Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(32)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 550083003: Revert of Mixed Content: Move subframe checks into ResourceFetcher. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « Source/core/fetch/ResourceFetcher.h ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
7 7
8 This library is free software; you can redistribute it and/or 8 This library is free software; you can redistribute it and/or
9 modify it under the terms of the GNU Library General Public 9 modify it under the terms of the GNU Library General Public
10 License as published by the Free Software Foundation; either 10 License as published by the Free Software Foundation; either
(...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after
295 options.synchronousPolicy = RequestSynchronously; 295 options.synchronousPolicy = RequestSynchronously;
296 request.setOptions(options); 296 request.setOptions(options);
297 return requestResource(Resource::Raw, request); 297 return requestResource(Resource::Raw, request);
298 } 298 }
299 299
300 ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request) 300 ResourcePtr<ImageResource> ResourceFetcher::fetchImage(FetchRequest& request)
301 { 301 {
302 if (LocalFrame* f = frame()) { 302 if (LocalFrame* f = frame()) {
303 if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDi smissal) { 303 if (f->document()->pageDismissalEventBeingDispatched() != Document::NoDi smissal) {
304 KURL requestURL = request.resourceRequest().url(); 304 KURL requestURL = request.resourceRequest().url();
305 if (requestURL.isValid() && canRequest(Resource::Image, request.reso urceRequest(), requestURL, request.options(), request.forPreload(), request.orig inRestriction())) 305 if (requestURL.isValid() && canRequest(Resource::Image, requestURL, request.options(), request.forPreload(), request.originRestriction()))
306 PingLoader::loadImage(f, requestURL); 306 PingLoader::loadImage(f, requestURL);
307 return 0; 307 return 0;
308 } 308 }
309 } 309 }
310 310
311 if (request.resourceRequest().url().protocolIsData()) 311 if (request.resourceRequest().url().protocolIsData())
312 preCacheDataURIImage(request); 312 preCacheDataURIImage(request);
313 313
314 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? FetchR equest::DeferredByClient : FetchRequest::NoDefer); 314 request.setDefer(clientDefersImage(request.resourceRequest().url()) ? FetchR equest::DeferredByClient : FetchRequest::NoDefer);
315 ResourcePtr<Resource> resource = requestResource(Resource::Image, request); 315 ResourcePtr<Resource> resource = requestResource(Resource::Image, request);
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after
424 resource->setNeedsSynchronousCacheHit(substituteData.forceSynchronousLoad()) ; 424 resource->setNeedsSynchronousCacheHit(substituteData.forceSynchronousLoad()) ;
425 resource->setOptions(request.options()); 425 resource->setOptions(request.options());
426 resource->setDataBufferingPolicy(BufferData); 426 resource->setDataBufferingPolicy(BufferData);
427 resource->responseReceived(response); 427 resource->responseReceived(response);
428 if (substituteData.content()->size()) 428 if (substituteData.content()->size())
429 resource->setResourceBuffer(substituteData.content()); 429 resource->setResourceBuffer(substituteData.content());
430 resource->finish(); 430 resource->finish();
431 memoryCache()->add(resource.get()); 431 memoryCache()->add(resource.get());
432 } 432 }
433 433
434 bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url, LocalFrame* frame, MixedContentBlockingTreatment treatment) const 434 bool ResourceFetcher::checkInsecureContent(Resource::Type type, const KURL& url, MixedContentBlockingTreatment treatment) const
435 { 435 {
436 if (treatment == TreatAsDefaultForType) { 436 if (treatment == TreatAsDefaultForType) {
437 switch (type) { 437 switch (type) {
438 case Resource::XSLStyleSheet: 438 case Resource::XSLStyleSheet:
439 ASSERT(RuntimeEnabledFeatures::xsltEnabled()); 439 ASSERT(RuntimeEnabledFeatures::xsltEnabled());
440 case Resource::Script: 440 case Resource::Script:
441 case Resource::SVGDocument: 441 case Resource::SVGDocument:
442 case Resource::CSSStyleSheet: 442 case Resource::CSSStyleSheet:
443 case Resource::ImportResource: 443 case Resource::ImportResource:
444 // These resource can inject script into the current document (Scrip t, 444 // These resource can inject script into the current document (Scrip t,
(...skipping 16 matching lines...) Expand all
461 break; 461 break;
462 462
463 case Resource::MainResource: 463 case Resource::MainResource:
464 case Resource::LinkPrefetch: 464 case Resource::LinkPrefetch:
465 case Resource::LinkSubresource: 465 case Resource::LinkSubresource:
466 // These cannot affect the current document. 466 // These cannot affect the current document.
