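// Decides whether a subresource of the given |type| may be fetched from |url| on
// behalf of this loader's document. Every gate below must pass for the load to
// proceed; the first failing gate returns false and the remaining ones are not
// consulted. In order:
//   1. SecurityOrigin::canDisplay on the document's origin;
//   2. per-type same-origin restrictions (currently only XSL stylesheets);
//   3. the document's Content Security Policy directive for the type, followed
//      by the embedder's FrameLoaderClient hooks for scripts and images;
//   4. the mixed-content (insecure content) check, deliberately last.
//
// |forPreload| only suppresses the local-load-failure report in gate 1; it does
// not relax any of the checks themselves.
//
// Side effects on denial: FrameLoader::reportLocalLoadFailed (gate 1, unless
// preloading), printAccessDeniedMessage (XSL same-origin failure) and
// FrameLoaderClient::didNotAllowScript (embedder-refused script).
bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
{
    // NOTE(review): the first gate reads document() while the later gates read
    // m_document; presumably document() returns m_document — confirm.
    if (!document()->securityOrigin()->canDisplay(url)) {
        if (!forPreload)
            FrameLoader::reportLocalLoadFailed(document()->frame(), url.string());
        LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
        return false;
    }

    // Some types of resources can be loaded only from the same origin.  Other
    // types of resources, like Images, Scripts, and CSS, can be loaded from
    // any URL.
    switch (type) {
    case CachedResource::ImageResource:
    case CachedResource::CSSStyleSheet:
    case CachedResource::Script:
    case CachedResource::FontResource:
    case CachedResource::RawResource:
#if ENABLE(LINK_PREFETCH)
    case CachedResource::LinkPrefetch:
    case CachedResource::LinkPrerender:
    case CachedResource::LinkSubresource:
#endif
#if ENABLE(VIDEO_TRACK)
    case CachedResource::TextTrackResource:
#endif
#if ENABLE(CSS_SHADERS)
    case CachedResource::ShaderResource:
#endif
        // These types of resources can be loaded from any origin.
        // FIXME: Are we sure about CachedResource::FontResource?
        break;
#if ENABLE(XSLT)
    case CachedResource::XSLStyleSheet:
        // XSL is executable against the document, so it is held to the
        // stricter canRequest (same-origin) rule rather than canDisplay.
        if (!m_document->securityOrigin()->canRequest(url)) {
            printAccessDeniedMessage(url);
            return false;
        }
        break;
#endif
    }

    // Content Security Policy, keyed by resource type. Each directive is
    // consulted only for the types it governs; types with no directive
    // (raw resources, link prefetch/prerender/subresource) fall through
    // unchecked here.
    switch (type) {
#if ENABLE(XSLT)
    case CachedResource::XSLStyleSheet:
#endif
    case CachedResource::Script:
        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
            return false;

        // Let the embedder veto the script as well. A missing Settings object
        // is treated as "script enabled" for the purposes of that call.
        if (frame()) {
            Settings* settings = frame()->settings();
            if (!frame()->loader()->client()->allowScriptFromSource(!settings || settings->isScriptEnabled(), url)) {
                frame()->loader()->client()->didNotAllowScript();
                return false;
            }
        }
        break;
#if ENABLE(CSS_SHADERS)
    case CachedResource::ShaderResource:
        // Since shaders are referenced from CSS Styles use the same rules here.
#endif
    case CachedResource::CSSStyleSheet:
        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
            return false;
        break;
    case CachedResource::ImageResource:
        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url))
            return false;

        // Embedder veto for images; a missing Settings object counts as
        // "images enabled".
        if (frame()) {
            Settings* settings = frame()->settings();
            if (!frame()->loader()->client()->allowImage(!settings || settings->areImagesEnabled(), url))
                return false;
        }
        break;
    case CachedResource::FontResource: {
        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url))
            return false;
        break;
    }
    case CachedResource::RawResource:
#if ENABLE(LINK_PREFETCH)
    case CachedResource::LinkPrefetch:
    case CachedResource::LinkPrerender:
    case CachedResource::LinkSubresource:
#endif
        break;
#if ENABLE(VIDEO_TRACK)
    case CachedResource::TextTrackResource:
        // Cues aren't called out in the CPS spec yet, but they only work with a media element
        // so use the media policy.
        if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url))
            return false;
        break;
#endif
    }

    // Last of all, check for insecure content. We do this last so that when
    // folks block insecure content with a CSP policy, they don't get a warning.
    // They'll still get a warning in the console about CSP blocking the load.

    // FIXME: Should we consider forPreload here?
    if (!checkInsecureContent(type, url))
        return false;

    return true;
}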
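// Decides whether a subresource of the given |type| may be fetched from |url| on
// behalf of this loader's document. Every gate below must pass for the load to
// proceed; the first failing gate returns false and the remaining ones are not
// consulted. In order:
//   1. SecurityOrigin::canDisplay on the document's origin;
//   2. per-type same-origin restrictions (currently only XSL stylesheets);
//   3. the mixed-content (insecure content) check;
//   4. the document's Content Security Policy directive for the type.
//
// |forPreload| only suppresses the local-load-failure report in gate 1; it does
// not relax any of the checks themselves.
//
// Side effects on denial: FrameLoader::reportLocalLoadFailed (gate 1, unless
// preloading) and printAccessDeniedMessage (XSL same-origin failure).
bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
{
    // NOTE(review): the first gate reads document() while the later gates read
    // m_document; presumably document() returns m_document — confirm.
    if (!document()->securityOrigin()->canDisplay(url)) {
        if (!forPreload)
            FrameLoader::reportLocalLoadFailed(document()->frame(), url.string());
        LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
        return false;
    }

    // Some types of resources can be loaded only from the same origin.  Other
    // types of resources, like Images, Scripts, and CSS, can be loaded from
    // any URL.
    switch (type) {
    case CachedResource::ImageResource:
    case CachedResource::CSSStyleSheet:
    case CachedResource::Script:
#if ENABLE(SVG)
    case CachedResource::SVGDocumentResource:
#endif
    case CachedResource::FontResource:
#if ENABLE(LINK_PREFETCH)
    case CachedResource::LinkPrefetch:
    case CachedResource::LinkPrerender:
    case CachedResource::LinkSubresource:
#endif
        // These types of resources can be loaded from any origin.
        // FIXME: Are we sure about CachedResource::FontResource?
        break;
#if ENABLE(XSLT)
    case CachedResource::XSLStyleSheet:
        // XSL is executable against the document, so it is held to the
        // stricter canRequest (same-origin) rule rather than canDisplay.
        if (!m_document->securityOrigin()->canRequest(url)) {
            printAccessDeniedMessage(url);
            return false;
        }
        break;
#endif
    }

    // Given that the load is allowed by the same-origin policy, we should
    // check whether the load passes the mixed-content policy.
    //
    // NOTE(review): this runs before the CSP switch below, so whatever
    // diagnostics checkInsecureContent() emits will appear even for loads
    // that CSP would also have rejected — confirm that is intended.
    //
    // FIXME: Should we consider forPreload here?
    if (!checkInsecureContent(type, url))
        return false;

    // FIXME: Consider letting the embedder block mixed content loads.

    // Content Security Policy, keyed by resource type. Each directive is
    // consulted only for the types it governs; link prefetch/prerender/
    // subresource loads have no directive and pass through unchecked here.
    switch (type) {
    case CachedResource::Script:
        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
            return false;
        break;
#if ENABLE(XSLT)
    case CachedResource::XSLStyleSheet:
#endif
    case CachedResource::CSSStyleSheet:
        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
            return false;
        break;
    case CachedResource::ImageResource:
        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url))
            return false;
        break;
#if ENABLE(SVG)
    case CachedResource::SVGDocumentResource:
#endif
    case CachedResource::FontResource: {
        // SVG documents share the font directive here.
        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url))
            return false;
        break;
    }
#if ENABLE(LINK_PREFETCH)
    case CachedResource::LinkPrefetch:
    case CachedResource::LinkPrerender:
    case CachedResource::LinkSubresource:
        break;
#endif
    }

    return true;
}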