void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& response) { String accessControlErrorDescription; if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription, m_requestContext)) { handlePreflightFailure(response.url().string(), "Response to preflight request doesn't pass access control check: " + accessControlErrorDescription); // |this| may be dead here in async mode. return; } if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { handlePreflightFailure(response.url().string(), accessControlErrorDescription); // |this| may be dead here in async mode. return; } OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials())); if (!preflightResult->parse(response, accessControlErrorDescription) || !preflightResult->allowsCrossOriginMethod(m_actualRequest.httpMethod(), accessControlErrorDescription) || !preflightResult->allowsCrossOriginHeaders(m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) { handlePreflightFailure(response.url().string(), accessControlErrorDescription); // |this| may be dead here in async mode. return; } CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest.url(), preflightResult.release()); }
void DocumentThreadableLoader::handlePreflightResponse( const ResourceResponse& response) { String accessControlErrorDescription; if (!passesAccessControlCheck( response, effectiveAllowCredentials(), getSecurityOrigin(), accessControlErrorDescription, m_requestContext)) { handlePreflightFailure( response.url().getString(), "Response to preflight request doesn't pass access control check: " + accessControlErrorDescription); return; } if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { handlePreflightFailure(response.url().getString(), accessControlErrorDescription); return; } if (m_actualRequest.isExternalRequest() && !passesExternalPreflightCheck(response, accessControlErrorDescription)) { handlePreflightFailure(response.url().getString(), accessControlErrorDescription); return; } std::unique_ptr<CrossOriginPreflightResultCacheItem> preflightResult = WTF::wrapUnique( new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials())); if (!preflightResult->parse(response, accessControlErrorDescription) || !preflightResult->allowsCrossOriginMethod( m_actualRequest.httpMethod(), accessControlErrorDescription) || !preflightResult->allowsCrossOriginHeaders( m_actualRequest.httpHeaderFields(), accessControlErrorDescription)) { handlePreflightFailure(response.url().getString(), accessControlErrorDescription); return; } CrossOriginPreflightResultCache::shared().appendEntry( getSecurityOrigin()->toString(), m_actualRequest.url(), std::move(preflightResult)); }
// In this method, we can clear |request| to tell content::WebURLLoaderImpl of // Chromium not to follow the redirect. This works only when this method is // called by RawResource::willSendRequest(). If called by // RawResource::didAddClient(), clearing |request| won't be propagated to // content::WebURLLoaderImpl. So, this loader must also get detached from the // resource by calling clearResource(). bool DocumentThreadableLoader::redirectReceived( Resource* resource, const ResourceRequest& request, const ResourceResponse& redirectResponse) { DCHECK(m_client); DCHECK_EQ(resource, this->resource()); DCHECK(m_async); m_checker.redirectReceived(); if (!m_actualRequest.isNull()) { reportResponseReceived(resource->identifier(), redirectResponse); handlePreflightFailure(redirectResponse.url().getString(), "Response for preflight is invalid (redirect)"); return false; } if (m_redirectMode == WebURLRequest::FetchRedirectModeManual) { // We use |m_redirectMode| to check the original redirect mode. |request| is // a new request for redirect. So we don't set the redirect mode of it in // WebURLLoaderImpl::Context::OnReceivedRedirect(). DCHECK(request.useStreamOnResponse()); // There is no need to read the body of redirect response because there is // no way to read the body of opaque-redirect filtered response's internal // response. // TODO(horo): If we support any API which expose the internal body, we will // have to read the body. And also HTTPCache changes will be needed because // it doesn't store the body of redirect responses. responseReceived(resource, redirectResponse, WTF::makeUnique<EmptyDataHandle>()); if (m_client) { DCHECK(m_actualRequest.isNull()); notifyFinished(resource); } return false; } if (m_redirectMode == WebURLRequest::FetchRedirectModeError) { ThreadableLoaderClient* client = m_client; clear(); client->didFailRedirectCheck(); return