467 treatment = TreatAsAlwaysAllowedContent; 467 treatment = TreatAsAlwaysAllowedContent;
468 break; 468 break;
469 } 469 }
470 } 470 }
471 if (treatment == TreatAsActiveContent) {
472 if (LocalFrame* f = frame()) {
473 if (!f->loader().mixedContentChecker()->canRunInsecureContent(m_docu ment->securityOrigin(), url))
474 return false;
475 }
476 } else if (treatment == TreatAsPassiveContent) {
477 if (LocalFrame* f = frame()) {
478 if (!f->loader().mixedContentChecker()->canDisplayInsecureContent(m_ document->securityOrigin(), url))
479 return false;
480 if (MixedContentChecker::isMixedContent(f->document()->securityOrigi n(), url) || MixedContentChecker::isMixedContent(toLocalFrame(frame()->tree().to p())->document()->securityOrigin(), url)) {
481 switch (type) {
482 case Resource::Raw:
483 UseCounter::count(f->document(), UseCounter::MixedContentRaw );
484 break;
471 485
472 // No frame, no mixed content. 486 case Resource::Image:
473 if (!frame) 487 UseCounter::count(f->document(), UseCounter::MixedContentIma ge);
474 return true; 488 break;
475 489
476 if (treatment == TreatAsActiveContent) { 490 case Resource::Media:
477 if (!frame->loader().mixedContentChecker()->canRunInsecureContent(frame- >document()->securityOrigin(), url)) 491 UseCounter::count(f->document(), UseCounter::MixedContentMed ia);
478 return false; 492 break;
479 } else if (treatment == TreatAsPassiveContent) {
480 if (!frame->loader().mixedContentChecker()->canDisplayInsecureContent(fr ame->document()->securityOrigin(), url))
481 return false;
482 if (MixedContentChecker::isMixedContent(frame->document()->securityOrigi n(), url) || MixedContentChecker::isMixedContent(toLocalFrame(frame->tree().top( ))->document()->securityOrigin(), url)) {
483 switch (type) {
484 case Resource::Raw:
485 UseCounter::count(frame->document(), UseCounter::MixedContentRaw );
486 break;
487 493
488 case Resource::Image: 494 default:
489 UseCounter::count(frame->document(), UseCounter::MixedContentIma ge); 495 ASSERT_NOT_REACHED();
490 break; 496 }
491
492 case Resource::Media:
493 UseCounter::count(frame->document(), UseCounter::MixedContentMed ia);
494 break;
495
496 default:
497 ASSERT_NOT_REACHED();
498 } 497 }
499 } 498 }
500 } else { 499 } else {
501 ASSERT(treatment == TreatAsAlwaysAllowedContent); 500 ASSERT(treatment == TreatAsAlwaysAllowedContent);
502 } 501 }
503 return true; 502 return true;
504 } 503 }
505 504
506 bool ResourceFetcher::canRequest(Resource::Type type, const ResourceRequest& res ourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPre load, FetchRequest::OriginRestriction originRestriction) const 505 bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res ourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction or iginRestriction) const
507 { 506 {
508 SecurityOrigin* securityOrigin = options.securityOrigin.get(); 507 SecurityOrigin* securityOrigin = options.securityOrigin.get();
509 if (!securityOrigin && document()) 508 if (!securityOrigin && document())
510 securityOrigin = document()->securityOrigin(); 509 securityOrigin = document()->securityOrigin();
511 510
512 if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin && !securityOrigin->canDisplay(url)) { 511 if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin && !securityOrigin->canDisplay(url)) {
513 if (!forPreload) 512 if (!forPreload)
514 context().reportLocalLoadFailed(url); 513 context().reportLocalLoadFailed(url);
515 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not a llowed by SecurityOrigin::canDisplay"); 514 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not a llowed by SecurityOrigin::canDisplay");
516 return 0; 515 return 0;
(...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after
617 // except for data urls. 616 // except for data urls.
618 if (type != Resource::MainResource) { 617 if (type != Resource::MainResource) {
619 if (frame() && frame()->chromeClient().isSVGImageChromeClient() && !url. protocolIsData()) 618 if (frame() && frame()->chromeClient().isSVGImageChromeClient() && !url. protocolIsData())
620 return false; 619 return false;
621 } 620 }
622 621
623 // Last of all, check for insecure content. We do this last so that when 622 // Last of all, check for insecure content. We do this last so that when
624 // folks block insecure content with a CSP policy, they don't get a warning. 623 // folks block insecure content with a CSP policy, they don't get a warning.
