
Side by Side Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase on ToT Created 5 years, 9 months ago
1 /* 1 /*
2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de) 2 Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org) 3 Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org) 4 Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/ 6 Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
7 7
8 This library is free software; you can redistribute it and/or 8 This library is free software; you can redistribute it and/or
9 modify it under the terms of the GNU Library General Public 9 modify it under the terms of the GNU Library General Public
10 License as published by the Free Software Foundation; either 10 License as published by the Free Software Foundation; either
(...skipping 564 matching lines...)
575 // FIXME: Deal with RemoteFrames. 575 // FIXME: Deal with RemoteFrames.
576 if (frame()->tree().parent()->isLocalFrame()) 576 if (frame()->tree().parent()->isLocalFrame())
577 effectiveFrame = toLocalFrame(frame()->tree().parent()); 577 effectiveFrame = toLocalFrame(frame()->tree().parent());
578 } 578 }
579 579
580 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? 580 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ?
581 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; 581 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport;
582 return !MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceReques t, url, mixedContentReporting); 582 return !MixedContentChecker::shouldBlockFetch(effectiveFrame, resourceReques t, url, mixedContentReporting);
583 } 583 }
584 584
585 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url) const 585 bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sour ceOrigin, const KURL& url, AccessControlLoggingDecision logErrorsDecision) const
586 { 586 {
587 // Redirects can change the response URL different from one of request. 587 // Redirects can change the response URL different from one of request.
588 if (!canRequest(resource->type(), resource->resourceRequest(), url, resource ->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrict ionForType)) 588 if (!canRequest(resource->type(), resource->resourceRequest(), url, resource ->options(), resource->isUnusedPreload(), FetchRequest::UseDefaultOriginRestrict ionForType))
589 return false; 589 return false;
590 590
591 if (!sourceOrigin && document()) 591 if (!sourceOrigin && document())
592 sourceOrigin = document()->securityOrigin(); 592 sourceOrigin = document()->securityOrigin();
593 593
594 if (sourceOrigin->canRequest(url)) 594 if (sourceOrigin->canRequest(url))
595 return true; 595 return true;
596 596
597 String errorDescription; 597 String errorDescription;
598 if (!resource->passesAccessControlCheck(document(), sourceOrigin, errorDescr iption)) { 598 if (!resource->passesAccessControlCheck(document(), sourceOrigin, errorDescr iption)) {
599 if (resource->type() == Resource::Font) 599 if (resource->type() == Resource::Font)
600 toFontResource(resource)->setCORSFailed(); 600 toFontResource(resource)->setCORSFailed();
601 if (frame() && frame()->document()) { 601 if ((logErrorsDecision == ShouldLogAccessControlErrors) && frame() && fr ame()->document()) {
602 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo); 602 String resourceType = Resource::resourceTypeToString(resource->type( ), resource->options().initiatorInfo);
603 frame()->document()->addConsoleMessage(ConsoleMessage::create(JSMess ageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin:: create(url)->toString() + "' has been blocked from loading by Cross-Origin Resou rce Sharing policy: " + errorDescription)); 603 frame()->document()->addConsoleMessage(ConsoleMessage::create(JSMess ageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin:: create(url)->toString() + "' has been blocked from loading by Cross-Origin Resou rce Sharing policy: " + errorDescription));
604 } 604 }
605 return false; 605 return false;
606 } 606 }
607 return true; 607 return true;
608 } 608 }
609 609
610 bool ResourceFetcher::isControlledByServiceWorker() const 610 bool ResourceFetcher::isControlledByServiceWorker() const
611 { 611 {
(...skipping 1025 matching lines...)
1637 ResourceLoaderHost::trace(visitor); 1637 ResourceLoaderHost::trace(visitor);
1638 } 1638 }
1639 1639
1640 ResourceFetcher* ResourceFetcher::toResourceFetcher(ResourceLoaderHost* host) 1640 ResourceFetcher* ResourceFetcher::toResourceFetcher(ResourceLoaderHost* host)
1641 { 1641 {
1642 ASSERT(host->objectType() == ResourceLoaderHost::ResourceFetcherType); 1642 ASSERT(host->objectType() == ResourceLoaderHost::ResourceFetcherType);
1643 return static_cast<ResourceFetcher*>(host); 1643 return static_cast<ResourceFetcher*>(host);
1644 } 1644 }
1645 1645
1646 } 1646 }
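Review bot: The new `logErrorsDecision` argument of `canAccessResource` (new line 585) gates only the console message at new line 601, so a caller that passes the non-logging value still gets side effects: `setCORSFailed()` is still called on a font resource at line 600, and `canRequest()` at line 588 runs before the flag is read and may do its own reporting (lines 580-582 select `SendReport` for non-preloads, if they are on that path; the body of `canRequest` is not visible here). If the flag exists so that the SRI eligibility check named in the issue title can query access silently, the parameter should say so, e.g. `// logErrorsDecision only suppresses the CORS console message; canRequest() reporting and setCORSFailed() are unaffected.` Separately, line 594 dereferences `sourceOrigin` even when both the argument and `document()` are null. That is unchanged code, but a guard such as `if (!sourceOrigin) return false;` before it would make the function fail closed for any new caller that uses the result as a security decision.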