
equest, const ResourceLoaderOptions& options) |
| 1257 { | 1257 { |
| 1258 if (!canRequest(resource->type(), request.url(), options)) | 1258 if (!canRequest(resource->type(), request.url(), options, false, FetchReques
t::UseDefaultOriginRestrictionForType)) |
| 1259 return false; | 1259 return false; |
| 1260 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url(
))) | 1260 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url(
))) |
| 1261 return false; | 1261 return false; |
| 1262 return true; | 1262 return true; |
| 1263 } | 1263 } |
| 1264 | 1264 |
| 1265 void ResourceFetcher::refResourceLoaderHost() | 1265 void ResourceFetcher::refResourceLoaderHost() |
| 1266 { | 1266 { |
| 1267 ref(); | 1267 ref(); |
| 1268 } | 1268 } |
| (...skipping 47 matching lines...) |
| 1316 printf("SCRIPTS: %d (%d hits, hit rate %d%%)\n", scripts, scripts - scri
ptMisses, (scripts - scriptMisses) * 100 / scripts); | 1316 printf("SCRIPTS: %d (%d hits, hit rate %d%%)\n", scripts, scripts - scri
ptMisses, (scripts - scriptMisses) * 100 / scripts); |
| 1317 if (stylesheets) | 1317 if (stylesheets) |
| 1318 printf("STYLESHEETS: %d (%d hits, hit rate %d%%)\n", stylesheets, styles
heets - stylesheetMisses, (stylesheets - stylesheetMisses) * 100 / stylesheets); | 1318 printf("STYLESHEETS: %d (%d hits, hit rate %d%%)\n", stylesheets, styles
heets - stylesheetMisses, (stylesheets - stylesheetMisses) * 100 / stylesheets); |
| 1319 if (images) | 1319 if (images) |
| 1320 printf("IMAGES: %d (%d hits, hit rate %d%%)\n", images, images - imageM
isses, (images - imageMisses) * 100 / images); | 1320 printf("IMAGES: %d (%d hits, hit rate %d%%)\n", images, images - imageM
isses, (images - imageMisses) * 100 / images); |
| 1321 } | 1321 } |
| 1322 #endif | 1322 #endif |
| 1323 | 1323 |
| 1324 const ResourceLoaderOptions& ResourceFetcher::defaultResourceOptions() | 1324 const ResourceLoaderOptions& ResourceFetcher::defaultResourceOptions() |
| 1325 { | 1325 { |
| 1326 DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffCon
tent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientF
orCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, UseDefaul
tOriginRestrictionsForType, DocumentContext)); | 1326 DEFINE_STATIC_LOCAL(ResourceLoaderOptions, options, (SendCallbacks, SniffCon
tent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientF
orCrossOriginCredentials, DoSecurityCheck, CheckContentSecurityPolicy, DocumentC
ontext)); |
| 1327 return options; | 1327 return options; |
| 1328 } | 1328 } |
| 1329 | 1329 |
| 1330 } | 1330 } |
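Review bot: In `shouldRequest` (new line 1258) the origin restriction is hard-coded to `FetchRequest::UseDefaultOriginRestrictionForType`, whereas the old call let `canRequest` read `options.requestOriginPolicy`, so a load started with `RestrictToSameOrigin` is no longer held to same-origin by this check. The callers of `shouldRequest` are outside the visible lines; if it is the check applied to a redirect target, a same-origin-only request could follow a redirect to another origin without being refused here. Either pass the originating request's restriction through to this call, or document why the default is sufficient, e.g. `// FIXME: the originating FetchRequest's OriginRestriction is not available here, so RestrictToSameOrigin is not re-applied.` A related point applies to `canAccess` at new line 536, where the CORS check now relies on the caller-supplied `corsEnabled` instead of the resource's own options, so every call site has to pass the mode the resource was actually fetched with.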
| OLD | NEW |