625 // They'll still get a warning in the console about CSP blocking the load. 624 // They'll still get a warning in the console about CSP blocking the load.
626 625
627 // If we're loading the main resource of a subframe, ensure that we treat th e resource as active
628 // content for the purposes of mixed content checks, and that we check again st the parent of the
629 // active frame, rather than the frame itself.
630 LocalFrame* effectiveFrame = frame();
631 MixedContentBlockingTreatment effectiveTreatment = options.mixedContentBlock ingTreatment;
632 if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested) {
633 effectiveTreatment = TreatAsActiveContent;
634 // FIXME: Deal with RemoteFrames.
635 if (frame()->tree().parent()->isLocalFrame())
636 effectiveFrame = toLocalFrame(frame()->tree().parent());
637 }
638
639 // FIXME: Should we consider forPreload here? 626 // FIXME: Should we consider forPreload here?
640 if (!checkInsecureContent(type, url, effectiveFrame, effectiveTreatment)) 627 if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment))
641 return false; 628 return false;
642 629
643 return true; 630 return true;
644 } 631 }
645 632
646 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url) const 633 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url) const
647 { 634 {
648 // Redirects can change the response URL different from one of request. 635 // Redirects can change the response URL different from one of request.
649 if (!canRequest(resource->type(), resource->resourceRequest(), url, resource ->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrict ionForType)) 636 if (!canRequest(resource->type(), url, resource->options(), resource->isUnus edPreload(), FetchRequest::UseDefaultOriginRestrictionForType))
650 return false; 637 return false;
651 638
652 if (!sourceOrigin && document()) 639 if (!sourceOrigin && document())
653 sourceOrigin = document()->securityOrigin(); 640 sourceOrigin = document()->securityOrigin();
654 641
655 if (sourceOrigin->canRequest(url)) 642 if (sourceOrigin->canRequest(url))
656 return true; 643 return true;
657 644
658 String errorDescription; 645 String errorDescription;
659 if (!resource->passesAccessControlCheck(sourceOrigin, errorDescription)) { 646 if (!resource->passesAccessControlCheck(sourceOrigin, errorDescription)) {
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
719 KURL url = request.resourceRequest().url(); 706 KURL url = request.resourceRequest().url();
720 707
721 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s ', priority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), req uest.charset().latin1().data(), request.priority(), request.forPreload(), Resour ceTypeName(type)); 708 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s ', priority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), req uest.charset().latin1().data(), request.priority(), request.forPreload(), Resour ceTypeName(type));
722 709
723 // If only the fragment identifiers differ, it is the same resource. 710 // If only the fragment identifiers differ, it is the same resource.
724 url = MemoryCache::removeFragmentIdentifierIfNeeded(url); 711 url = MemoryCache::removeFragmentIdentifierIfNeeded(url);
725 712
726 if (!url.isValid()) 713 if (!url.isValid())
727 return 0; 714 return 0;
728 715
729 if (!canRequest(type, request.resourceRequest(), url, request.options(), req uest.forPreload(), request.originRestriction())) 716 if (!canRequest(type, url, request.options(), request.forPreload(), request. originRestriction()))
730 return 0; 717 return 0;
731 718
732 if (LocalFrame* f = frame()) 719 if (LocalFrame* f = frame())
733 f->loader().client()->dispatchWillRequestResource(&request); 720 f->loader().client()->dispatchWillRequestResource(&request);
734 721
735 if (!request.forPreload()) { 722 if (!request.forPreload()) {
736 V8DOMActivityLogger* activityLogger = 0; 723 V8DOMActivityLogger* activityLogger = 0;
737 if (request.options().initiatorInfo.name == FetchInitiatorTypeNames::xml httprequest) 724 if (request.options().initiatorInfo.name == FetchInitiatorTypeNames::xml httprequest)
738 activityLogger = V8DOMActivityLogger::currentActivityLogger(); 725 activityLogger = V8DOMActivityLogger::currentActivityLogger();
739 else 726 else
(...skipping 602 matching lines...) Expand 10 before | Expand all | Expand 10 after
1342 1329
1343 void ResourceFetcher::willSendRequest(unsigned long identifier, ResourceRequest& request, const ResourceResponse& redirectResponse, const FetchInitiatorInfo& in itiatorInfo) 1330 void ResourceFetcher::willSendRequest(unsigned long identifier, ResourceRequest& request, const ResourceResponse& redirectResponse, const FetchInitiatorInfo& in itiatorInfo)
1344 { 1331 {
1345 context().dispatchWillSendRequest(m_documentLoader, identifier, request, red irectResponse, initiatorInfo); 1332 context().dispatchWillSendRequest(m_documentLoader, identifier, request, red irectResponse, initiatorInfo);
1346 } 1333 }
1347 1334
1348 void ResourceFetcher::didReceiveResponse(const Resource* resource, const Resourc eResponse& response) 1335 void ResourceFetcher::didReceiveResponse(const Resource* resource, const Resourc eResponse& response)
1349 { 1336 {
1350 // If the response is fetched via ServiceWorker, the original URL of the res ponse could be different from the URL of the request. 1337 // If the response is fetched via ServiceWorker, the original URL of the res ponse could be different from the URL of the request.
