// Builds a SubresourceLoader for |request| on behalf of |frame| and starts it.
//
// Returns 0 (a null PassRefPtr) when:
//   - |frame| is null;
//   - |securityCheck| is DoSecurityCheck and the frame loader is in the
//     provisional state, has no active document loader, or that loader is
//     stopping;
//   - |securityCheck| is DoSecurityCheck and the document's security origin
//     may not display the request URL (the failure is reported through
//     FrameLoader::reportLocalLoadFailed);
//   - load() on the new loader fails.
//
// Any other |securityCheck| value skips both the loader-state check and the
// canDisplay() check, so the caller is responsible for the request URL.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();
    const bool enforceSecurityChecks = securityCheck == DoSecurityCheck;

    if (enforceSecurityChecks) {
        if (frameLoader->state() == FrameStateProvisional)
            return 0;
        if (!frameLoader->activeDocumentLoader())
            return 0;
        if (frameLoader->activeDocumentLoader()->isStopping())
            return 0;
    }

    // Work on a copy; the caller's request is never modified.
    ResourceRequest outgoingRequest = request;

    if (enforceSecurityChecks && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }

    // The hide decision is made against the frame loader's outgoing referrer.
    // NOTE(review): a referrer already present on |request| is left in place
    // when this check says "do not hide", although the check never looked at
    // that value - confirm this is intended.
    const bool hideReferrer = SecurityOrigin::shouldHideReferrer(request.url(), frameLoader->outgoingReferrer());
    if (hideReferrer)
        outgoingRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        outgoingRequest.setHTTPReferrer(frameLoader->outgoingReferrer());

    FrameLoader::addHTTPOriginIfNeeded(outgoingRequest, frameLoader->outgoingOrigin());
    frameLoader->addExtraFieldsToSubresourceRequest(outgoingRequest);

    RefPtr<SubresourceLoader> loader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));

    // NOTE(review): documentLoader() is dereferenced without a null check;
    // when the security check is skipped nothing above verified that an
    // active document loader exists - confirm against the constructor.
    loader->documentLoader()->addSubresourceLoader(loader.get());

    if (loader->load(outgoingRequest))
        return loader.release();
    return 0;
}
// Fills in the Referer and Origin headers and the frame loader's extra
// subresource fields on m_resourceRequest.
//
// The referrer already on the request is used as the starting point when
// there is one, and the Origin value is then derived from that referrer
// string. Otherwise both values come from the frame loader. The candidate
// referrer is passed through SecurityPolicy::generateReferrerHeader with the
// document's referrer policy before anything is written.
void CachedResource::addAdditionalRequestHeaders(CachedResourceLoader* cachedResourceLoader)
{
    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.
    FrameLoader* frameLoader = cachedResourceLoader->frame()->loader();

    String referrer;
    String origin;
    const bool requestCarriesReferrer = !m_resourceRequest.httpReferrer().isNull();
    if (requestCarriesReferrer) {
        referrer = m_resourceRequest.httpReferrer();
        origin = SecurityOrigin::createFromString(referrer)->toString();
    } else {
        referrer = frameLoader->outgoingReferrer();
        origin = frameLoader->outgoingOrigin();
    }

    referrer = SecurityPolicy::generateReferrerHeader(cachedResourceLoader->document()->referrerPolicy(), m_resourceRequest.url(), referrer);

    // NOTE(review): the policy-filtered value is written only when the
    // request has no referrer. A referrer that was already on the request is
    // removed when the policy yields an empty string, but is otherwise kept
    // as-is even if generateReferrerHeader returned something different.
    // Confirm this is intended.
    if (referrer.isEmpty())
        m_resourceRequest.clearHTTPReferrer();
    else if (!m_resourceRequest.httpReferrer())
        m_resourceRequest.setHTTPReferrer(referrer);

    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, origin);
    frameLoader->addExtraFieldsToSubresourceRequest(m_resourceRequest);
}
/*!
    \since 4.6
    \property QWebFrame::requestedUrl

    The URL requested to be loaded by the frame currently viewed. The URL may
    differ from the one returned by url() if a DNS resolution or a redirection
    occurs.

