void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
{
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
ASSERT(m_client);
ASSERT(!resource());
// Cross-origin requests are only allowed certain registered schemes.
// We would catch this when checking response headers later, but there
// is no reason to send a request, preflighted or not, that's guaranteed
// to be denied.
if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
ThreadableLoaderClient* client = m_client;
clear();
client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are only supported for protocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + "."));
// |this| may be dead here in async mode.
return;
}
// We use isSimpleOrForbiddenRequest() here since |request| may have been
// modified in the process of loading (not from the user's input). For
// example, referrer. We need to accept them. For security, we must reject
// forbidden headers/methods at the point we accept user's input. Not here.
if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
ResourceRequest crossOriginRequest(request);
ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effectiveAllowCredentials());
// We update the credentials mode according to effectiveAllowCredentials() here for backward compatibility. But this is not correct.
// FIXME: We should set it in the caller of DocumentThreadableLoader.
crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() == AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRequest::FetchCredentialsModeOmit);
loadRequest(crossOriginRequest, crossOriginOptions);
} else {
m_crossOriginNonSimpleRequest = true;
ResourceRequest crossOriginRequest(request);
ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
// Do not set the Origin header for preflight requests.
updateRequestForAccessControl(crossOriginRequest, 0, effectiveAllowCredentials());
// We update the credentials mode according to effectiveAllowCredentials() here for backward compatibility. But this is not correct.
// FIXME: We should set it in the caller of DocumentThreadableLoader.
crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() == AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRequest::FetchCredentialsModeOmit);
m_actualRequest = crossOriginRequest;
m_actualOptions = crossOriginOptions;
bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPreflight(m_document);
bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSkipPreflight(securityOrigin()->toString(), m_actualRequest.url(), effectiveAllowCredentials(), m_actualRequest.httpMethod(), m_actualRequest.httpHeaderFields());
if (canSkipPreflight && !shouldForcePreflight) {
loadActualRequest();
} else {
ResourceRequest preflightRequest = createAccessControlPreflightRequest(m_actualRequest, securityOrigin());
// Create a ResourceLoaderOptions for preflight.
ResourceLoaderOptions preflightOptions = m_actualOptions;
preflightOptions.allowCredentials = DoNotAllowStoredCredentials;
loadRequest(preflightRequest, preflightOptions);
}
}
}
ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
{
ResourceRequest preflightRequest(request.url());
updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
preflightRequest.setHTTPMethod("OPTIONS");
preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
preflightRequest.setPriority(request.priority());
const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
if (requestHeaderFields.size() > 0) {
StringBuilder headerBuffer;
HTTPHeaderMap::const_iterator it = requestHeaderFields.begin();
headerBuffer.append(it->first);
++it;
HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
for (; it != end; ++it) {
headerBuffer.append(',');
headerBuffer.append(' ');
headerBuffer.append(it->first);
}
preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", headerBuffer.toString().lower());
}
return preflightRequest;
}
bool ScriptElement::requestScript(const String& sourceUrl)
{
RefPtr<Document> originalDocument = m_element->document();
if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
return false;
if (!m_element->inDocument() || m_element->document() != originalDocument)
return false;
ASSERT(!m_cachedScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
ResourceRequest request = ResourceRequest(m_element->document()->completeURL(sourceUrl));
String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
m_requestUsesAccessControl = true;
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(request, m_element->document()->securityOrigin(), allowCredentials);
}
m_cachedScript = m_element->document()->cachedResourceLoader()->requestScript(request, scriptCharset());
m_isExternalScript = true;
}
if (m_cachedScript) {
return true;
}
dispatchErrorEvent();
return false;
}
ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
{
ResourceRequest preflightRequest(request.url());
updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
preflightRequest.setHTTPMethod("OPTIONS");
preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod());
preflightRequest.setPriority(request.priority());
const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
if (!requestHeaderFields.isEmpty()) {
StringBuilder headerBuffer;
bool appendComma = false;
for (const auto& headerField : requestHeaderFields) {
if (appendComma)
headerBuffer.appendLiteral(", ");
else
appendComma = true;
headerBuffer.append(headerField.key);
}
preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString().lower());
}
return preflightRequest;
}
bool TextTrackLoader::load(const URL& url, const String& crossOriginMode, bool isInitiatingElementInUserAgentShadowTree)
{
cancelLoad();
ASSERT(is<Document>(m_scriptExecutionContext));
Document* document = downcast<Document>(m_scriptExecutionContext);
ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
options.setContentSecurityPolicyImposition(isInitiatingElementInUserAgentShadowTree ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
CachedResourceRequest cueRequest(ResourceRequest(document->completeURL(url)), options);
if (!crossOriginMode.isNull()) {
m_crossOriginMode = crossOriginMode;
StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(cueRequest.mutableResourceRequest(), document->securityOrigin(), allowCredentials);
} else {
// Cross-origin resources that are not suitably CORS-enabled may not load.
