Chromium Code Reviews Chromium Code Reviews
Issue 954233003:
Enable SRI only for same origin and CORS content. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) | 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) |
| 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) | 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) |
| 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) | 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) |
| 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. | 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. |
| 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ | 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ |
| 7 | 7 |
| 8 This library is free software; you can redistribute it and/or | 8 This library is free software; you can redistribute it and/or |
| 9 modify it under the terms of the GNU Library General Public | 9 modify it under the terms of the GNU Library General Public |
| 10 License as published by the Free Software Foundation; either | 10 License as published by the Free Software Foundation; either |
| (...skipping 584 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 595 // FIXME: Deal with RemoteFrames. | 595 // FIXME: Deal with RemoteFrames. |
| 596 if (frame()->tree().parent()->isLocalFrame()) | 596 if (frame()->tree().parent()->isLocalFrame()) |
| 597 effectiveFrame = toLocalFrame(frame()->tree().parent()); | 597 effectiveFrame = toLocalFrame(frame()->tree().parent()); |
| 598 } | 598 } |
| 599 | 599 |
| 600 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? | 600 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? |
| 601 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; | 601 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; |
| 602 return !MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceReques t, url, mixedContentReporting); | 602 return !MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceReques t, url, mixedContentReporting); |
| 603 } | 603 } |
| 604 | 604 |
| 605 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url) const | 605 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url, bool logErrors) const |
|
Mike West
2015/02/26 08:44:53
I'd prefer to replace this boolean with an enum so
jww
2015/03/06 02:16:42
Done.
| |
| 606 { | 606 { |
| 607 // Redirects can change the response URL different from one of request. | 607 // Redirects can change the response URL different from one of request. |
| 608 if (!canRequest(resource->type(), resource->resourceRequest(), url, resource ->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrict ionForType)) | 608 if (!canRequest(resource->type(), resource->resourceRequest(), url, resource ->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrict ionForType)) |
| 609 return false; | 609 return false; |
| 610 | 610 |
| 611 if (!sourceOrigin && document()) | 611 if (!sourceOrigin && document()) |
| 612 sourceOrigin = document()->securityOrigin(); | 612 sourceOrigin = document()->securityOrigin(); |
| 613 | 613 |
| 614 if (sourceOrigin->canRequest(url)) | 614 if (sourceOrigin->canRequest(url)) |
| 615 return true; | 615 return true; |
| 616 | 616 |
| 617 String errorDescription; | 617 String errorDescription; |
| 618 if (!resource->passesAccessControlCheck(document(), sourceOrigin, errorDescr iption)) { | 618 if (!resource->passesAccessControlCheck(document(), sourceOrigin, errorDescr iption)) { |
| 619 if (resource->type() == Resource::Font) | 619 if (resource->type() == Resource::Font) |
| 620 toFontResource(resource)->setCORSFailed(); | 620 toFontResource(resource)->setCORSFailed(); |
| 621 if (frame() && frame()->document()) { | 621 if (resource->type() == Resource::CSSStyleSheet) |
| 622 toCSSStyleSheetResource(resource)->setCORSNeededAndFailed(); | |
|
Mike West
2015/02/26 08:44:53
It seems strange to set this as a side-effect of a
jww
2015/03/06 02:16:42
Done.
| |
| 623 if (frame() && frame()->document() && logErrors) { | |
| 622 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo); | 624 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo); |
| 623 frame()->document()->addConsoleMessage(ConsoleMessage::create(JSMess ageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin:: create(url)->toString() + "' has been blocked from loading by Cross-Origin Resou rce Sharing policy: " + errorDescription)); | 625 frame()->document()->addConsoleMessage(ConsoleMessage::create(JSMess ageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin:: create(url)->toString() + "' has been blocked from loading by Cross-Origin Resou rce Sharing policy: " + errorDescription)); |
| 624 } | 626 } |
| 625 return false; | 627 return false; |
| 626 } | 628 } |
| 627 return true; | 629 return true; |
| 628 } | 630 } |
| 629 | 631 |
| 630 bool ResourceFetcher::isControlledByServiceWorker() const | 632 bool ResourceFetcher::isControlledByServiceWorker() const |
| 631 { | 633 { |
| (...skipping 886 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1518 return false; | 1520 return false; |
| 1519 if (options.corsEnabled == IsCORSEnabled) { | 1521 if (options.corsEnabled == IsCORSEnabled) { |
| 1520 SecurityOrigin* sourceOrigin = options.securityOrigin.get(); | 1522 SecurityOrigin* sourceOrigin = options.securityOrigin.get(); |
| 1521 if (!sourceOrigin && document()) | 1523 if (!sourceOrigin && document()) |
| 1522 sourceOrigin = document()->securityOrigin(); | 1524 sourceOrigin = document()->securityOrigin(); |
| 1523 | 1525 |
| 1524 String errorMessage; | 1526 String errorMessage; |
| 1525 if (!CrossOriginAccessControl::handleRedirect(document(), resource, sour ceOrigin, request, redirectResponse, options, errorMessage)) { | 1527 if (!CrossOriginAccessControl::handleRedirect(document(), resource, sour ceOrigin, request, redirectResponse, options, errorMessage)) { |
| 1526 if (resource->type() == Resource::Font) | 1528 if (resource->type() == Resource::Font) |
| 1527 toFontResource(resource)->setCORSFailed(); | 1529 toFontResource(resource)->setCORSFailed(); |
| 1530 if (resource->type() == Resource::CSSStyleSheet) | |
| 1531 toCSSStyleSheetResource(resource)->setCORSNeededAndFailed(); | |
| 1528 if (frame() && frame()->document()) | 1532 if (frame() && frame()->document()) |
| 1529 frame()->document()->addConsoleMessage(ConsoleMessage::create(JS MessageSource, ErrorMessageLevel, errorMessage)); | 1533 frame()->document()->addConsoleMessage(ConsoleMessage::create(JS MessageSource, ErrorMessageLevel, errorMessage)); |
| 1530 return false; | 1534 return false; |
| 1531 } | 1535 } |
| 1532 } | 1536 } |
| 1533 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url( ))) | 1537 if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url( ))) |
| 1534 return false; | 1538 return false; |
| 1535 return true; | 1539 return true; |
| 1536 } | 1540 } |
| 1537 | 1541 |
| (...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1652 ResourceLoaderHost::trace(visitor); | 1656 ResourceLoaderHost::trace(visitor); |
| 1653 } | 1657 } |
| 1654 | 1658 |
| 1655 ResourceFetcher* ResourceFetcher::toResourceFetcher(ResourceLoaderHost* host) | 1659 ResourceFetcher* ResourceFetcher::toResourceFetcher(ResourceLoaderHost* host) |
| 1656 { | 1660 { |
| 1657 ASSERT(host->objectType() == ResourceLoaderHost::ResourceFetcherType); | 1661 ASSERT(host->objectType() == ResourceLoaderHost::ResourceFetcherType); |
| 1658 return static_cast<ResourceFetcher*>(host); | 1662 return static_cast<ResourceFetcher*>(host); |
| 1659 } | 1663 } |
| 1660 | 1664 |
| 1661 } | 1665 } |
| OLD | NEW |
