// Validates the response to a CORS preflight request and, only when every
// check passes, stores the parsed result in the shared preflight result cache.
//
// The checks run in a fixed order and the first one that fails is reported
// through handlePreflightFailure(); nothing is cached on any failure path:
//   1. passesAccessControlCheck() for this loader's origin, credentials mode
//      and request context,
//   2. passesPreflightStatusCheck(),
//   3. the response must parse into a CrossOriginPreflightResultCacheItem,
//   4. that item must allow the actual request's HTTP method,
//   5. that item must allow the actual request's header fields.
//
// |response| is the preflight response; its URL is what the failure handler
// receives. After a call to handlePreflightFailure() this function returns
// immediately without touching any member, because the loader may already
// have been destroyed in async mode.
void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& response)
{
    String errorDescription;

    // Step 1: the general access control check. This is the only failure
    // whose message gets the fixed "Response to preflight request..." prefix.
    const bool accessControlOk = passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), errorDescription, m_requestContext);
    if (!accessControlOk) {
        handlePreflightFailure(response.url().string(), "Response to preflight request doesn't pass access control check: " + errorDescription);
        // |this| may be dead here in async mode.
        return;
    }

    // Step 2: the preflight-specific status check.
    const bool statusOk = passesPreflightStatusCheck(response, errorDescription);
    if (!statusOk) {
        handlePreflightFailure(response.url().string(), errorDescription);
        // |this| may be dead here in async mode.
        return;
    }

    // Steps 3-5: parse the response, then confirm the method and the headers
    // of the actual request are allowed. The && chain short-circuits in the
    // same order as the checks are listed above.
    OwnPtr<CrossOriginPreflightResultCacheItem> cacheItem = adoptPtr(new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
    const bool requestAllowed = cacheItem->parse(response, errorDescription)
        && cacheItem->allowsCrossOriginMethod(m_actualRequest.httpMethod(), errorDescription)
        && cacheItem->allowsCrossOriginHeaders(m_actualRequest.httpHeaderFields(), errorDescription);
    if (!requestAllowed) {
        handlePreflightFailure(response.url().string(), errorDescription);
        // |this| may be dead here in async mode.
        return;
    }

    // Every check passed: hand the item over to the shared cache, keyed by
    // the security origin string and the actual request's URL.
    CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest.url(), cacheItem.release());
}
// Validates the response to a CORS preflight request and, only when every
// check passes, stores the parsed result in the shared preflight result cache.
//
// The checks run in a fixed order; the first failure is reported through
// handlePreflightFailure() and the function returns without caching anything:
//   1. passesAccessControlCheck() for this loader's origin, credentials mode
//      and request context,
//   2. passesPreflightStatusCheck(),
//   3. passesExternalPreflightCheck(), applied only when the actual request
//      reports isExternalRequest(),
//   4. the response must parse into a CrossOriginPreflightResultCacheItem,
//   5. that item must allow the actual request's HTTP method,
//   6. that item must allow the actual request's header fields.
//
// |response| is the preflight response; its URL is what the failure handler
// receives.
void DocumentThreadableLoader::handlePreflightResponse(
    const ResourceResponse& response) {
  String errorDescription;

  // Step 1: the general access control check. This is the only failure whose
  // message gets the fixed "Response to preflight request..." prefix.
  const bool accessControlOk = passesAccessControlCheck(
      response, effectiveAllowCredentials(), getSecurityOrigin(),
      errorDescription, m_requestContext);
  if (!accessControlOk) {
    handlePreflightFailure(
        response.url().getString(),
        "Response to preflight request doesn't pass access control check: " +
            errorDescription);
    return;
  }

  // Step 2: the preflight-specific status check.
  const bool statusOk = passesPreflightStatusCheck(response, errorDescription);
  if (!statusOk) {
    handlePreflightFailure(response.url().getString(), errorDescription);
    return;
  }

  // Step 3: the extra check for requests flagged as external. The nested form
  // keeps the short-circuit: the check is not evaluated for other requests.
  if (m_actualRequest.isExternalRequest()) {
    if (!passesExternalPreflightCheck(response, errorDescription)) {
      handlePreflightFailure(response.url().getString(), errorDescription);
      return;
    }
  }

  // Steps 4-6: parse the response, then confirm the method and the headers of
  // the actual request are allowed, in that order.
  std::unique_ptr<CrossOriginPreflightResultCacheItem> cacheItem =
      WTF::wrapUnique(
          new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
  const bool requestAllowed =
      cacheItem->parse(response, errorDescription) &&
      cacheItem->allowsCrossOriginMethod(m_actualRequest.httpMethod(),
                                         errorDescription) &&
      cacheItem->allowsCrossOriginHeaders(m_actualRequest.httpHeaderFields(),
                                          errorDescription);
  if (!requestAllowed) {
    handlePreflightFailure(response.url().getString(), errorDescription);
    return;
  }

  // Every check passed: move the item into the shared cache, keyed by the
  // security origin string and the actual request's URL.
  CrossOriginPreflightResultCache::shared().appendEntry(
      getSecurityOrigin()->toString(), m_actualRequest.url(),
      std::move(cacheItem));
}
// Handles a response for this loader.
//
// When m_actualRequest is set, |response| is treated as the preflight
// response: it must pass passesAccessControlCheck(), then
// passesPreflightStatusCheck(), then parse into a preflight result that allows
// the actual request's method and headers. The first failure is reported via
// preflightFailure() and nothing is cached; on success the result is added to
// the shared preflight cache. This branch never forwards |response| to the
// client.
//
// Otherwise the response is forwarded to m_client. Before forwarding,
// passesAccessControlCheck() is applied only when the request is not
// same-origin and the policy is UseAccessControl; a failure there is reported
// through didFailAccessControlCheck() and the response is not forwarded.
//
// |identifier| is passed to the inspector and to the client.
void DocumentThreadableLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
    ASSERT(m_client);