if (!document->securityOrigin()->canRequest(url)) {
corsPolicyPreventedLoad();
return false;
}
}
m_resource = document->cachedResourceLoader().requestTextTrack(cueRequest);
if (!m_resource)
return false;
m_resource->addClient(this);
return true;
}
bool ScriptElement::requestScript(const String& sourceUrl)
{
Ref<Document> originalDocument(m_element->document());
if (!m_element->dispatchBeforeLoadEvent(sourceUrl))
return false;
if (!m_element->inDocument() || &m_element->document() != &originalDocument.get())
return false;
if (!m_element->document().contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document().url(), m_startLineNumber, m_element->document().completeURL(sourceUrl)))
return false;
ASSERT(!m_cachedScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
CachedResourceRequest request(ResourceRequest(m_element->document().completeURL(sourceUrl)));
String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
m_requestUsesAccessControl = true;
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(request.mutableResourceRequest(), m_element->document().securityOrigin(), allowCredentials);
}
request.setCharset(scriptCharset());
request.setInitiator(element());
m_cachedScript = m_element->document().cachedResourceLoader()->requestScript(request);
m_isExternalScript = true;
}
if (m_cachedScript) {
return true;
}
dispatchErrorEvent();
return false;
}
bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
{
ASSERT(options().mode != FetchOptions::Mode::SameOrigin);
bool shouldCheckCrossOrigin = options().mode == FetchOptions::Mode::Cors && m_resource->isCrossOrigin();
if (!(m_origin && m_origin->canRequest(newRequest.url())))
m_resource->setCrossOrigin();
if (!shouldCheckCrossOrigin)
return true;
ASSERT(m_origin);
String errorDescription;
bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
|| passesAccessControlCheck(redirectResponse, options().allowCredentials(), *m_origin, errorDescription);
if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
if (m_frame && m_frame->document()) {
String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
(!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials.");
m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
}
return false;
}
// If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
m_origin = SecurityOrigin::createUnique();
cleanRedirectedRequestForAccessControl(newRequest);
updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials());
return true;
}
StyleCachedImage* CSSImageSetValue::bestFitImage(CachedResourceLoader& loader, const ResourceLoaderOptions& options)
{
Document* document = loader.document();
if (Page* page = document->page())
m_scaleFactor = page->deviceScaleFactor();
else
m_scaleFactor = 1;
if (!m_imagesInSet.size())
fillImageSet();
if (!m_accessedBestFitImage) {
// FIXME: In the future, we want to take much more than deviceScaleFactor into acount here.