1351 if (response.wasFetchedViaServiceWorker()) { 1338 if (response.wasFetchedViaServiceWorker()) {
1352 if (!canRequest(resource->type(), resource->resourceRequest(), response. url(), resource->options(), false, FetchRequest::UseDefaultOriginRestrictionForT ype)) { 1339 if (!canRequest(resource->type(), response.url(), resource->options(), f alse, FetchRequest::UseDefaultOriginRestrictionForType)) {
1353 resource->loader()->cancel(); 1340 resource->loader()->cancel();
1354 context().dispatchDidFail(m_documentLoader, resource->identifier(), ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Unsafe atte mpt to load URL " + response.url().elidedString() + " fetched by a ServiceWorker .")); 1341 context().dispatchDidFail(m_documentLoader, resource->identifier(), ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Unsafe atte mpt to load URL " + response.url().elidedString() + " fetched by a ServiceWorker ."));
1355 return; 1342 return;
1356 } 1343 }
1357 } 1344 }
1358 context().dispatchDidReceiveResponse(m_documentLoader, resource->identifier( ), response, resource->loader()); 1345 context().dispatchDidReceiveResponse(m_documentLoader, resource->identifier( ), response, resource->loader());
1359 } 1346 }
1360 1347
1361 void ResourceFetcher::didReceiveData(const Resource* resource, const char* data, int dataLength, int encodedDataLength) 1348 void ResourceFetcher::didReceiveData(const Resource* resource, const char* data, int dataLength, int encodedDataLength)
1362 { 1349 {
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
1433 return false; 1420 return false;
1434 } 1421 }
1435 1422
1436 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const 1423 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const
1437 { 1424 {
1438 return this == possibleOwner; 1425 return this == possibleOwner;
1439 } 1426 }
1440 1427
1441 bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& req uest, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options) 1428 bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& req uest, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)
1442 { 1429 {
1443 if (!canRequest(resource->type(), request, request.url(), options, resource- >isUnusedPreload(), FetchRequest::UseDefaultOriginRestrictionForType)) 1430 if (!canRequest(resource->type(), request.url(), options, resource->isUnused Preload(), FetchRequest::UseDefaultOriginRestrictionForType))
1444 return false; 1431 return false;
1445 if (options.corsEnabled == IsCORSEnabled) { 1432 if (options.corsEnabled == IsCORSEnabled) {
1446 SecurityOrigin* sourceOrigin = options.securityOrigin.get(); 1433 SecurityOrigin* sourceOrigin = options.securityOrigin.get();
1447 if (!sourceOrigin && document()) 1434 if (!sourceOrigin && document())
1448 sourceOrigin = document()->securityOrigin(); 1435 sourceOrigin = document()->securityOrigin();
1449 1436
1450 String errorMessage; 1437 String errorMessage;
1451 if (!CrossOriginAccessControl::handleRedirect(resource, sourceOrigin, re quest, redirectResponse, options, errorMessage)) { 1438 if (!CrossOriginAccessControl::handleRedirect(resource, sourceOrigin, re quest, redirectResponse, options, errorMessage)) {
1452 if (resource->type() == Resource::Font) 1439 if (resource->type() == Resource::Font)
1453 toFontResource(resource)->setCORSFailed(); 1440 toFontResource(resource)->setCORSFailed();
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after
1566 1553
1567 void ResourceFetcher::trace(Visitor* visitor) 1554 void ResourceFetcher::trace(Visitor* visitor)
1568 { 1555 {
1569 visitor->trace(m_document); 1556 visitor->trace(m_document);
1570 visitor->trace(m_loaders); 1557 visitor->trace(m_loaders);
1571 visitor->trace(m_multipartLoaders); 1558 visitor->trace(m_multipartLoaders);
1572 ResourceLoaderHost::trace(visitor); 1559 ResourceLoaderHost::trace(visitor);
1573 } 1560 }
1574 1561
1575 } 1562 }
OLDNEW
« no previous file with comments | « Source/core/fetch/ResourceFetcher.h ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698