void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
const URL& responseURL = response.url();
if (!responseURL.protocolIsBlob() && !responseURL.protocolIs("file") && !SecurityOrigin::create(responseURL)->isUnique())
m_contentSecurityPolicyResponseHeaders = ContentSecurityPolicyResponseHeaders(response);
InspectorInstrumentation::didReceiveScriptResponse(scriptExecutionContext(), identifier);
}
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, std::unique_ptr<WebDataConsumerHandle> handle)
{
ASSERT_UNUSED(resource, m_mainResource == resource);
ASSERT_UNUSED(handle, !handle);
ASSERT(frame());
m_applicationCacheHost->didReceiveResponseForMainResource(response);
// The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
// from the application cache, ensure we don't save the result for future use. All responses loaded
// from appcache will have a non-zero appCacheID().
if (response.appCacheID())
memoryCache()->remove(m_mainResource.get());
m_contentSecurityPolicy = ContentSecurityPolicy::create();
m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
cancelLoadAfterXFrameOptionsOrCSPDenied(response);
return;
}
// 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
if (it != response.httpHeaderFields().end()) {
String content = it->value;
if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(SecurityMessageSource, ErrorMessageLevel, message, response.url(), mainResourceIdentifier());
frame()->document()->addConsoleMessage(consoleMessage);
cancelLoadAfterXFrameOptionsOrCSPDenied(response);
return;
}
}
}
ASSERT(!m_frame->page()->defersLoading());
m_response = response;
if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->getDataBufferingPolicy() != BufferData)
m_mainResource->setDataBufferingPolicy(BufferData);
if (!shouldContinueForResponse()) {
InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response, m_mainResource.get());
m_fetcher->stopFetching();
return;
}
if (m_response.isHTTP()) {
int status = m_response.httpStatusCode();
if ((status < 200 || status >= 300) && m_frame->owner())
m_frame->owner()->renderFallbackContent();
}
}
void InProcessWorkerBase::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
if (!response.url().protocolIs("blob") && !response.url().protocolIs("file") && !response.url().protocolIs("filesystem")) {
m_contentSecurityPolicy = ContentSecurityPolicy::create();
m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
}
InspectorInstrumentation::didReceiveScriptResponse(executionContext(), identifier);
}
HTMLImportLoader::State HTMLImportLoader::startWritingAndParsing(const ResourceResponse& response)
{
DocumentInit init = DocumentInit(response.url(), 0, m_import->master()->contextDocument(), m_import)
.withRegistrationContext(m_import->master()->registrationContext());
m_importedDocument = HTMLDocument::create(init);
m_importedDocument->initContentSecurityPolicy(ContentSecurityPolicyResponseHeaders(response));
m_writer = DocumentWriter::create(m_importedDocument.get(), response.mimeType(), response.textEncodingName());
return StateLoading;
}
void WorkerScriptLoader::processContentSecurityPolicy(const ResourceResponse& response)
{
// Per http://www.w3.org/TR/CSP2/#processing-model-workers, if the Worker's
// URL is not a GUID, then it grabs its CSP from the response headers
// directly. Otherwise, the Worker inherits the policy from the parent
// document (which is implemented in WorkerMessagingProxy, and
// m_contentSecurityPolicy should be left as nullptr to inherit the policy).
if (!response.url().protocolIs("blob") && !response.url().protocolIs("file") && !response.url().protocolIs("filesystem")) {
m_contentSecurityPolicy = ContentSecurityPolicy::create();
m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
}
}
HTMLImportLoader::State HTMLImportLoader::startWritingAndParsing(const ResourceResponse& response)
{
// Current canAccess() implementation isn't sufficient for catching cross-domain redirects: http://crbug.com/256976
if (!m_parent->document()->fetcher()->canAccess(m_resource.get()))
return StateError;
DocumentInit init = DocumentInit(response.url(), 0, root()->document()->contextDocument(), this)
.withRegistrationContext(root()->document()->registrationContext());
m_importedDocument = HTMLDocument::create(init);
m_importedDocument->initContentSecurityPolicy(ContentSecurityPolicyResponseHeaders(response));
m_writer = DocumentWriter::create(m_importedDocument.get(), response.mimeType(), response.textEncodingName());
return StateLoading;
}
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle)
{
ASSERT_UNUSED(resource, m_mainResource == resource);
ASSERT_UNUSED(handle, !handle);
RefPtr<DocumentLoader> protect(this);
m_applicationCacheHost->didReceiveResponseForMainResource(response);
// The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
// from the application cache, ensure we don't save the result for future use. All responses loaded
// from appcache will have a non-zero appCacheID().
if (response.appCacheID())
memoryCache()->remove(m_mainResource.get());
DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral));
HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader);
if (it != response.httpHeaderFields().end()) {
String content = it->value;
if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message);
consoleMessage->setRequestIdentifier(mainResourceIdentifier());
frame()->document()->addConsoleMessage(consoleMessage.release());
cancelLoadAfterXFrameOptionsOrCSPDenied(response);
return;
}
}
m_contentSecurityPolicy = ContentSecurityPolicy::create();
m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
cancelLoadAfterXFrameOptionsOrCSPDenied(response);
return;
}
ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading());
m_response = response;
if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->dataBufferingPolicy() != BufferData)
m_mainResource->setDataBufferingPolicy(BufferData);
if (!shouldContinueForResponse()) {
InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response);
cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
return;
}
if (m_response.isHTTP()) {
int status = m_response.httpStatusCode();
// FIXME: Fallback content only works if the parent is in the same processs.
if ((status < 200 || status >= 300) && m_frame->owner()) {
if (!m_frame->deprecatedLocalOwner()) {
ASSERT_NOT_REACHED();
} else if (m_frame->deprecatedLocalOwner()->isObjectElement()) {
m_frame->deprecatedLocalOwner()->renderFallbackContent();
// object elements are no longer rendered after we fallback, so don't
// keep trying to process data from their load
cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
}
}
}
}
