[ServiceWorker] Set FetchRequestMode and handle wasFetchedViaServiceWorker.

Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 28 matching lines @@
 #include "core/fetch/Resource.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/frame/FrameConsole.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/inspector/InspectorTraceEvents.h"
 #include "core/loader/CrossOriginPreflightResultCache.h"
 #include "core/loader/DocumentThreadableLoaderClient.h"
 #include "core/loader/FrameLoader.h"
+#include "core/loader/FrameLoaderClient.h"
 #include "core/loader/ThreadableLoaderClient.h"
 #include "platform/SharedBuffer.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/WebURLRequest.h"
 #include "wtf/Assertions.h"
 
 namespace blink {
 
@@ skipping 33 matching lines @@
 
     // Save any CORS simple headers on the request here. If this request redirects cross-origin, we cancel the old request
     // create a new one, and copy these headers.
     const HTTPHeaderMap& headerMap = request.httpHeaderFields();
     HTTPHeaderMap::const_iterator end = headerMap.end();
     for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {
         if (FetchUtils::isSimpleHeader(it->key, it->value))
             m_simpleRequestHeaders.add(it->key, it->value);
     }
 
+    // If the fetch request will be handled by the ServiceWorker, the
+    // FetchRequestMode of the request must be FetchRequestModeCORS or
+    // FetchRequestModeCORSWithForcedPreflight. Otherwise the ServiceWorker can
+    // return a opaque response which is from the other origin site and the
+    // script in the page can read the content.
+    if (m_async && !request.skipServiceWorker() && m_document.fetcher()->isControlledByServiceWorker()) {
+        if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
+            m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are not supported."));
+            return;
+        }
+        ResourceRequest newRequest(request);
+        // FetchRequestMode should be set by the caller. But the expected value
+        // of FetchRequestMode is not speced yet except for XHR. So we set here.
+        // FIXME: When we support fetch API in document, this value should not
+        // be overridden here.
+        if (options.preflightPolicy == ForcePreflight)
+            newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORSWithForcedPreflight);
+        else
+            newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
+
+        m_fallbackRequestForServiceWorker = adoptPtr(new ResourceRequest(request));
+        m_fallbackRequestForServiceWorker->setSkipServiceWorker(true);
+
+        loadRequest(newRequest, m_resourceLoaderOptions);
+        return;
+    }
+
     if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
         loadRequest(request, m_resourceLoaderOptions);
         return;
     }
 
     if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
         m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are not supported."));
         return;
     }
 
@@ skipping 243 matching lines @@
 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const ResourceResponse& response)
 {
     ASSERT(m_client);
 
     if (m_actualRequest) {
         notifyResponseReceived(identifier, response);
         handlePreflightResponse(response);
         return;
     }
 
-    // If the response is fetched via ServiceWorker, the original URL of the response could be different from the URL of the request.
-    bool isCrossOriginResponse = false;
     if (response.wasFetchedViaServiceWorker()) {
-        if (!isAllowedByPolicy(response.url())) {
-            notifyResponseReceived(identifier, response);
-            m_client->didFailRedirectCheck();
+        if (response.wasFallbackRequiredByServiceWorker()) {
+            ASSERT(m_fallbackRequestForServiceWorker);
+            loadFallbackRequestForServiceWorker();
             return;
         }
-        isCrossOriginResponse = !securityOrigin()->canRequest(response.url());
-        if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests && isCrossOriginResponse) {
-            notifyResponseReceived(identifier, response);
-            m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Cross origin requests are not supported."));
-            return;
-        }
-        if (isCrossOriginResponse && m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequestCredentials) {
-            // Since the request is no longer same-origin, if the user didn't request credentials in
-            // the first place, update our state so we neither request them nor expect they must be allowed.
-            m_forceDoNotAllowStoredCredentials = true;
-        }
-    } else {
-        isCrossOriginResponse = !m_sameOriginRequest;
+        m_fallbackRequestForServiceWorker = nullptr;
+        m_client->didReceiveResponse(identifier, response);
+        return;
     }
-    if (isCrossOriginResponse && m_options.crossOriginRequestPolicy == UseAccessControl) {
+
+    if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
         String accessControlErrorDescription;
         if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
             notifyResponseReceived(identifier, response);
             m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
             return;
         }
     }
 
     m_client->didReceiveResponse(identifier, response);
 }
 
 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data, unsigned dataLength)
 {
     ASSERT_UNUSED(resource, resource == this->resource());
     handleReceivedData(data, dataLength);
 }
 
 void DocumentThreadableLoader::handleReceivedData(const char* data, unsigned dataLength)
 {
     ASSERT(m_client);
     // Preflight data should be invisible to clients.
-    if (!m_actualRequest)
+    if (!m_actualRequest && !m_fallbackRequestForServiceWorker)
         m_client->didReceiveData(data, dataLength);
 }
 
 void DocumentThreadableLoader::notifyFinished(Resource* resource)
 {
     ASSERT(m_client);
     ASSERT(resource == this->resource());
 
     m_timeoutTimer.stop();
 
@@ skipping 21 matching lines @@
     ASSERT_UNUSED(timer, timer == &m_timeoutTimer);
 
     // Using values from net/base/net_error_list.h ERR_TIMED_OUT,
     // Same as existing FIXME above - this error should be coming from FrameLoaderClient to be identifiable.
     static const int timeoutError = -7;
     ResourceError error("net", timeoutError, resource()->url(), String());
     error.setIsTimeout(true);
     cancelWithError(error);
 }
 
+void DocumentThreadableLoader::loadFallbackRequestForServiceWorker()
+{
+    clearResource();
+    OwnPtr<ResourceRequest> fallbackRequest(m_fallbackRequestForServiceWorker.release());
+    if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
+        loadRequest(*fallbackRequest, m_resourceLoaderOptions);
+        return;
+    }
+    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
+    makeCrossOriginAccessRequest(*fallbackRequest);
+}
+
 void DocumentThreadableLoader::loadActualRequest()
 {
     OwnPtr<ResourceRequest> actualRequest;
     actualRequest.swap(m_actualRequest);
     OwnPtr<ResourceLoaderOptions> actualOptions;
     actualOptions.swap(m_actualOptions);
 
     actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString());
 
     clearResource();
@@ skipping 106 matching lines @@
         return DoNotAllowStoredCredentials;
     return m_resourceLoaderOptions.allowCredentials;
 }
 
 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
 {
     return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin();
 }
 
 } // namespace blink