// All forms of scale should be included: Page::pageScaleFactor(), Frame::pageZoomFactor(),
// and any CSS transforms. https://bugs.webkit.org/show_bug.cgi?id=81698
ImageWithScale image = bestImageForScaleFactor();
CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options);
request.setInitiator(cachedResourceRequestInitiators().css);
if (options.mode == FetchOptions::Mode::Cors) {
ASSERT(document->securityOrigin());
updateRequestForAccessControl(request.mutableResourceRequest(), *document->securityOrigin(), options.allowCredentials);
}
if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) {
detachPendingImage();
m_image = StyleCachedImage::createForImageSet(cachedImage.get(), image.scaleFactor, *this);
m_accessedBestFitImage = true;
}
}
return is<StyleCachedImage>(m_image.get()) ? downcast<StyleCachedImage>(m_image.get()) : nullptr;
}
RefPtr<PlatformMediaResource> MediaResourceLoader::requestResource(const ResourceRequest& request, LoadOptions options)
{
if (!m_document)
return nullptr;
DataBufferingPolicy bufferingPolicy = options & LoadOption::BufferData ? WebCore::BufferData : WebCore::DoNotBufferData;
RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
// FIXME: Skip Content Security Policy check if the element that inititated this request
// is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
if (!m_crossOriginMode.isNull())
updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document->securityOrigin(), allowCredentials);
CachedResourceHandle<CachedRawResource> resource = m_document->cachedResourceLoader().requestMedia(cacheRequest);
if (!resource)
return nullptr;
Ref<MediaResource> mediaResource = MediaResource::create(*this, resource);
m_resources.add(mediaResource.ptr());
return WTFMove(mediaResource);
}
bool TextTrackLoader::load(const KURL& url, const String& crossOriginMode)
{
cancelLoad();
if (!m_client->shouldLoadCues(this))
return false;
ASSERT(m_scriptExecutionContext->isDocument());
Document* document = static_cast<Document*>(m_scriptExecutionContext);
ResourceRequest cueRequest(document->completeURL(url));
if (!crossOriginMode.isNull()) {
m_crossOriginMode = crossOriginMode;
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(cueRequest, document->securityOrigin(), allowCredentials);
} else {
// Cross-origin resources that are not suitably CORS-enabled may not load.
if (!document->securityOrigin()->canRequest(url)) {
corsPolicyPreventedLoad();
return false;
}
}
CachedResourceLoader* cachedResourceLoader = document->cachedResourceLoader();
m_cachedCueData = cachedResourceLoader->requestTextTrack(cueRequest);
if (m_cachedCueData)
m_cachedCueData->addClient(this);
m_client->cueLoadingStarted(this);
return true;
}
void FetchRequest::setCrossOriginAccessControl(
SecurityOrigin* origin,
CrossOriginAttributeValue crossOrigin) {
DCHECK_NE(crossOrigin, CrossOriginAttributeNotSet);
const bool useCredentials = crossOrigin == CrossOriginAttributeUseCredentials;
const bool isSameOriginRequest =
origin && origin->canRequestNoSuborigin(m_resourceRequest.url());
// Currently FetchRequestMode and FetchCredentialsMode are only used when the
// request goes to Service Worker.
m_resourceRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
m_resourceRequest.setFetchCredentialsMode(
useCredentials ? WebURLRequest::FetchCredentialsModeInclude
: WebURLRequest::FetchCredentialsModeSameOrigin);
m_options.allowCredentials = (isSameOriginRequest || useCredentials)
? AllowStoredCredentials
: DoNotAllowStoredCredentials;
m_options.corsEnabled = IsCORSEnabled;
m_options.securityOrigin = origin;
m_options.credentialsRequested = useCredentials
? ClientRequestedCredentials
: ClientDidNotRequestCredentials;
updateRequestForAccessControl(m_resourceRequest, origin,
m_options.allowCredentials);
}
StyleCachedImageSet* CSSImageSetValue::cachedImageSet(CachedResourceLoader* loader, const ResourceLoaderOptions& options)
{
ASSERT(loader);
Document* document = loader->document();
if (Page* page = document->page())
m_scaleFactor = page->deviceScaleFactor();
else
m_scaleFactor = 1;
if (!m_imagesInSet.size())
fillImageSet();
if (!m_accessedBestFitImage) {
// FIXME: In the future, we want to take much more than deviceScaleFactor into acount here.