false; } // Allow same origin requests to continue after allowing clients to audit the // redirect. if (isAllowedRedirect(request.url())) { m_client->didReceiveRedirectTo(request.url()); if (m_client->isDocumentThreadableLoaderClient()) { return static_cast<DocumentThreadableLoaderClient*>(m_client) ->willFollowRedirect(request, redirectResponse); } return true; } if (m_corsRedirectLimit <= 0) { ThreadableLoaderClient* client = m_client; clear(); client->didFailRedirectCheck(); return false; } --m_corsRedirectLimit; InspectorInstrumentation::didReceiveCORSRedirectResponse( document().frame(), resource->identifier(), document().frame()->loader().documentLoader(), redirectResponse, resource); bool allowRedirect = false; String accessControlErrorDescription; if (!CrossOriginAccessControl::isLegalRedirectLocation( request.url(), accessControlErrorDescription)) { accessControlErrorDescription = "Redirect from '" + redirectResponse.url().getString() + "' has been blocked by CORS policy: " + accessControlErrorDescription; } else if (!m_sameOriginRequest && !passesAccessControlCheck( redirectResponse, effectiveAllowCredentials(), getSecurityOrigin(), accessControlErrorDescription, m_requestContext)) { // The redirect response must pass the access control check if the original // request was not same-origin. accessControlErrorDescription = "Redirect from '" + redirectResponse.url().getString() + "' to '" + request.url().getString() + "' has been blocked by CORS policy: " + accessControlErrorDescription; } else { allowRedirect = true; } if (!allowRedirect) { ThreadableLoaderClient* client = m_client; clear(); client->didFailAccessControlCheck(ResourceError( errorDomainBlinkInternal, 0, redirectResponse.url().getString(), accessControlErrorDescription)); return false; } m_client->didReceiveRedirectTo(request.url()); // FIXME: consider combining this with CORS redirect handling performed by // CrossOriginAccessControl::handleRedirect(). clearResource(); // If the original request wasn't same-origin, then if the request URL origin // is not same origin with the original URL origin, set the source origin to a // globally unique identifier. (If the original request was same-origin, the // origin of the new request should be the original URL origin.) if (!m_sameOriginRequest) { RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redirectResponse.url()); RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(request.url()); if (!originalOrigin->isSameSchemeHostPort(requestOrigin.get())) m_securityOrigin = SecurityOrigin::createUnique(); } // Force any subsequent requests to use these checks. m_sameOriginRequest = false; // Since the request is no longer same-origin, if the user didn't request // credentials in the first place, update our state so we neither request them // nor expect they must be allowed. if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequestCredentials) m_forceDoNotAllowStoredCredentials = true; // Save the referrer to use when following the redirect. m_overrideReferrer = true; m_referrerAfterRedirect = Referrer(request.httpReferrer(), request.getReferrerPolicy()); ResourceRequest crossOriginRequest(request); // Remove any headers that may have been added by the network layer that cause // access control to fail. crossOriginRequest.clearHTTPReferrer(); crossOriginRequest.clearHTTPOrigin(); crossOriginRequest.clearHTTPUserAgent(); // Add any request headers which we previously saved from the // original request. for (const auto& header : m_requestHeaders) crossOriginRequest.setHTTPHeaderField(header.key, header.value); makeCrossOriginAccessRequest(crossOriginRequest); return false; }
// In this method, we can clear |request| to tell content::WebURLLoaderImpl of // Chromium not to follow the redirect. This works only when this method is // called by RawResource::willSendRequest(). If called by // RawResource::didAddClient(), clearing |request| won't be propagated // to content::WebURLLoaderImpl. So, this loader must also get detached from // the resource by calling clearResource(). void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse) { ASSERT(m_client); ASSERT_UNUSED(resource, resource == this->resource()); ASSERT(m_async); if (!m_actualRequest.isNull()) { reportResponseReceived(resource->identifier(), redirectResponse); handlePreflightFailure(redirectResponse.url().string(), "Response for preflight is invalid (redirect)"); // |this| may be dead here. request = ResourceRequest(); return; } if (m_redirectMode == WebURLRequest::FetchRedirectModeManual) { // Keep |this| alive even if the client release a reference in // responseReceived(). RefPtr<DocumentThreadableLoader> protect(this); // We use |m_redirectMode| to check the original redirect mode. // |request| is a new request for redirect. So we don't set the redirect // mode of it in WebURLLoaderImpl::Context::OnReceivedRedirect(). ASSERT(request.useStreamOnResponse()); // There is no need to read the body of redirect response because there // is no way to read the body of opaque-redirect filtered response's // internal response. // TODO(horo): If we support any API which expose the internal body, we // will have to read the body. And also HTTPCache changes will be needed // because it doesn't store the body of redirect responses. responseReceived(resource, redirectResponse, adoptPtr(new EmptyDataHandle())); if (m_client) { ASSERT(m_actualRequest.isNull()); notifyFinished(resource); } request = ResourceRequest(); return; } if (m_redirectMode == WebURLRequest::FetchRedirectModeError || !isAllowedByContentSecurityPolicy(request.url(), ContentSecurityPolicy::DidRedirect)) { ThreadableLoaderClient* client = m_client; clear(); client->didFailRedirectCheck(); // |this| may be dead here. request = ResourceRequest(); return; } // Allow same origin requests to continue after allowing clients to audit the redirect. if (isAllowedRedirect(request.url())) { if (m_client->isDocumentThreadableLoaderClient()) static_cast<DocumentThreadableLoaderClient*>(m_client)->willFollowRedirect(request, redirectResponse); return; } if (m_corsRedirectLimit <= 0) { ThreadableLoaderClient* client = m_client; clear(); client->didFailRedirectCheck(); // |this| may be dead here. } else if (m_options.crossOriginRequestPolicy == UseAccessControl) { --m_corsRedirectLimit; InspectorInstrumentation::didReceiveCORSRedirectResponse(document().frame(), resource->identifier(), document().frame()->loader().documentLoader(), redirectResponse, 0); bool allowRedirect = false; String accessControlErrorDescription; // Non-simple cross origin requests (both preflight and actual one) are // not allowed to follow redirect. if (m_crossOriginNonSimpleRequest) { accessControlErrorDescription = "The request was redirected to '"+ request.url().string() + "', which is disallowed for cross-origin requests that require preflight."; } else { // The redirect response must pass the access control check if the // original request was not same-origin. allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(request.url(), accessControlErrorDescription) && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription, m_requestContext)); } if (allowRedirect) { // FIXME: consider combining this with CORS redirect handling performed by // CrossOriginAccessControl::handleRedirect(). clearResource(); RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redirectResponse.url()); RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(request.url()); // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin, // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request // should be the original URL origin.) if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get())) m_securityOrigin = SecurityOrigin::createUnique(); // Force any subsequent requests to use these checks. m_sameOriginRequest = false; // Since the request is no longer same-origin, if the user didn't request credentials in // the first place, update our state so we neither request them nor expect they must be allowed. if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequestCredentials) m_forceDoNotAllowStoredCredentials = true; // Remove any headers that may have been added by the network layer that cause access control to fail. request.clearHTTPReferrer(); request.clearHTTPOrigin(); request.clearHTTPUserAgent(); // Add any CORS simple request headers which we previously saved from the original request. for (const auto& header : m_simpleRequestHeaders) request.setHTTPHeaderField(header.key, header.value); makeCrossOriginAccessRequest(request); // |this| may be dead here. return; } ThreadableLoaderClient* client = m_client; clear(); client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, redirectResponse.url().string(), accessControlErrorDescription)); // |this| may be dead here. } else { ThreadableLoaderClient* client = m_client; clear(); client->didFailRedirectCheck(); // |this| may be dead here. } request = ResourceRequest(); }