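// Builds a SubresourceLoader for |request|, fills in the Referer/Origin headers
// and starts the load.
//
// Returns 0 (a null PassRefPtr) when:
//   - |frame| is null;
//   - securityCheck is DoSecurityCheck and the frame loader is provisional, has
//     no active document loader, or that loader is stopping;
//   - securityCheck is DoSecurityCheck and the document's security origin
//     refuses canDisplay() for the URL (the failure is reported first);
//   - load() on the new loader fails.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff)
{
    if (!frame)
        return 0;

    FrameLoader* fl = frame->loader();
    if (securityCheck == DoSecurityCheck
        && (fl->state() == FrameStateProvisional || !fl->activeDocumentLoader() || fl->activeDocumentLoader()->isStopping()))
        return 0;

    // Work on a copy; the caller's request is never modified.
    ResourceRequest newRequest = request;

    if (securityCheck == DoSecurityCheck && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }

    // The hide decision used to look only at the frame's outgoing referrer,
    // even when the request already carried its own Referer. The value that
    // actually goes on the wire in that case was never checked, so it could be
    // sent where shouldHideReferrer() would have suppressed it. Check the
    // preset value as well; the frame-referrer check is kept, so nothing that
    // was hidden before is now sent.
    const bool hasPresetReferrer = !request.httpReferrer().isNull();
    bool hideReferrer = SecurityOrigin::shouldHideReferrer(request.url(), fl->outgoingReferrer());
    if (!hideReferrer && hasPresetReferrer)
        hideReferrer = SecurityOrigin::shouldHideReferrer(request.url(), request.httpReferrer());

    if (hideReferrer)
        newRequest.clearHTTPReferrer();
    else if (!hasPresetReferrer)
        newRequest.setHTTPReferrer(fl->outgoingReferrer());

    FrameLoader::addHTTPOriginIfNeeded(newRequest, fl->outgoingOrigin());
    fl->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> subloader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));
    // Register with the document loader before starting the load.
    subloader->documentLoader()->addSubresourceLoader(subloader.get());
    if (!subloader->load(newRequest))
        return 0;

    return subloader.release();
}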
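// Sets the Referer and Origin headers on m_resourceRequest and lets the frame
// loader add its extra subresource fields.
//
// The referrer is the request's own value when it has one, otherwise the frame
// loader's outgoing referrer. It is then passed through
// SecurityPolicy::generateReferrerHeader() with the document's referrer policy.
void CachedResource::addAdditionalRequestHeaders(CachedResourceLoader* cachedResourceLoader)
{
    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    FrameLoader* frameLoader = cachedResourceLoader->frame()->loader();
    String outgoingReferrer;
    String outgoingOrigin;
    if (m_resourceRequest.httpReferrer().isNull()) {
        outgoingReferrer = frameLoader->outgoingReferrer();
        outgoingOrigin = frameLoader->outgoingOrigin();
    } else {
        // The Origin value is derived from the referrer as supplied, before
        // the referrer policy is applied to it.
        outgoingReferrer = m_resourceRequest.httpReferrer();
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    outgoingReferrer = SecurityPolicy::generateReferrerHeader(cachedResourceLoader->document()->referrerPolicy(), m_resourceRequest.url(), outgoingReferrer);

    // Always write the policy-filtered value back. The header used to be set
    // only when the request had no Referer yet, so a preset Referer that the
    // policy rewrote to something non-empty went out unfiltered.
    if (outgoingReferrer.isEmpty())
        m_resourceRequest.clearHTTPReferrer();
    else
        m_resourceRequest.setHTTPReferrer(outgoingReferrer);

    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);
    frameLoader->addExtraFieldsToSubresourceRequest(m_resourceRequest);
}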
// Factory for a SubresourceLoader: validates the frame state, prepares a copy
// of |request| with Referer/Origin headers, and initialises the loader.
//
// Returns 0 when |frame| is null, when a DoSecurityCheck precondition fails
// (provisional frame, missing or stopping active document loader, or a URL the
// document's security origin cannot display), or when init() fails.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, SubresourceLoaderClient* client, const ResourceRequest& request, SecurityCheckPolicy securityCheck, bool sendResourceLoadCallbacks, bool shouldContentSniff, bool shouldBufferData)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();
    if (securityCheck == DoSecurityCheck) {
        if (frameLoader->state() == FrameStateProvisional)
            return 0;
        if (!frameLoader->activeDocumentLoader())
            return 0;
        if (frameLoader->activeDocumentLoader()->isStopping())
            return 0;
    }

    // Headers are edited on a private copy of the caller's request.
    ResourceRequest newRequest = request;

    if (securityCheck == DoSecurityCheck && !frame->document()->securityOrigin()->canDisplay(request.url())) {
        FrameLoader::reportLocalLoadFailed(frame, request.url().string());
        return 0;
    }

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    // Use the request's own referrer when it has one (deriving the origin from
    // it); otherwise fall back to the frame loader's outgoing values.
    String referrer;
    String origin;
    if (!request.httpReferrer().isNull()) {
        referrer = request.httpReferrer();
        origin = SecurityOrigin::createFromString(referrer)->toString();
    } else {
        referrer = frameLoader->outgoingReferrer();
        origin = frameLoader->outgoingOrigin();
    }

    const bool mustHideReferrer = SecurityOrigin::shouldHideReferrer(request.url(), referrer);
    if (mustHideReferrer) {
        newRequest.clearHTTPReferrer();
    } else if (!request.httpReferrer()) {
        // Only fill the header in when the caller did not supply one.
        newRequest.setHTTPReferrer(referrer);
    }

    FrameLoader::addHTTPOriginIfNeeded(newRequest, origin);
    frameLoader->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> loader(adoptRef(new SubresourceLoader(frame, client, sendResourceLoadCallbacks, shouldContentSniff)));
    loader->setShouldBufferData(shouldBufferData);
    loader->documentLoader()->addSubresourceLoader(loader.get());

    if (loader->init(newRequest))
        return loader.release();
    return 0;
}
// Finalises the Referer, Origin and User-Agent headers of m_resourceRequest.
//
// The starting referrer is the request's own value if present, else the frame
// loader's outgoing referrer. It is then rewritten according to
// m_options.referrerPolicy; |defaultPolicy| is used when that policy is
// EmptyString.
void CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders(FrameLoader& frameLoader, ReferrerPolicy defaultPolicy)
{
    // Implementing step 7 to 9 of https://fetch.spec.whatwg.org/#http-network-or-cache-fetch

    String referrer = m_resourceRequest.httpReferrer();
    String origin;
    if (referrer.isNull()) {
        referrer = frameLoader.outgoingReferrer();
        origin = frameLoader.outgoingOrigin();
    } else {
        // Origin comes from the referrer as supplied, before any policy is applied.
        origin = SecurityOrigin::createFromString(referrer)->toString();
    }

    // FIXME: Refactor SecurityPolicy::generateReferrerHeader to align with new terminology used in https://w3c.github.io/webappsec-referrer-policy.
    const auto& targetURL = m_resourceRequest.url();
    switch (m_options.referrerPolicy) {
    case FetchOptions::ReferrerPolicy::EmptyString:
        referrer = SecurityPolicy::generateReferrerHeader(defaultPolicy, targetURL, referrer);
        break;
    case FetchOptions::ReferrerPolicy::NoReferrerWhenDowngrade:
        referrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Default, targetURL, referrer);
        break;
    case FetchOptions::ReferrerPolicy::NoReferrer:
        // A null string makes the isEmpty() check below clear the header.
        referrer = String();
        break;
    case FetchOptions::ReferrerPolicy::Origin:
        referrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, targetURL, referrer);
        break;
    case FetchOptions::ReferrerPolicy::OriginWhenCrossOrigin:
        // Non-cross-origin requests keep the referrer untouched.
        if (isRequestCrossOrigin(m_origin.get(), targetURL, m_options))
            referrer = SecurityPolicy::generateReferrerHeader(ReferrerPolicy::Origin, targetURL, referrer);
        break;
    case FetchOptions::ReferrerPolicy::UnsafeUrl:
        // Referrer is sent as is, without going through generateReferrerHeader().
        break;
    }

    if (!referrer.isEmpty())
        m_resourceRequest.setHTTPReferrer(referrer);
    else
        m_resourceRequest.clearHTTPReferrer();

    FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, origin);
    frameLoader.applyUserAgent(m_resourceRequest);
}
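// Builds a SubresourceLoader for |resource|, preparing a copy of |request| with
// Referer/Origin headers before initialising the loader.
//
// Returns 0 when |frame| is null, when options.securityCheck is DoSecurityCheck
// and the frame loader is provisional / has no active document loader / that
// loader is stopping, or when init() fails.
PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, CachedResource* resource, const ResourceRequest& request, const ResourceLoaderOptions& options)
{
    if (!frame)
        return 0;

    FrameLoader* frameLoader = frame->loader();
    if (options.securityCheck == DoSecurityCheck
        && (frameLoader->state() == FrameStateProvisional || !frameLoader->activeDocumentLoader() || frameLoader->activeDocumentLoader()->isStopping()))
        return 0;

    // Work on a copy; the caller's request is never modified.
    ResourceRequest newRequest = request;

    // Note: We skip the Content-Security-Policy check here because we check
    // the Content-Security-Policy at the CachedResourceLoader layer so we can
    // handle different resource types differently.

    String outgoingReferrer;
    String outgoingOrigin;
    if (request.httpReferrer().isNull()) {
        outgoingReferrer = frameLoader->outgoingReferrer();
        outgoingOrigin = frameLoader->outgoingOrigin();
    } else {
        // The Origin value is derived from the referrer as supplied, before
        // the referrer policy is applied to it.
        outgoingReferrer = request.httpReferrer();
        outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
    }

    outgoingReferrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), request.url(), outgoingReferrer);

    // Always write the policy-filtered value back. The header used to be set
    // only when the request had no Referer yet, so a preset Referer that the
    // policy rewrote to something non-empty went out unfiltered.
    if (outgoingReferrer.isEmpty())
        newRequest.clearHTTPReferrer();
    else
        newRequest.setHTTPReferrer(outgoingReferrer);

    FrameLoader::addHTTPOriginIfNeeded(newRequest, outgoingOrigin);
    frameLoader->addExtraFieldsToSubresourceRequest(newRequest);

    RefPtr<SubresourceLoader> subloader(adoptRef(new SubresourceLoader(frame, resource, options)));
    if (!subloader->init(newRequest))
        return 0;

    return subloader.release();
}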