void WorkerScriptLoader::didReceiveResponse( unsigned long identifier, const ResourceResponse& response, std::unique_ptr<WebDataConsumerHandle> handle) { DCHECK(!handle); if (response.httpStatusCode() / 100 != 2 && response.httpStatusCode()) { notifyError(); return; } m_identifier = identifier; m_responseURL = response.url(); m_responseEncoding = response.textEncodingName(); m_appCacheID = response.appCacheID(); m_referrerPolicy = response.httpHeaderField(HTTPNames::Referrer_Policy); processContentSecurityPolicy(response); m_originTrialTokens = OriginTrialContext::parseHeaderValue( response.httpHeaderField(HTTPNames::Origin_Trial)); if (NetworkUtils::isReservedIPAddress(response.remoteIPAddress())) { m_responseAddressSpace = SecurityOrigin::create(m_responseURL)->isLocalhost() ? WebAddressSpaceLocal : WebAddressSpacePrivate; } if (m_responseCallback) (*m_responseCallback)(); }
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response) { ASSERT_UNUSED(resource, m_mainResource == resource); RefPtr<DocumentLoader> protect(this); m_applicationCacheHost->didReceiveResponseForMainResource(response); // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served // from the application cache, ensure we don't save the result for future use. All responses loaded // from appcache will have a non-zero appCacheID(). if (response.appCacheID()) memoryCache()->remove(m_mainResource.get()); DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral)); HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader); if (it != response.httpHeaderFields().end()) { String content = it->value; ASSERT(m_mainResource); unsigned long identifier = mainResourceIdentifier(); ASSERT(identifier); if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), identifier)) { InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, identifier, response); String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; frame()->document()->addConsoleMessageWithRequestIdentifier(SecurityMessageSource, ErrorMessageLevel, message, identifier); frame()->document()->enforceSandboxFlags(SandboxOrigin); if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement()) ownerElement->dispatchEvent(Event::create(EventTypeNames::load)); // The load event might have detached this frame. In that case, the load will already have been cancelled during detach. if (frameLoader()) cancelMainResourceLoad(ResourceError::cancelledError(m_request.url())); return; } } ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading()); m_response = response; if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->dataBufferingPolicy() != BufferData) m_mainResource->setDataBufferingPolicy(BufferData); if (!shouldContinueForResponse()) { InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response); cancelMainResourceLoad(ResourceError::cancelledError(m_request.url())); return; } if (m_response.isHTTP()) { int status = m_response.httpStatusCode(); if ((status < 200 || status >= 300) && m_frame->ownerElement() && m_frame->ownerElement()->isObjectElement()) { m_frame->ownerElement()->renderFallbackContent(); // object elements are no longer rendered after we fallback, so don't // keep trying to process data from their load cancelMainResourceLoad(ResourceError::cancelledError(m_request.url())); } } }
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, std::unique_ptr<WebDataConsumerHandle> handle) { ASSERT_UNUSED(resource, m_mainResource == resource); ASSERT_UNUSED(handle, !handle); ASSERT(frame()); m_applicationCacheHost->didReceiveResponseForMainResource(response); // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served // from the application cache, ensure we don't save the result for future use. All responses loaded // from appcache will have a non-zero appCacheID(). if (response.appCacheID()) memoryCache()->remove(m_mainResource.get()); m_contentSecurityPolicy = ContentSecurityPolicy::create(); m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) { cancelLoadAfterXFrameOptionsOrCSPDenied(response); return; } // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) { HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(HTTPNames::X_Frame_Options); if (it != response.httpHeaderFields().end()) { String content = it->value; if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) { String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(SecurityMessageSource, ErrorMessageLevel, message, response.url(), mainResourceIdentifier()); frame()->document()->addConsoleMessage(consoleMessage); cancelLoadAfterXFrameOptionsOrCSPDenied(response); return; } } } ASSERT(!m_frame->page()->defersLoading()); m_response = response; if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->getDataBufferingPolicy() != BufferData) m_mainResource->setDataBufferingPolicy(BufferData); if (!shouldContinueForResponse()) { InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response, m_mainResource.get()); m_fetcher->stopFetching(); return; } if (m_response.isHTTP()) { int status = m_response.httpStatusCode(); if ((status < 200 || status >= 300) && m_frame->owner()) m_frame->owner()->renderFallbackContent(); } }
