// Routes a cross-origin XHR to either the direct ("simple") send path or the
// preflighted path. Only valid for requests already classified as
// cross-origin, which the assertion below checks in debug builds.
void XMLHttpRequest::makeCrossOriginAccessRequest(ExceptionCode& ec)
{
    ASSERT(!m_sameOriginRequest);

    // The preflighted path is taken whenever m_uploadEventsAllowed is set, or
    // when isSimpleCrossOriginAccessRequest() rejects the method/header
    // combination. The flag is tested first, so the method/header check is
    // skipped entirely when the flag is set.
    if (m_uploadEventsAllowed || !isSimpleCrossOriginAccessRequest(m_method, m_requestHeaders)) {
        makeCrossOriginAccessRequestWithPreflight(ec);
        return;
    }

    // Only requests that pass both conditions go out without a preflight.
    makeSimpleCrossOriginAccessRequest(ec);
}
// Starts a cross-origin load under the UseAccessControl policy. Works on a
// private copy of |request|, so the caller's object is never modified, and
// chooses between a direct send, a cached preflight result, or a new preflight.
void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
{
    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);

    auto accessControlRequest = std::make_unique<ResourceRequest>(request);
    // The copy is updated before the simple-request test, so that test sees
    // the method and header fields as they stand after this call.
    updateRequestForAccessControl(*accessControlRequest, securityOrigin(), m_options.allowCredentials());

    const bool passesSimpleCheck = m_options.preflightPolicy == ConsiderPreflight
        && isSimpleCrossOriginAccessRequest(accessControlRequest->httpMethod(), accessControlRequest->httpHeaderFields());

    // PreventPreflight sends the request directly without running the
    // simple-request check at all.
    // NOTE(review): confirm which callers are allowed to select that policy.
    if (passesSimpleCheck || m_options.preflightPolicy == PreventPreflight) {
        makeSimpleCrossOriginAccessRequest(*accessControlRequest);
        return;
    }

    m_simpleRequest = false;
    m_actualRequest = WTFMove(accessControlRequest);

    // The cache lookup takes the origin string, URL, credentials flag, method
    // and header fields; when it reports the preflight can be skipped,
    // preflightSuccess() is invoked straight away.
    const bool preflightCached = CrossOriginPreflightResultCache::singleton().canSkipPreflight(
        securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials(),
        m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields());
    if (preflightCached) {
        preflightSuccess();
        return;
    }

    makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
// Constructs the loader and immediately starts (or rejects) the load.
// The same-origin decision is made once, here, from the document's security
// origin and the request URL; the cross-origin policy in |options| then
// selects between loading directly, failing, or the access-control path.
DocumentThreadableLoader::DocumentThreadableLoader(Document* document, ThreadableLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options)
    : m_client(client)
    , m_document(document)
    , m_options(options)
#if PLATFORM(APOLLO)
    , m_sameOriginRequest(document->securityOrigin()->canRequestExt(request.url(), document))
#else
    , m_sameOriginRequest(document->securityOrigin()->canRequest(request.url()))
#endif
    , m_async(blockingBehavior == LoadAsynchronously)
{
    // NOTE(review): |document| has already been dereferenced in the
    // initializer list above, so this assertion cannot catch a null document
    // before its first use.
    ASSERT(document);
    ASSERT(client);

    // Same-origin requests, and cross-origin requests under
    // AllowCrossOriginRequests, go straight to loadRequest() and never reach
    // the access-control handling below.
    if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
        loadRequest(request, DoSecurityCheck);
        return;
    }

    // Cross-origin under DenyCrossOriginRequests: fail with a default-constructed error.
    if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
        m_client->didFail(ResourceError());
        return;
    }

    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);

    // Work on a private copy: credentials carried by the original request are
    // removed, and cookies are allowed only if the options allow credentials.
    OwnPtr<ResourceRequest> accessControlRequest(new ResourceRequest(request));
    accessControlRequest->removeCredentials();
    accessControlRequest->setAllowCookies(m_options.allowCredentials);

    // forcePreflight skips the simple-request check and always takes the
    // preflight path below.
    const bool sendWithoutPreflight = !m_options.forcePreflight
        && isSimpleCrossOriginAccessRequest(accessControlRequest->httpMethod(), accessControlRequest->httpHeaderFields());
    if (sendWithoutPreflight) {
        makeSimpleCrossOriginAccessRequest(*accessControlRequest);
        return;
    }

    m_actualRequest.set(accessControlRequest.release());