    \sa url(), setUrl()
*/
QUrl QWebFrame::requestedUrl() const
{
    // Besides a missing activeDocumentLoader, two edge cases are handled:
    //
    // * The method can be called while an unsuccessful load is being
    //   processed. The frameLoaderClient then holds the current error
    //   (m_loadError), from which the 'failingURL' is recovered.
    // * If that 'failingURL' is a null string, fall back to
    //   'outgoingReferrer' (still safer than originalRequest).
    //
    // NOTE(review): in the second case the value returned is the referrer,
    // not a URL that was requested. Callers that display the result or base
    // decisions on it should confirm that is acceptable.
    FrameLoader* frameLoader = d->frame->loader();
    FrameLoaderClientQt* client = d->frameLoaderClient;

    const bool inactiveOrFailed = !frameLoader->activeDocumentLoader() || !client->m_loadError.isNull();
    if (inactiveOrFailed) {
        if (!client->m_loadError.failingURL().isNull())
            return QUrl(client->m_loadError.failingURL());
        if (!frameLoader->outgoingReferrer().isEmpty())
            return QUrl(frameLoader->outgoingReferrer());
        // Neither fallback is available; use the original request below.
    }

    return frameLoader->originalRequest().url();
}
// Builds a SubresourceLoader for |request| on behalf of |frame| and
// initialises it.
//
// Returns 0 (a null PassRefPtr) when:
//   - |frame| is null;
//   - |securityCheck| is DoSecurityCheck and the frame loader is in the
//     provisional state, has no active document loader, or that loader is
//     stopping;
//   - |securityCheck| is DoSecurityCheck and the document's security origin
//     may not display the request URL (the failure is reported through
//     FrameLoader::reportLocalLoadFailed);
//   - init() on the new loader fails.
//
// Any other |securityCheck| value skips both the loader-state check and the
// canDisplay() check, so the caller is responsible for the request URL.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff, bool shouldBufferData)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();
    const bool enforceSecurityChecks = securityCheck == DoSecurityCheck;

    if (enforceSecurityChecks) {
        if (frameLoader->state() == FrameStateProvisional)
            return 0;
        if (!frameLoader->activeDocumentLoader())
            return 0;
        if (frameLoader->activeDocumentLoader()->isStopping())
            return 0;
    }

    // Work on a copy; the caller's request is never modified.
    ResourceRequest outgoingRequest = request;

    if (enforceSecurityChecks && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    // Prefer the referrer already on the request; the Origin value is then
    // derived from that referrer string. Otherwise use the frame loader's
    // values for both.
    String referrer;
    String origin;
    const bool requestCarriesReferrer = !request.httpReferrer().isNull();
    if (requestCarriesReferrer) {
        referrer = request.httpReferrer();
        origin = SecurityOrigin::createFromString(referrer)->toString();
    } else {
        referrer = frameLoader->outgoingReferrer();
        origin = frameLoader->outgoingOrigin();
    }

    // Drop the referrer when SecurityOrigin says it must be hidden for this
    // URL; otherwise fill it in only if the request did not carry one.
    const bool hideReferrer = SecurityOrigin::shouldHideReferrer(request.url(), referrer);
    if (hideReferrer)
        outgoingRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        outgoingRequest.setHTTPReferrer(referrer);

    FrameLoader::addHTTPOriginIfNeeded(outgoingRequest, origin);
    frameLoader->addExtraFieldsToSubresourceRequest(outgoingRequest);

    RefPtr<SubresourceLoader> loader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));
    loader->setShouldBufferData(shouldBufferData);