// All forms of scale should be included: Page::pageScaleFactor(), Frame::pageZoomFactor(),
// and any CSS transforms. https://bugs.webkit.org/show_bug.cgi?id=81698
ImageWithScale image = bestImageForScaleFactor();
CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options);
request.setInitiator(cachedResourceRequestInitiators().css);
if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
updateRequestForAccessControl(request.mutableResourceRequest(), document->securityOrigin(), options.allowCredentials());
if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
detachPendingImage();
m_imageSet = StyleCachedImageSet::create(cachedImage.get(), image.scaleFactor, this);
m_accessedBestFitImage = true;
}
}
return (m_imageSet && m_imageSet->isCachedImageSet()) ? toStyleCachedImageSet(m_imageSet.get()) : nullptr;
}
void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, StoredCredentials allowCredentials, CredentialRequest requested)
{
ASSERT(requested == ClientDidNotRequestCredentials || allowCredentials == AllowStoredCredentials);
m_resourceRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
updateRequestForAccessControl(m_resourceRequest, origin, allowCredentials);
m_options.allowCredentials = allowCredentials;
m_options.corsEnabled = IsCORSEnabled;
m_options.securityOrigin = origin;
m_options.credentialsRequested = requested;
}
void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
{
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request));
if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_options.allowCredentials);
makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
} else {
m_simpleRequest = false;
// Do not set the Origin header for preflight requests.
updateRequestForAccessControl(*crossOriginRequest, 0, m_options.allowCredentials);
m_actualRequest = crossOriginRequest.release();
if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
preflightSuccess();
else
makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
}
void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
{
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
auto crossOriginRequest = std::make_unique<ResourceRequest>(request);
updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_options.allowCredentials());
if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight)
makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
else {
m_simpleRequest = false;
m_actualRequest = WTFMove(crossOriginRequest);
if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials(), m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
preflightSuccess();
else
makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
}
bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage)
{
bool crossOriginFlag = m_resource->isCrossOrigin();
bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
if (isNextRequestCrossOrigin)
m_resource->setCrossOrigin();
ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin());
if (options().mode != FetchOptions::Mode::Cors)
return true;
// Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
errorMessage = ASCIILiteral("URL is either a non-HTTP URL or contains credentials.");
return false;
}
ASSERT(m_origin);
if (crossOriginFlag && !passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorMessage))
return false;
bool redirectingToNewOrigin = false;
if (m_resource->isCrossOrigin()) {
if (!crossOriginFlag && isNextRequestCrossOrigin)
redirectingToNewOrigin = true;
else
redirectingToNewOrigin = !SecurityOrigin::create(previousRequest.url())->canRequest(newRequest.url());
}
// Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 10.
if (crossOriginFlag && redirectingToNewOrigin)
m_origin = SecurityOrigin::createUnique();
if (redirectingToNewOrigin) {
cleanRedirectedRequestForAccessControl(newRequest);
updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials);
}
return true;
}
DocumentThreadableLoader::DocumentThreadableLoader(Document* document, ThreadableLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options)
: m_client(client)
, m_document(document)
, m_options(options)
, m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
, m_async(blockingBehavior == LoadAsynchronously)
#if ENABLE(INSPECTOR)
, m_preflightRequestIdentifier(0)
#endif
{
ASSERT(document);
ASSERT(client);
// Setting an outgoing referer is only supported in the async code path.
ASSERT(m_async || request.httpReferrer().isEmpty());
if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
loadRequest(request, DoSecurityCheck);
return;
}
if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are not supported."));
return;
}
ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request));
updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_options.allowCredentials);
if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight)
makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
else {
m_actualRequest = crossOriginRequest.release();
if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
preflightSuccess();
else
makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
}
ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
{
ResourceRequest preflightRequest(request.url());
updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
preflightRequest.setHTTPMethod("OPTIONS");
preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
preflightRequest.setPriority(request.priority());
preflightRequest.setRequestContext(request.requestContext());
preflightRequest.setSkipServiceWorker(true);
const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
if (requestHeaderFields.size() > 0) {
// Sort header names lexicographically: https://crbug.com/452391
// Fetch API Spec:
// https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
Vector<String> headers;
for (const auto& header : requestHeaderFields) {
if (equalIgnoringCase(header.key, "referer")) {
// When the request is from a Worker, referrer header was added
// by WorkerThreadableLoader. But it should not be added to
// Access-Control-Request-Headers header.