    // The cache lookup takes the origin string, URL, credentials flag, method
    // and header fields; a hit calls preflightSuccess() without a new preflight.
    const bool preflightCached = CrossOriginPreflightResultCache::shared().canSkipPreflight(
        document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials,
        m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields());
    if (preflightCached) {
        preflightSuccess();
        return;
    }

    makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
// Constructs the loader and immediately starts (or rejects) the load.
// The same-origin decision is made once, in the initializer list, from
// securityOrigin() and the request URL; the cross-origin policy in |options|
// then selects between loading directly, failing, or the access-control path.
DocumentThreadableLoader::DocumentThreadableLoader(Document* document, ThreadableLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options)
    : m_client(client)
    , m_document(document)
    , m_options(options)
    , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
    , m_async(blockingBehavior == LoadAsynchronously)
#if ENABLE(INSPECTOR)
    , m_preflightRequestIdentifier(0)
#endif
{
    // NOTE(review): securityOrigin() is called in the initializer list before
    // these assertions run; if it reads m_document, a null document is used
    // before being checked - confirm against its definition.
    ASSERT(document);
    ASSERT(client);
    // An outgoing referrer can only be set on the asynchronous code path.
    ASSERT(m_async || request.httpReferrer().isEmpty());

    // Same-origin requests, and cross-origin requests under
    // AllowCrossOriginRequests, go straight to loadRequest() and never reach
    // the access-control handling below.
    if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
        loadRequest(request, DoSecurityCheck);
        return;
    }

    // Cross-origin under DenyCrossOriginRequests: report a descriptive
    // internal error that includes the request URL.
    if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
        m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are not supported."));
        return;
    }

    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);

    // Work on a private copy, updated before the simple-request test so the
    // test sees the method and headers as they stand after this call.
    OwnPtr<ResourceRequest> accessControlRequest = adoptPtr(new ResourceRequest(request));
    updateRequestForAccessControl(*accessControlRequest, securityOrigin(), m_options.allowCredentials);

    const bool passesSimpleCheck = m_options.preflightPolicy == ConsiderPreflight
        && isSimpleCrossOriginAccessRequest(accessControlRequest->httpMethod(), accessControlRequest->httpHeaderFields());

    // PreventPreflight sends the request directly without running the
    // simple-request check at all.
    // NOTE(review): confirm which callers are allowed to select that policy.
    if (passesSimpleCheck || m_options.preflightPolicy == PreventPreflight) {
        makeSimpleCrossOriginAccessRequest(*accessControlRequest);
        return;
    }

    m_actualRequest = accessControlRequest.release();

    // The cache lookup takes the origin string, URL, credentials flag, method
    // and header fields; a hit calls preflightSuccess() without a new preflight.
    const bool preflightCached = CrossOriginPreflightResultCache::shared().canSkipPreflight(
        securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials,
        m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields());
    if (preflightCached) {
        preflightSuccess();
        return;
    }

    makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}
// Starts a cross-origin load under the UseAccessControl policy. Works on a
// private copy of |request| and chooses between a direct send, a cached
// preflight result, or a new preflight. In this version the simple-request
// test runs on the copy before updateRequestForAccessControl() is applied.
void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
{
    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);

    OwnPtr<ResourceRequest> accessControlRequest = adoptPtr(new ResourceRequest(request));

    const bool passesSimpleCheck = m_options.preflightPolicy == ConsiderPreflight
        && isSimpleCrossOriginAccessRequest(accessControlRequest->httpMethod(), accessControlRequest->httpHeaderFields());

    // PreventPreflight sends the request directly without running the
    // simple-request check at all.
    // NOTE(review): confirm which callers are allowed to select that policy.
    if (passesSimpleCheck || m_options.preflightPolicy == PreventPreflight) {
        // Direct send: the request is updated with this loader's security origin.
        updateRequestForAccessControl(*accessControlRequest, securityOrigin(), m_options.allowCredentials);
        makeSimpleCrossOriginAccessRequest(*accessControlRequest);
        return;
    }

    m_simpleRequest = false;
    // The Origin header is deliberately not set on requests that go through
    // preflight, hence the null origin argument here.
    // NOTE(review): m_actualRequest is stored without an origin; verify where
    // the origin is applied before the actual request is sent.
    updateRequestForAccessControl(*accessControlRequest, 0, m_options.allowCredentials);
    m_actualRequest = accessControlRequest.release();

    // The cache lookup takes the origin string, URL, credentials flag, method
    // and header fields; a hit calls preflightSuccess() without a new preflight.
    const bool preflightCached = CrossOriginPreflightResultCache::shared().canSkipPreflight(
        securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials,
        m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields());
    if (preflightCached) {
        preflightSuccess();
        return;
    }

    makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
}