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle) { ASSERT_UNUSED(resource, m_mainResource == resource); ASSERT_UNUSED(handle, !handle); RefPtr<DocumentLoader> protect(this); m_applicationCacheHost->didReceiveResponseForMainResource(response); // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served // from the application cache, ensure we don't save the result for future use. All responses loaded // from appcache will have a non-zero appCacheID(). if (response.appCacheID()) memoryCache()->remove(m_mainResource.get()); DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral)); HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader); if (it != response.httpHeaderFields().end()) { String content = it->value; if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) { String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message); consoleMessage->setRequestIdentifier(mainResourceIdentifier()); frame()->document()->addConsoleMessage(consoleMessage.release()); cancelLoadAfterXFrameOptionsOrCSPDenied(response); return; } } m_contentSecurityPolicy = ContentSecurityPolicy::create(); m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) { cancelLoadAfterXFrameOptionsOrCSPDenied(response); return; } ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading()); m_response = response; if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->dataBufferingPolicy() != BufferData) m_mainResource->setDataBufferingPolicy(BufferData); if (!shouldContinueForResponse()) { InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response); cancelMainResourceLoad(ResourceError::cancelledError(m_request.url())); return; } if (m_response.isHTTP()) { int status = m_response.httpStatusCode(); // FIXME: Fallback content only works if the parent is in the same processs. if ((status < 200 || status >= 300) && m_frame->owner()) { if (!m_frame->deprecatedLocalOwner()) { ASSERT_NOT_REACHED(); } else if (m_frame->deprecatedLocalOwner()->isObjectElement()) { m_frame->deprecatedLocalOwner()->renderFallbackContent(); // object elements are no longer rendered after we fallback, so don't // keep trying to process data from their load cancelMainResourceLoad(ResourceError::cancelledError(m_request.url())); } } } }
void didReceiveResponse(unsigned long identifier, const ResourceResponse& response) override { m_identifier = identifier; m_appCacheID = response.appCacheID(); (*m_receiveResponseCallback)(); }
void MainResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& r) { ASSERT_UNUSED(resource, m_resource == resource); bool willLoadFallback = documentLoader()->applicationCacheHost()->maybeLoadFallbackForMainResponse(request(), r); // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served // from the application cache, ensure we don't save the result for future use. bool shouldRemoveResourceFromCache = willLoadFallback; #if PLATFORM(CHROMIUM) // chromium's ApplicationCacheHost implementation always returns true for maybeLoadFallbackForMainResponse(). However, all responses loaded // from appcache will have a non-zero appCacheID(). if (r.appCacheID()) shouldRemoveResourceFromCache = true; #endif if (shouldRemoveResourceFromCache) memoryCache()->remove(m_resource.get()); if (willLoadFallback) return; DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral)); HTTPHeaderMap::const_iterator it = r.httpHeaderFields().find(xFrameOptionHeader); if (it != r.httpHeaderFields().end()) { String content = it->value; if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, r.url(), identifier())) { InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_documentLoader->frame(), documentLoader(), identifier(), r); String message = "Refused to display '" + r.url().string() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; m_documentLoader->frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, message, identifier()); cancel(); return; } } // There is a bug in CFNetwork where callbacks can be dispatched even when loads are deferred. // See <rdar://problem/6304600> for more details. #if !USE(CF) ASSERT(!defersLoading()); #endif if (m_loadingMultipartContent) { m_documentLoader->setupForReplace(); m_resource->clear(); } if (r.isMultipart()) m_loadingMultipartContent = true; // The additional processing can do anything including possibly removing the last // reference to this object; one example of this is 3266216. RefPtr<MainResourceLoader> protect(this); m_documentLoader->setResponse(r); m_response = r; if (!loader()) frameLoader()->notifier()->dispatchDidReceiveResponse(documentLoader(), identifier(), m_response, 0); ASSERT(!m_waitingForContentPolicy); m_waitingForContentPolicy = true; ref(); // balanced by deref in continueAfterContentPolicy and cancel // Always show content with valid substitute data. if (m_documentLoader->substituteData().isValid()) { callContinueAfterContentPolicy(this, PolicyUse); return; } #if ENABLE(FTPDIR) // Respect the hidden FTP Directory Listing pref so it can be tested even if the policy delegate might otherwise disallow it Settings* settings = m_documentLoader->frame()->settings(); if (settings && settings->forceFTPDirectoryListings() && m_response.mimeType() == "application/x-ftp-directory") { callContinueAfterContentPolicy(this, PolicyUse); return; } #endif #if USE(CONTENT_FILTERING) if (r.url().protocolIs("https") && ContentFilter::isEnabled()) m_contentFilter = ContentFilter::create(r); #endif frameLoader()->policyChecker()->checkContentPolicy(m_response, callContinueAfterContentPolicy, this); }
void SharedWorkerScriptLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response) { m_responseAppCacheID = response.appCacheID(); InspectorInstrumentation::didReceiveScriptResponse(m_worker->scriptExecutionContext(), identifier); }