    String errorDescription;
    if (m_actualRequest) {
        // The inspector has to be notified at this point: preflightFailure()
        // might synchronously cancel the underlying ResourceLoader before it
        // reports the response, and then the inspector would show the resource
        // type as "other" rather than something more descriptive.
        // NOTE(review): m_document->frame() is dereferenced without a null
        // check; confirm callers guarantee an attached frame here.
        DocumentLoader* loader = m_document->frame()->loader().documentLoader();
        InspectorInstrumentation::didReceiveResourceResponse(m_document->frame(), identifier, loader, response, resource() ? resource()->loader() : 0);

        const bool accessControlOk = passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), errorDescription);
        if (!accessControlOk) {
            preflightFailure(response.url().string(), errorDescription);
            return;
        }

        const bool statusOk = passesPreflightStatusCheck(response, errorDescription);
        if (!statusOk) {
            preflightFailure(response.url().string(), errorDescription);
            return;
        }

        // Parse first, then check method, then headers; the && chain
        // short-circuits in that order.
        OwnPtr<CrossOriginPreflightResultCacheItem> cacheItem = adoptPtr(new CrossOriginPreflightResultCacheItem(m_options.allowCredentials));
        const bool requestAllowed = cacheItem->parse(response, errorDescription)
            && cacheItem->allowsCrossOriginMethod(m_actualRequest->httpMethod(), errorDescription)
            && cacheItem->allowsCrossOriginHeaders(m_actualRequest->httpHeaderFields(), errorDescription);
        if (!requestAllowed) {
            preflightFailure(response.url().string(), errorDescription);
            return;
        }

        // Cache entry is keyed by the security origin string and the actual
        // request's URL; ownership of the item passes to the cache.
        CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest->url(), cacheItem.release());
    } else {
        // The access control check only applies to non-same-origin requests
        // under the UseAccessControl policy; every other response is
        // forwarded to the client unchecked.
        if (!m_sameOriginRequest
            && m_options.crossOriginRequestPolicy == UseAccessControl
            && !passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), errorDescription)) {
            m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), errorDescription));
            return;
        }

        m_client->didReceiveResponse(identifier, response);
    }
}
// Handles a response for this loader.
//
// When m_actualRequest is set, |response| is treated as the preflight
// response: it must pass passesAccessControlCheck(), then
// passesPreflightStatusCheck(), then parse into a preflight result that allows
// the actual request's method and headers. The first failure is reported via
// preflightFailure(), which also receives |identifier|, and nothing is cached;
// on success the result is added to the shared preflight cache. This branch
// never forwards |response| to the client.
//
// Otherwise the response is forwarded to m_client. Before forwarding,
// passesAccessControlCheck() is applied only when the request is not
// same-origin and the policy is UseAccessControl; a failure there is reported
// through didFailAccessControlCheck() and the response is not forwarded.
void DocumentThreadableLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
    ASSERT(m_client);

    String errorDescription;
    if (m_actualRequest) {
        // The inspector is told about the response before any check runs.
        // NOTE(review): m_document->frame() is dereferenced without a null
        // check; confirm callers guarantee an attached frame here.
        DocumentLoader* loader = m_document->frame()->loader().documentLoader();
        InspectorInstrumentation::didReceiveResourceResponse(m_document->frame(), identifier, loader, response, resource() ? resource()->loader() : 0);

        const bool accessControlOk = passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), errorDescription);
        if (!accessControlOk) {
            preflightFailure(identifier, response.url().string(), errorDescription);
            return;
        }

        const bool statusOk = passesPreflightStatusCheck(response, errorDescription);
        if (!statusOk) {
            preflightFailure(identifier, response.url().string(), errorDescription);
            return;
        }

        // Parse first, then check method, then headers; the && chain
        // short-circuits in that order.
        OwnPtr<CrossOriginPreflightResultCacheItem> cacheItem = adoptPtr(new CrossOriginPreflightResultCacheItem(m_options.allowCredentials));
        const bool requestAllowed = cacheItem->parse(response, errorDescription)
            && cacheItem->allowsCrossOriginMethod(m_actualRequest->httpMethod(), errorDescription)
            && cacheItem->allowsCrossOriginHeaders(m_actualRequest->httpHeaderFields(), errorDescription);
        if (!requestAllowed) {
            preflightFailure(identifier, response.url().string(), errorDescription);
            return;
        }

        // Cache entry is keyed by the security origin string and the actual
        // request's URL; ownership of the item passes to the cache.
        CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest->url(), cacheItem.release());
    } else {
        // The access control check only applies to non-same-origin requests
        // under the UseAccessControl policy; every other response is
        // forwarded to the client unchecked.
        if (!m_sameOriginRequest
            && m_options.crossOriginRequestPolicy == UseAccessControl
            && !passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), errorDescription)) {
            m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), errorDescription));
            return;
        }

        m_client->didReceiveResponse(identifier, response);
    }
}