continue;
}
headers.append(header.key.lower());
}
std::sort(headers.begin(), headers.end(), WTF::codePointCompareLessThan);
StringBuilder headerBuffer;
for (const String& header : headers) {
if (!headerBuffer.isEmpty())
headerBuffer.appendLiteral(", ");
headerBuffer.append(header);
}
preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", AtomicString(headerBuffer.toString()));
}
return preflightRequest;
}
std::pair<CachedImage*, float> CSSImageSetValue::loadBestFitImage(CachedResourceLoader& loader, const ResourceLoaderOptions& options)
{
Document* document = loader.document();
updateDeviceScaleFactor(*document);
if (!m_accessedBestFitImage) {
m_accessedBestFitImage = true;
// FIXME: In the future, we want to take much more than deviceScaleFactor into acount here.
// All forms of scale should be included: Page::pageScaleFactor(), Frame::pageZoomFactor(),
// and any CSS transforms. https://bugs.webkit.org/show_bug.cgi?id=81698
ImageWithScale image = bestImageForScaleFactor();
CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options);
request.setInitiator(cachedResourceRequestInitiators().css);
if (options.mode == FetchOptions::Mode::Cors) {
ASSERT(document->securityOrigin());
updateRequestForAccessControl(request.mutableResourceRequest(), *document->securityOrigin(), options.allowCredentials);
}
m_cachedImage = loader.requestImage(request);
m_bestFitImageScaleFactor = image.scaleFactor;
}
return { m_cachedImage.get(), m_bestFitImageScaleFactor };
}
StyleCachedImage* CSSImageValue::cachedImage(CachedResourceLoader* loader, const ResourceLoaderOptions& options)
{
ASSERT(loader);
if (!m_accessedImage) {
m_accessedImage = true;
CachedResourceRequest request(ResourceRequest(loader->document()->completeURL(m_url)), options);
if (m_initiatorName.isEmpty())
request.setInitiator(cachedResourceRequestInitiators().css);
else
request.setInitiator(m_initiatorName);
if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
updateRequestForAccessControl(request.mutableResourceRequest(), loader->document()->securityOrigin(), options.allowCredentials());
if (CachedResourceHandle<CachedImage> cachedImage = loader->requestImage(request)) {
detachPendingImage();
m_image = StyleCachedImage::create(cachedImage.get());
}
}
return (m_image && m_image->isCachedImage()) ? toStyleCachedImage(m_image.get()) : nullptr;
}
bool MediaResourceLoader::start(const ResourceRequest& request, LoadOptions options)
{
if (m_resource)
return false;
DataBufferingPolicy bufferingPolicy = options & LoadOption::BufferData ? WebCore::BufferData : WebCore::DoNotBufferData;
RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalIgnoringCase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
// ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
if (!m_crossOriginMode.isNull())
updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
m_didPassAccessControlCheck = false;
m_resource = m_document.cachedResourceLoader().requestRawResource(cacheRequest);
if (!m_resource)
return false;
m_resource->addClient(this);
return true;
}
void ImageLoader::updateFromElement()
{
// If we're not making renderers for the page, then don't load images. We don't want to slow
// down the raw HTML parsing case by loading images we don't intend to display.
Document* document = m_element->document();
if (!document->renderer())
return;
AtomicString attr = m_element->imageSourceURL();
if (attr == m_failedLoadURL)
return;
// Do not load any image if the 'src' attribute is missing or if it is
// an empty string.
CachedResourceHandle<CachedImage> newImage = 0;
if (!attr.isNull() && !stripLeadingAndTrailingHTMLSpaces(attr).isEmpty()) {
CachedResourceRequest request(ResourceRequest(document->completeURL(sourceURI(attr))));
request.setInitiator(element());
String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(request.mutableResourceRequest(), document->securityOrigin(), allowCredentials);
}
if (m_loadManually) {
bool autoLoadOtherImages = document->cachedResourceLoader()->autoLoadImages();
document->cachedResourceLoader()->setAutoLoadImages(false);
newImage = new CachedImage(request.resourceRequest());
newImage->setLoading(true);
newImage->setOwningCachedResourceLoader(document->cachedResourceLoader());
document->cachedResourceLoader()->m_documentResources.set(newImage->url(), newImage.get());
document->cachedResourceLoader()->setAutoLoadImages(autoLoadOtherImages);
} else
newImage = document->cachedResourceLoader()->requestImage(request);
// If we do not have an image here, it means that a cross-site
// violation occurred, or that the image was blocked via Content
// Security Policy, or the page is being dismissed. Trigger an
// error event if the page is not being dismissed.