    // NOTE(review): documentLoader() is dereferenced without a null check;
    // when the security check is skipped nothing above verified that an
    // active document loader exists - confirm against the constructor.
    loader->documentLoader()->addSubresourceLoader(loader.get());

    if (loader->init(outgoingRequest))
        return loader.release();
    return 0;
}
// Sets the Referer, Origin and User-Agent headers on m_resourceRequest.
//
// The starting referrer is the one already on the request, or the frame
// loader's outgoing referrer when the request has none. It is then reduced
// according to m_options.referrerPolicy; |defaultPolicy| applies only when
// the fetch options carry the empty-string policy. The result always replaces
// whatever referrer the request had: an empty result clears the header.
void CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders(FrameLoader& frameLoader, ReferrerPolicy defaultPolicy)
{
    // Implementing step 7 to 9 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
    String outgoingOrigin;
    String outgoingReferrer = m_resourceRequest.httpReferrer();
    if (outgoingReferrer.isNull()) {
        outgoingReferrer = frameLoader.outgoingReferrer();
        outgoingOrigin = frameLoader.outgoingOrigin();
    } else {
        // The Origin value is derived from the referrer string on the request.
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    // Runs the current candidate referrer through SecurityPolicy for |policy|.
    auto referrerUnderPolicy = [&](ReferrerPolicy policy) {
        return SecurityPolicy::generateReferrerHeader(policy, m_resourceRequest.url(), outgoingReferrer);
    };

    // FIXME: Refactor SecurityPolicy::generateReferrerHeader to align with new terminology used in https://w3c.github.io/webappsec-referrer-policy.
    switch (m_options.referrerPolicy) {
    case FetchOptions::ReferrerPolicy::EmptyString:
        // No policy on the fetch options: use the caller-supplied default.
        outgoingReferrer = referrerUnderPolicy(defaultPolicy);
        break;
    case FetchOptions::ReferrerPolicy::NoReferrerWhenDowngrade:
        outgoingReferrer = referrerUnderPolicy(ReferrerPolicy::Default);
        break;
    case FetchOptions::ReferrerPolicy::NoReferrer:
        outgoingReferrer = String();
        break;
    case FetchOptions::ReferrerPolicy::Origin:
        outgoingReferrer = referrerUnderPolicy(ReferrerPolicy::Origin);
        break;
    case FetchOptions::ReferrerPolicy::OriginWhenCrossOrigin:
        // A request that is not cross-origin keeps the candidate referrer
        // unchanged.
        if (isRequestCrossOrigin(m_origin.get(), m_resourceRequest.url(), m_options))
            outgoingReferrer = referrerUnderPolicy(ReferrerPolicy::Origin);
        break;
    case FetchOptions::ReferrerPolicy::UnsafeUrl:
        // The candidate referrer is sent without any SecurityPolicy filtering.
        break;
    }

    if (outgoingReferrer.isEmpty())
        m_resourceRequest.clearHTTPReferrer();
    else
        m_resourceRequest.setHTTPReferrer(outgoingReferrer);

    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);
    frameLoader.applyUserAgent(m_resourceRequest);
}
// Builds a SubresourceLoader for |resource| / |request| on behalf of |frame|
// and initialises it.
//
// Returns 0 (a null PassRefPtr) when |frame| is null, when
// options.securityCheck is DoSecurityCheck and the frame loader is in the
// provisional state, has no active document loader or that loader is
// stopping, or when init() on the new loader fails.
//
// NOTE(review): this function does not call SecurityOrigin::canDisplay() on
// the request URL; presumably the caller has already done so - confirm.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, CachedResource* resource, const ResourceRequest& request, const ResourceLoaderOptions& options)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();

    if (options.securityCheck == DoSecurityCheck) {
        if (frameLoader->state() == FrameStateProvisional)
            return 0;
        if (!frameLoader->activeDocumentLoader())
            return 0;
        if (frameLoader->activeDocumentLoader()->isStopping())
            return 0;
    }

    // Work on a copy; the caller's request is never modified.
    ResourceRequest outgoingRequest = request;

