void FetchManager::Loader::start() { // "1. If |request|'s url contains a Known HSTS Host, modify it per the // requirements of the 'URI [sic] Loading and Port Mapping' chapter of HTTP // Strict Transport Security." // FIXME: Implement this. // "2. If |request|'s referrer is not none, set |request|'s referrer to the // result of invoking determine |request|'s referrer." // We set the referrer using workerGlobalScope's URL in // WorkerThreadableLoader. // "3. If |request|'s synchronous flag is unset and fetch is not invoked // recursively, run the remaining steps asynchronously." // We don't support synchronous flag. // "4. Let response be the value corresponding to the first matching // statement:" // "- should fetching |request| be blocked as mixed content returns blocked" // We do mixed content checking in ResourceFetcher. // "- should fetching |request| be blocked as content security returns // blocked" if (!ContentSecurityPolicy::shouldBypassMainWorld(executionContext()) && !executionContext()->contentSecurityPolicy()->allowConnectToSource(m_request->url())) { // "A network error." performNetworkError("Refused to connect to '" + m_request->url().elidedString() + "' because it violates the document's Content Security Policy."); return; } // "- |request|'s url's origin is |request|'s origin and the |CORS flag| is // unset" // "- |request|'s url's scheme is 'data' and |request|'s same-origin data // URL flag is set" // "- |request|'s url's scheme is 'about'" // Note we don't support to call this method with |CORS flag|. if ((SecurityOrigin::create(m_request->url())->isSameSchemeHostPort(m_request->origin().get())) || (m_request->url().protocolIsData() && m_request->sameOriginDataURLFlag()) || (m_request->url().protocolIsAbout())) { // "The result of performing a basic fetch using request." performBasicFetch(); return; } // "- |request|'s mode is |same-origin|" if (m_request->mode() == WebURLRequest::FetchRequestModeSameOrigin) { // "A network error." performNetworkError("Fetch API cannot load " + m_request->url().string() + ". Request mode is \"same-origin\" but the URL\'s origin is not same as the request origin " + m_request->origin()->toString() + "."); return; } // "- |request|'s mode is |no CORS|" if (m_request->mode() == WebURLRequest::FetchRequestModeNoCORS) { // "Set |request|'s response tainting to |opaque|." m_request->setResponseTainting(FetchRequestData::OpaqueTainting); // "The result of performing a basic fetch using |request|." performBasicFetch(); return; } // "- |request|'s url's scheme is not one of 'http' and 'https'" if (!m_request->url().protocolIsInHTTPFamily()) { // "A network error." performNetworkError("Fetch API cannot load " + m_request->url().string() + ". URL scheme must be \"http\" or \"https\" for CORS request."); return; } // "- |request|'s mode is |CORS-with-forced-preflight|. // "- |request|'s unsafe request flag is set and either |request|'s method // is not a simple method or a header in |request|'s header list is not a // simple header" if (m_request->mode() == WebURLRequest::FetchRequestModeCORSWithForcedPreflight || (m_request->unsafeRequestFlag() && (!FetchUtils::isSimpleMethod(m_request->method()) || m_request->headerList()->containsNonSimpleHeader()))) { // "Set |request|'s response tainting to |CORS|." m_request->setResponseTainting(FetchRequestData::CORSTainting); // "The result of performing an HTTP fetch using |request| with the // |CORS flag| and |CORS preflight flag| set." performHTTPFetch(true, true); return; } // "- Otherwise // Set |request|'s response tainting to |CORS|." m_request->setResponseTainting(FetchRequestData::CORSTainting); // "The result of performing an HTTP fetch using |request| with the // |CORS flag| set." performHTTPFetch(true, false); }
void FetchManager::Loader::start() { // "1. If |request|'s url contains a Known HSTS Host, modify it per the // requirements of the 'URI [sic] Loading and Port Mapping' chapter of HTTP // Strict Transport Security." // FIXME: Implement this. // "2. If |request|'s referrer is not none, set |request|'s referrer to the // result of invoking determine |request|'s referrer." // We set the referrer using workerGlobalScope's URL in // WorkerThreadableLoader. // "3. If |request|'s synchronous flag is unset and fetch is not invoked // recursively, run the remaining steps asynchronously." // We don't support synchronous flag. // "4. Let response be the value corresponding to the first matching // statement:" // "- should fetching |request| be blocked as mixed content returns blocked // - should fetching |request| be blocked as content security returns // blocked // A network error." // We do mixed content checking and CSP checking in ResourceFetcher. // "- |request|'s url's origin is |request|'s origin and the |CORS flag| is // unset" // "- |request|'s url's scheme is 'data' and |request|'s same-origin data // URL flag is set" // "- |request|'s url's scheme is 'about'" if ((SecurityOrigin::create(m_request->url())->isSameSchemeHostPort(m_request->origin().get()) && !m_corsFlag) || (m_request->url().protocolIsData() && m_request->sameOriginDataURLFlag()) || (m_request->url().protocolIsAbout())) { // "The result of performing a basic fetch using request." performBasicFetch(); return; } // "- |request|'s mode is |same-origin|" if (m_request->mode() == FetchRequestData::SameOriginMode) { // "A network error." performNetworkError(); return; } // "- |request|'s mode is |no CORS|" if (m_request->mode() == FetchRequestData::NoCORSMode) { // "Set |request|'s response tainting to |opaque|." m_request->setResponseTainting(FetchRequestData::OpaqueTainting); // "The result of performing a basic fetch using |request|." performBasicFetch(); return; } // "- |request|'s url's scheme is not one of 'http' and 'https'" if (!m_request->url().protocolIsInHTTPFamily()) { // "A network error." performNetworkError(); return; } // "- |request|'s mode is |CORS-with-forced-preflight|. // "- |request|'s unsafe request flag is set and either |request|'s method // is not a simple method or a header in |request|'s header list is not a // simple header" if (m_request->mode() == FetchRequestData::CORSWithForcedPreflight || (m_request->unsafeRequestFlag() && (!FetchUtils::isSimpleMethod(m_request->method()) || m_request->headerList()->containsNonSimpleHeader()))) { // "Set |request|'s response tainting to |CORS|." m_request->setResponseTainting(FetchRequestData::CORSTainting); // "The result of performing an HTTP fetch using |request| with the // |CORS flag| and |CORS preflight flag| set." m_corsFlag = true; m_corsPreflightFlag = true; performHTTPFetch(); return; } // "- Otherwise // Set |request|'s response tainting to |CORS|." m_request->setResponseTainting(FetchRequestData::CORSTainting); // "The result of performing an HTTP fetch using |request| with the // |CORS flag| set." m_corsFlag = true; m_corsPreflightFlag = false; performHTTPFetch(); }