if (!newImage && !pageIsBeingDismissed(document)) {
m_failedLoadURL = attr;
m_hasPendingErrorEvent = true;
errorEventSender().dispatchEventSoon(this);
} else
clearFailedLoadURL();
} else if (!attr.isNull()) {
// Fire an error event if the url is empty.
// FIXME: Should we fire this event asynchronoulsy via errorEventSender()?
m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
}
CachedImage* oldImage = m_image.get();
if (newImage != oldImage) {
if (m_hasPendingBeforeLoadEvent) {
beforeLoadEventSender().cancelEvent(this);
m_hasPendingBeforeLoadEvent = false;
}
if (m_hasPendingLoadEvent) {
loadEventSender().cancelEvent(this);
m_hasPendingLoadEvent = false;
}
// Cancel error events that belong to the previous load, which is now cancelled by changing the src attribute.
// If newImage is null and m_hasPendingErrorEvent is true, we know the error event has been just posted by
// this load and we should not cancel the event.
// FIXME: If both previous load and this one got blocked with an error, we can receive one error event instead of two.
if (m_hasPendingErrorEvent && newImage) {
errorEventSender().cancelEvent(this);
m_hasPendingErrorEvent = false;
}
m_image = newImage;
m_hasPendingBeforeLoadEvent = !m_element->document()->isImageDocument() && newImage;
m_hasPendingLoadEvent = newImage;
m_imageComplete = !newImage;
if (newImage) {
if (!m_element->document()->isImageDocument()) {
if (!m_element->document()->hasListenerType(Document::BEFORELOAD_LISTENER))
dispatchPendingBeforeLoadEvent();
else
beforeLoadEventSender().dispatchEventSoon(this);
} else
updateRenderer();
// If newImage is cached, addClient() will result in the load event
// being queued to fire. Ensure this happens after beforeload is
// dispatched.
newImage->addClient(this);
}
if (oldImage)
oldImage->removeClient(this);
}
if (RenderImageResource* imageResource = renderImageResource())
imageResource->resetAnimation();
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
updatedHasPendingEvent();
}
void ImageLoader::updateFromElement()
{
// If we're not making renderers for the page, then don't load images. We don't want to slow
// down the raw HTML parsing case by loading images we don't intend to display.
Document* document = m_element->document();
if (!document->renderer())
return;
AtomicString attr = m_element->getAttribute(m_element->imageSourceAttributeName());
if (attr == m_failedLoadURL)
return;
// Do not load any image if the 'src' attribute is missing or if it is
// an empty string referring to a local file. The latter condition is
// a quirk that preserves old behavior that Dashboard widgets
// need (<rdar://problem/5994621>).
CachedImage* newImage = 0;
// CAPPFIX_WEB_IMG_SRC_NULL
#if 1
if (!attr.isNull() && !stripLeadingAndTrailingHTMLSpaces(attr).isEmpty()) {
#else
if (!(attr.isNull() || (attr.isEmpty() && document->baseURI().isLocalFile()))) {
#endif
ResourceRequest request = ResourceRequest(document->completeURL(sourceURI(attr)));
String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
bool allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials");
updateRequestForAccessControl(request, document->securityOrigin(), allowCredentials);
}
if (m_loadManually) {
bool autoLoadOtherImages = document->cachedResourceLoader()->autoLoadImages();
document->cachedResourceLoader()->setAutoLoadImages(false);
newImage = new CachedImage(request);
newImage->setLoading(true);
newImage->setOwningCachedResourceLoader(document->cachedResourceLoader());
document->cachedResourceLoader()->m_documentResources.set(newImage->url(), newImage);
document->cachedResourceLoader()->setAutoLoadImages(autoLoadOtherImages);
} else
newImage = document->cachedResourceLoader()->requestImage(request);
// If we do not have an image here, it means that a cross-site
// violation occurred.
