Example #1
0
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff)
{
    if (!frame)
        return 0;

    FrameLoader* fl = frame->loader();
    if (securityCheck == DoSecurityCheck && (fl->state() == FrameStateProvisional || !fl->activeDocumentLoader() || fl->activeDocumentLoader()->isStopping()))
        return 0;

    ResourceRequest newRequest = request;

    if (securityCheck == DoSecurityCheck && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }
    
    if (SecurityOrigin::shouldHideReferrer(request.url(), fl->outgoingReferrer()))
        newRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        newRequest.setHTTPReferrer(fl->outgoingReferrer());
    FrameLoader::addHTTPOriginIfNeeded(newRequest, fl->outgoingOrigin());

    fl->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> subloader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));
    subloader->documentLoader()->addSubresourceLoader(subloader.get());
    if (!subloader->load(newRequest))
        return 0;

    return subloader.release();
}
Example #2
0
void CachedResource::addAdditionalRequestHeaders(CachedResourceLoader* cachedResourceLoader)
{
    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    FrameLoader* frameLoader = cachedResourceLoader->frame()->loader();
    String outgoingReferrer;
    String outgoingOrigin;
    if (m_resourceRequest.httpReferrer().isNull()) {
        outgoingReferrer = frameLoader->outgoingReferrer();
        outgoingOrigin = frameLoader->outgoingOrigin();
    } else {
        outgoingReferrer = m_resourceRequest.httpReferrer();
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    outgoingReferrer = SecurityPolicy::generateReferrerHeader(cachedResourceLoader->document()->referrerPolicy(), m_resourceRequest.url(), outgoingReferrer);
    if (outgoingReferrer.isEmpty())
        m_resourceRequest.clearHTTPReferrer();
    else if (!m_resourceRequest.httpReferrer())
        m_resourceRequest.setHTTPReferrer(outgoingReferrer);
    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);

    frameLoader->addExtraFieldsToSubresourceRequest(m_resourceRequest);
}
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff, bool shouldBufferData)
{
    if (!frame)
        return 0;

    FrameLoader* fl = frame->loader();
    if (securityCheck == DoSecurityCheck && (fl->state() == FrameStateProvisional || !fl->activeDocumentLoader() || fl->activeDocumentLoader()->isStopping()))
        return 0;

    ResourceRequest newRequest = request;

    if (securityCheck == DoSecurityCheck && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    String outgoingReferrer;
    String outgoingOrigin;
    if (request.httpReferrer().isNull()) {
        outgoingReferrer = fl->outgoingReferrer();
        outgoingOrigin = fl->outgoingOrigin();
    } else {
        outgoingReferrer = request.httpReferrer();
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    if (SecurityOrigin::shouldHideReferrer(request.url(), outgoingReferrer))
        newRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        newRequest.setHTTPReferrer(outgoingReferrer);
    FrameLoader::addHTTPOriginIfNeeded(newRequest, outgoingOrigin);

    fl->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> subloader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));
    subloader->setShouldBufferData(shouldBufferData);
    subloader->documentLoader()->addSubresourceLoader(subloader.get());
    if (!subloader->init(newRequest))
        return 0;

    return subloader.release();
}
Example #4
0
void CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders(FrameLoader& frameLoader, ReferrerPolicy defaultPolicy)
{
    // Implementing step 7 to 9 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch

    String outgoingOrigin;
    String outgoingReferrer = m_resourceRequest.httpReferrer();
    if (!outgoingReferrer.isNull())
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    else {
        outgoingReferrer = frameLoader.outgoingReferrer();
        outgoingOrigin = frameLoader.outgoingOrigin();
    }

    // FIXME: Refactor SecurityPolicy::generateReferrerHeader to align with new terminology used in https://w3c.github.io/webappsec-referrer-policy.
    switch (m_options.referrerPolicy) {
    case FetchOptions::ReferrerPolicy::EmptyString: {
        outgoingReferrer = SecurityPolicy::generateReferrerHeader(defaultPolicy, m_resourceRequest.url(), outgoingReferrer);
        break; }
    case FetchOptions::ReferrerPolicy::NoReferrerWhenDowngrade:
        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Default, m_resourceRequest.url(), outgoingReferrer);
        break;
    case FetchOptions::ReferrerPolicy::NoReferrer:
        outgoingReferrer = String();
        break;
    case FetchOptions::ReferrerPolicy::Origin:
        outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
        break;
    case FetchOptions::ReferrerPolicy::OriginWhenCrossOrigin:
        if (isRequestCrossOrigin(m_origin.get(), m_resourceRequest.url(), m_options))
            outgoingReferrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, m_resourceRequest.url(), outgoingReferrer);
        break;
    case FetchOptions::ReferrerPolicy::UnsafeUrl:
        break;
    };

    if (outgoingReferrer.isEmpty())
        m_resourceRequest.clearHTTPReferrer();
    else
        m_resourceRequest.setHTTPReferrer(outgoingReferrer);
    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);

    frameLoader.applyUserAgent(m_resourceRequest);
}
Example #5
0
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, CachedResource* resource, const ResourceRequest& request, const ResourceLoaderOptions& options)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();
    if (options.securityCheck == DoSecurityCheck && (frameLoader->state() == FrameStateProvisional || !frameLoader->activeDocumentLoader() || frameLoader->activeDocumentLoader()->isStopping()))
        return 0;

    ResourceRequest newRequest = request;

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    String outgoingReferrer;
    String outgoingOrigin;
    if (request.httpReferrer().isNull()) {
        outgoingReferrer = frameLoader->outgoingReferrer();
        outgoingOrigin = frameLoader->outgoingOrigin();
    } else {
        outgoingReferrer = request.httpReferrer();
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    outgoingReferrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), request.url(), outgoingReferrer);
    if (outgoingReferrer.isEmpty())
        newRequest.clearHTTPReferrer();
    else if (!request.httpReferrer())
        newRequest.setHTTPReferrer(outgoingReferrer);
    FrameLoader::addHTTPOriginIfNeeded(newRequest, outgoingOrigin);

    frameLoader->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> subloader(adoptRef(new SubresourceLoader(frame, resource, options)));
    if (!subloader->init(newRequest))
        return 0;
    return subloader.release();
}