ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction, ResourceRequest::RedirectStatus redirectStatus) const { if (InspectorInstrumentation::shouldBlockRequest(frame(), resourceRequest)) return ResourceRequestBlockedReasonInspector; SecurityOrigin* securityOrigin = options.securityOrigin.get(); if (!securityOrigin && m_document) securityOrigin = m_document->getSecurityOrigin(); if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin && !securityOrigin->canDisplay(url)) { if (!forPreload) FrameLoader::reportLocalLoadFailed(frame(), url.elidedString()); WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource URL was not allowed by SecurityOrigin::canDisplay"); return ResourceRequestBlockedReasonOther; } // Some types of resources can be loaded only from the same origin. Other // types of resources, like Images, Scripts, and CSS, can be loaded from // any URL. switch (type) { case Resource::MainResource: case Resource::Image: case Resource::CSSStyleSheet: case Resource::Script: case Resource::Font: case Resource::Raw: case Resource::LinkPrefetch: case Resource::LinkPreload: case Resource::TextTrack: case Resource::ImportResource: case Resource::Media: case Resource::Manifest: // By default these types of resources can be loaded from any origin. // FIXME: Are we sure about Resource::Font? if (originRestriction == FetchRequest::RestrictToSameOrigin && !securityOrigin->canRequest(url)) { printAccessDeniedMessage(url); return ResourceRequestBlockedReasonOrigin; } break; case Resource::XSLStyleSheet: ASSERT(RuntimeEnabledFeatures::xsltEnabled()); case Resource::SVGDocument: if (!securityOrigin->canRequest(url)) { printAccessDeniedMessage(url); return ResourceRequestBlockedReasonOrigin; } break; } // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. bool shouldBypassMainWorldCSP = frame()->script().shouldBypassMainWorldCSP() || options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy; // Don't send CSP messages for preloads, we might never actually display those items. ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ? ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport; if (m_document) { DCHECK(m_document->contentSecurityPolicy()); if (!shouldBypassMainWorldCSP && !m_document->contentSecurityPolicy()->allowRequest(resourceRequest.requestContext(), url, options.contentSecurityPolicyNonce, redirectStatus, cspReporting)) return ResourceRequestBlockedReasonCSP; } if (type == Resource::Script || type == Resource::ImportResource) { ASSERT(frame()); if (!frame()->loader().client()->allowScriptFromSource(!frame()->settings() || frame()->settings()->scriptEnabled(), url)) { frame()->loader().client()->didNotAllowScript(); // TODO(estark): Use a different ResourceRequestBlockedReason // here, since this check has nothing to do with // CSP. https://crbug.com/600795 return ResourceRequestBlockedReasonCSP; } } else if (type == Resource::Media || type == Resource::TextTrack) { ASSERT(frame()); if (!frame()->loader().client()->allowMedia(url)) return ResourceRequestBlockedReasonOther; } // SVG Images have unique security rules that prevent all subresource requests // except for data urls. if (type != Resource::MainResource && frame()->chromeClient().isSVGImageChromeClient() && !url.protocolIsData()) return ResourceRequestBlockedReasonOrigin; // Measure the number of legacy URL schemes ('ftp://') and the number of embedded-credential // ('http://*****:*****@...') resources embedded as subresources. in the hopes that we can // block them at some point in the future. if (resourceRequest.frameType() != WebURLRequest::FrameTypeTopLevel) { ASSERT(frame()->document()); if (SchemeRegistry::shouldTreatURLSchemeAsLegacy(url.protocol()) && !SchemeRegistry::shouldTreatURLSchemeAsLegacy(frame()->document()->getSecurityOrigin()->protocol())) UseCounter::count(frame()->document(), UseCounter::LegacyProtocolEmbeddedAsSubresource); if (!url.user().isEmpty() || !url.pass().isEmpty()) UseCounter::count(frame()->document(), UseCounter::RequestedSubresourceWithEmbeddedCredentials); } // Check for mixed content. We do this second-to-last so that when folks block // mixed content with a CSP policy, they don't get a warning. They'll still // get a warning in the console about CSP blocking the load. MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; if (MixedContentChecker::shouldBlockFetch(frame(), resourceRequest, url, mixedContentReporting)) return ResourceRequestBlockedReasonMixedContent; // Let the client have the final say into whether or not the load should proceed. DocumentLoader* documentLoader = masterDocumentLoader(); if (documentLoader && documentLoader->subresourceFilter() && type != Resource::MainResource && type != Resource::ImportResource && !documentLoader->subresourceFilter()->allowLoad(url, resourceRequest.requestContext())) return ResourceRequestBlockedReasonSubresourceFilter; return ResourceRequestBlockedReasonNone; }