m_failedLoadURL = !newImage ? attr : AtomicString();
// CAPPFIX_WEB_IMG_SRC_NULL
#if 1
} else if (!attr.isNull()) // Fire an error event if the url is empty.
m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
#else
}
#endif
CachedImage* oldImage = m_image.get();
if (newImage != oldImage) {
if (!m_firedBeforeLoad)
beforeLoadEventSender().cancelEvent(this);
if (!m_firedLoad)
loadEventSender().cancelEvent(this);
m_image = newImage;
m_firedBeforeLoad = !newImage;
m_firedLoad = !newImage;
m_imageComplete = !newImage;
if (newImage) {
newImage->addClient(this);
if (!m_element->document()->hasListenerType(Document::BEFORELOAD_LISTENER))
dispatchPendingBeforeLoadEvent();
else
beforeLoadEventSender().dispatchEventSoon(this);
}
if (oldImage)
oldImage->removeClient(this);
}
if (RenderImageResource* imageResource = renderImageResource())
imageResource->resetAnimation();
}
void FetchRequest::setPotentiallyCrossOriginEnabled(SecurityOrigin* origin, StoredCredentials allowCredentials)
{
updateRequestForAccessControl(m_resourceRequest, origin, allowCredentials);
ASSERT(m_options.requestOriginPolicy == UseDefaultOriginRestrictionsForType); // Allows only tightening from the default value.
m_options.requestOriginPolicy = PotentiallyCrossOriginEnabled;
}
void ImageLoader::updateFromElement()
{
// If we're not making renderers for the page, then don't load images. We don't want to slow
// down the raw HTML parsing case by loading images we don't intend to display.
Document* document = m_element->document();
if (!document->renderer())
return;
AtomicString attr = m_element->getAttribute(m_element->imageSourceAttributeName());
if (attr == m_failedLoadURL)
return;
// Do not load any image if the 'src' attribute is missing or if it is
// an empty string.
CachedImage* newImage = 0;
if (!attr.isNull() && !stripLeadingAndTrailingHTMLSpaces(attr).isEmpty()) {
ResourceRequest request = ResourceRequest(document->completeURL(sourceURI(attr)));
String crossOriginMode = m_element->fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
updateRequestForAccessControl(request, document->securityOrigin(), allowCredentials);
}
if (m_loadManually) {
bool autoLoadOtherImages = document->cachedResourceLoader()->autoLoadImages();
document->cachedResourceLoader()->setAutoLoadImages(false);
newImage = new CachedImage(request);
newImage->setLoading(true);
newImage->setOwningCachedResourceLoader(document->cachedResourceLoader());
document->cachedResourceLoader()->m_documentResources.set(newImage->url(), newImage);
document->cachedResourceLoader()->setAutoLoadImages(autoLoadOtherImages);
} else
newImage = document->cachedResourceLoader()->requestImage(request);
// If we do not have an image here, it means that a cross-site
// violation occurred.
m_failedLoadURL = !newImage ? attr : AtomicString();
} else if (!attr.isNull()) // Fire an error event if the url is empty.
m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
CachedImage* oldImage = m_image.get();
if (newImage != oldImage) {
if (!m_firedBeforeLoad)
beforeLoadEventSender().cancelEvent(this);
if (!m_firedLoad)
loadEventSender().cancelEvent(this);
m_image = newImage;
m_firedBeforeLoad = !newImage;
m_firedLoad = !newImage;
m_imageComplete = !newImage;
if (newImage) {
if (!m_element->document()->hasListenerType(Document::BEFORELOAD_LISTENER))
dispatchPendingBeforeLoadEvent();
else
beforeLoadEventSender().dispatchEventSoon(this);
// If newImage is cached, addClient() will result in the load event
// being queued to fire. Ensure this happens after beforeload is
// dispatched.
newImage->addClient(this);
}
if (oldImage)
oldImage->removeClient(this);
}
if (RenderImageResource* imageResource = renderImageResource())
imageResource->resetAnimation();
}
