Source/core/fetch/ResourceFetcher.cpp - Issue 901903003: CSP: Adding the 'upgrade-insecure-requests' directive.

Side by Side Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 901903003: CSP: Adding the 'upgrade-insecure-requests' directive. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)	2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)

3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)	3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)

4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)	4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)

5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.	5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.

6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/	6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/

7	7

8 This library is free software; you can redistribute it and/or	8 This library is free software; you can redistribute it and/or

9 modify it under the terms of the GNU Library General Public	9 modify it under the terms of the GNU Library General Public

10 License as published by the Free Software Foundation; either	10 License as published by the Free Software Foundation; either

(...skipping 48 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
59 #include "core/loader/PingLoader.h"	59 #include "core/loader/PingLoader.h"

60 #include "core/loader/SubstituteData.h"	60 #include "core/loader/SubstituteData.h"

61 #include "core/loader/UniqueIdentifier.h"	61 #include "core/loader/UniqueIdentifier.h"

62 #include "core/loader/appcache/ApplicationCacheHost.h"	62 #include "core/loader/appcache/ApplicationCacheHost.h"

63 #include "core/timing/Performance.h"	63 #include "core/timing/Performance.h"

64 #include "core/timing/ResourceTimingInfo.h"	64 #include "core/timing/ResourceTimingInfo.h"

65 #include "core/svg/graphics/SVGImageChromeClient.h"	65 #include "core/svg/graphics/SVGImageChromeClient.h"

66 #include "platform/Logging.h"	66 #include "platform/Logging.h"

67 #include "platform/RuntimeEnabledFeatures.h"	67 #include "platform/RuntimeEnabledFeatures.h"

68 #include "platform/TraceEvent.h"	68 #include "platform/TraceEvent.h"

	69 #include "platform/weborigin/KnownPorts.h"

69 #include "platform/weborigin/SchemeRegistry.h"	70 #include "platform/weborigin/SchemeRegistry.h"

70 #include "platform/weborigin/SecurityOrigin.h"	71 #include "platform/weborigin/SecurityOrigin.h"

71 #include "platform/weborigin/SecurityPolicy.h"	72 #include "platform/weborigin/SecurityPolicy.h"

72 #include "public/platform/Platform.h"	73 #include "public/platform/Platform.h"

73 #include "public/platform/WebURL.h"	74 #include "public/platform/WebURL.h"

74 #include "public/platform/WebURLRequest.h"	75 #include "public/platform/WebURLRequest.h"

75 #include "wtf/text/CString.h"	76 #include "wtf/text/CString.h"

76 #include "wtf/text/WTFString.h"	77 #include "wtf/text/WTFString.h"

77	78

78 #define PRELOAD_DEBUG 0	79 #define PRELOAD_DEBUG 0

(...skipping 631 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
710 }	711 }

711	712

712 ResourcePtr<Resource> ResourceFetcher::requestResource(Resource::Type type, Fetc hRequest& request)	713 ResourcePtr<Resource> ResourceFetcher::requestResource(Resource::Type type, Fetc hRequest& request)

713 {	714 {

714 ASSERT(request.options().synchronousPolicy == RequestAsynchronously \|\| type == Resource::Raw);	715 ASSERT(request.options().synchronousPolicy == RequestAsynchronously \|\| type == Resource::Raw);

715	716

716 TRACE_EVENT0("blink", "ResourceFetcher::requestResource");	717 TRACE_EVENT0("blink", "ResourceFetcher::requestResource");

717	718

718 KURL url = request.resourceRequest().url();	719 KURL url = request.resourceRequest().url();

719	720

	721 if (m_document && m_document->insecureContentPolicy() == SecurityContext::In secureContentUpgrade && url.protocol() == "http") {

	722 url.setProtocol("https");

	723 // FIXME: HACKY HACKY HACKY HACKY.

	724 if (url.port() == 8000 \|\| url.port() == 8080)

	725 url.setPort(8443);
	Mike West 2015/02/05 12:35:01 :( I think we need some sort of platform API that :( I think we need some sort of platform API that allows the embedder to give us the default port (which we can override in layouttests), rather than relying on KnownPorts.h in Blink. WDYT of that approach?
	726 else if (url.port() == 80)

	727 url.setPort(443);
	Yoav Weiss 2015/02/05 13:25:36 What happens if the port is neither one of those? What happens if the port is neither one of those? Do we send https traffic on the same original port and hope for the best? Mike West 2015/02/05 13:39:34 Yup. Same as HSTS. See the comment I just added to Show quoted text On 2015/02/05 at 13:25:36, Yoav Weiss wrote: > What happens if the port is neither one of those? Do we send https traffic on the same original port and hope for the best? Yup. Same as HSTS. See the comment I just added to the spec in step 8 of https://w3c.github.io/webappsec/specs/upgrade/#upgrade-request.
	728 request.mutableResourceRequest().setURL(url);

	729 }

	730

720 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s ', priority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), req uest.charset().latin1().data(), request.priority(), request.forPreload(), Resour ceTypeName(type));	731 WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource '%s', charset '%s ', priority=%d, forPreload=%u, type=%s", url.elidedString().latin1().data(), req uest.charset().latin1().data(), request.priority(), request.forPreload(), Resour ceTypeName(type));

721	732

722 // If only the fragment identifiers differ, it is the same resource.	733 // If only the fragment identifiers differ, it is the same resource.

723 url = MemoryCache::removeFragmentIdentifierIfNeeded(url);	734 url = MemoryCache::removeFragmentIdentifierIfNeeded(url);

724	735

725 if (!url.isValid())	736 if (!url.isValid())

726 return nullptr;	737 return nullptr;

727	738

728 if (!canRequest(type, request.resourceRequest(), url, request.options(), req uest.forPreload(), request.originRestriction()))	739 if (!canRequest(type, request.resourceRequest(), url, request.options(), req uest.forPreload(), request.originRestriction()))

729 return nullptr;	740 return nullptr;

(...skipping 849 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1579	1590

1580 void ResourceFetcher::trace(Visitor* visitor)	1591 void ResourceFetcher::trace(Visitor* visitor)

1581 {	1592 {

1582 visitor->trace(m_document);	1593 visitor->trace(m_document);

1583 visitor->trace(m_loaders);	1594 visitor->trace(m_loaders);

1584 visitor->trace(m_nonBlockingLoaders);	1595 visitor->trace(m_nonBlockingLoaders);

1585 ResourceLoaderHost::trace(visitor);	1596 ResourceLoaderHost::trace(visitor);

1586 }	1597 }

1587	1598

1588 }	1599 }

OLD	NEW

« Source/core/dom/SecurityContext.h ('K') | « Source/core/dom/SecurityContext.cpp ('k') | Source/core/frame/csp/CSPDirectiveList.h » ('j') | Source/core/frame/csp/CSPDirectiveList.cpp » ('J')