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    // Prefer the referrer already on the request; the Origin value is then
    // derived from that referrer string. Otherwise use the frame loader's
    // values for both.
    String referrer;
    String origin;
    const bool requestCarriesReferrer = !request.httpReferrer().isNull();
    if (requestCarriesReferrer) {
        referrer = request.httpReferrer();
        origin = SecurityOrigin::createFromString(referrer)->toString();
    } else {
        referrer = frameLoader->outgoingReferrer();
        origin = frameLoader->outgoingOrigin();
    }

    referrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), request.url(), referrer);

    // NOTE(review): the policy-filtered value is written only when the
    // request has no referrer. A referrer that was already on the request is
    // removed when the policy yields an empty string, but is otherwise kept
    // as-is even if generateReferrerHeader returned something different.
    // Confirm this is intended.
    if (referrer.isEmpty())
        outgoingRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        outgoingRequest.setHTTPReferrer(referrer);

    FrameLoader::addHTTPOriginIfNeeded(outgoingRequest, origin);
    frameLoader->addExtraFieldsToSubresourceRequest(outgoingRequest);

    RefPtr<SubresourceLoader> loader(adoptRef(new SubresourceLoader(frame, resource, options)));
    if (loader->init(outgoingRequest))
        return loader.release();
    return 0;
}
// Executes a WML <go> task: resolves the 'href' attribute (after variable
// substitution) against the document, stores the variable state, stops the
// active card's timer, builds a GET or POST request and hands it to the frame
// loader.
//
// Returns without doing anything when the page state, active card, frame or
// frame loader is missing, or when 'href' or the resolved URL is empty.
void WMLGoElement::executeTask()
{
    ASSERT(document()->isWMLDocument());
    WMLDocument* document = static_cast<WMLDocument*>(this->document());

    WMLPageState* pageState = wmlPageStateForDocument(document);
    if (!pageState)
        return;

    WMLCardElement* activeCard = document->activeCard();
    if (!activeCard)
        return;

    Frame* frame = document->frame();
    if (!frame)
        return;

    FrameLoader* frameLoader = frame->loader();
    if (!frameLoader)
        return;

    String hrefValue = getAttribute(HTMLNames::hrefAttr);
    if (hrefValue.isEmpty())
        return;

    // Substitute variables within target url attribute value
    KURL targetURL = document->completeURL(substituteVariableReferences(hrefValue, document, WMLVariableEscapingEscape));
    if (targetURL.isEmpty())
        return;

    storeVariableState(pageState);

    // Stop the timer of the current card if it is active
    WMLTimerElement* cardTimer = activeCard->eventTimer();
    if (cardTimer)
        cardTimer->stop();

    // FIXME: 'newcontext' handling not implemented for external cards
    bool inSameDeck = document->url().path() == targetURL.path();
    if (inSameDeck && targetURL.hasFragmentIdentifier()) {
        WMLCardElement* destinationCard = WMLCardElement::findNamedCardInDocument(document, targetURL.fragmentIdentifier());
        if (destinationCard && destinationCard->isNewContext())
            pageState->reset();
    }

    // Prepare loading the destination url
    ResourceRequest request(targetURL);

    // The referrer is sent only when the element opts in with the exact
    // value "true".
    if (getAttribute(sendrefererAttr) == "true")
        request.setHTTPReferrer(frameLoader->outgoingReferrer());

    String cacheControl = getAttribute(cache_controlAttr);

    const bool isPost = m_formAttributes.method() == FormSubmission::PostMethod;
    if (isPost)
        preparePOSTRequest(request, inSameDeck, cacheControl);
    else
        prepareGETRequest(request, targetURL);

    // Set HTTP cache-control header if needed
    // NOTE(review): the attribute value comes from the document and is copied
    // into the header unchanged; confirm that setHTTPHeaderField (or the
    // network layer) rejects CR/LF in header values.
    if (!cacheControl.isEmpty()) {
        request.setHTTPHeaderField("cache-control", cacheControl);
        if (cacheControl == "no-cache")
            request.setCachePolicy(ReloadIgnoringCacheData);
    }

    frameLoader->load(request, false);
}