void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
{
internalAbort();
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (!async && scriptExecutionContext()->isDocument() && url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set.");
ec = INVALID_ACCESS_ERR;
return;
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
{
internalAbort();
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_responseTypeCode = ResponseTypeDefault;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
{
internalAbort();
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
bool shouldBypassMainWorldContentSecurityPolicy = false;
if (scriptExecutionContext()->isDocument()) {
Document* document = static_cast<Document*>(scriptExecutionContext());
shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy();
}
if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
if (!async && scriptExecutionContext()->isDocument()) {
if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests are disabled for this page.");
ec = INVALID_ACCESS_ERR;
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set.");
ec = INVALID_ACCESS_ERR;
return;
}
#if ENABLE(XHR_TIMEOUT)
// Similarly, timeouts are disabled for synchronous requests as well.
if (m_timeoutMilliseconds > 0) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests must not have a timeout value set.");
ec = INVALID_ACCESS_ERR;
return;
}
#endif
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
void XMLHttpRequest::open(const String& method, const URL& url, bool async, ExceptionCode& ec)
{
if (!internalAbort())
return;
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_sendFlag = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
if (!async && scriptExecutionContext()->isDocument()) {
if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests are disabled for this page.");
ec = INVALID_ACCESS_ERR;
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (url.protocolIsInHTTPFamily() && m_responseType != ResponseType::EmptyString) {
logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set.");
ec = INVALID_ACCESS_ERR;
return;
}
// Similarly, timeouts are disabled for synchronous requests as well.
if (m_timeoutMilliseconds > 0) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests must not have a timeout value set.");
ec = INVALID_ACCESS_ERR;
return;
}
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
scriptExecutionContext()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
void XMLHttpRequest::open(const AtomicString& method, const KURL& url, bool async, ExceptionState& exceptionState)
{
WTF_LOG(Network, "XMLHttpRequest %p open('%s', '%s', %d)", this, method.string().utf8().data(), url.elidedString().utf8().data(), async);
if (!internalAbort())
return;
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
exceptionState.throwDOMException(SyntaxError, "'" + method + "' is not a valid HTTP method.");
return;
}
if (!isAllowedHTTPMethod(method)) {
exceptionState.throwSecurityError("'" + method + "' HTTP method is unsupported.");
return;
}
if (!ContentSecurityPolicy::shouldBypassMainWorld(executionContext()) && !executionContext()->contentSecurityPolicy()->allowConnectToSource(url)) {
// We can safely expose the URL to JavaScript, as these checks happen synchronously before redirection. JavaScript receives no new information.
exceptionState.throwSecurityError("Refused to connect to '" + url.elidedString() + "' because it violates the document's Content Security Policy.");
return;
}
if (!async && executionContext()->isDocument()) {
if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests are disabled for this page.");
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous HTTP requests from a document must not set a response type.");
return;
}
// Similarly, timeouts are disabled for synchronous requests as well.
if (m_timeoutMilliseconds > 0) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests must not set a timeout.");
return;
}
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}