static PathToDefaultProtectionSpaceMap::iterator findDefaultProtectionSpaceForURL(const KURL& url)
{
ASSERT(url.protocolIsInHTTPFamily());
ASSERT(url.isValid());
PathToDefaultProtectionSpaceMap& map = pathToDefaultProtectionSpaceMap();
// Don't spend time iterating the path for origins that don't have any credentials.
if (!originsWithCredentials().contains(originStringFromURL(url)))
return map.end();
String directoryURL = protectionSpaceMapKeyFromURL(url);
unsigned directoryURLPathStart = url.pathStart();
while (true) {
PathToDefaultProtectionSpaceMap::iterator iter = map.find(directoryURL);
if (iter != map.end())
return iter;
if (directoryURL.length() == directoryURLPathStart + 1) // path is "/" already, cannot shorten it any more
return map.end();
size_t index = directoryURL.reverseFind('/', directoryURL.length() - 2);
ASSERT(index != notFound);
directoryURL = directoryURL.substring(0, (index == directoryURLPathStart) ? index + 1 : index);
ASSERT(directoryURL.length() > directoryURLPathStart);
ASSERT(directoryURL.length() == directoryURLPathStart + 1 || directoryURL[directoryURL.length() - 1] != '/');
}
}
IconURL IconController::defaultURL(IconType iconType)
{
// Don't return a favicon iconURL unless we're http or https
KURL documentURL = m_frame->document()->url();
if (!documentURL.protocolIsInHTTPFamily())
return IconURL();
KURL url;
bool couldSetProtocol = url.setProtocol(documentURL.protocol());
ASSERT_UNUSED(couldSetProtocol, couldSetProtocol);
url.setHost(documentURL.host());
if (documentURL.hasPort())
url.setPort(documentURL.port());
if (iconType == Favicon) {
url.setPath("/favicon.ico");
return IconURL::defaultIconURL(url, Favicon);
}
#if ENABLE(TOUCH_ICON_LOADING)
if (iconType == TouchPrecomposedIcon) {
url.setPath("/apple-touch-icon-precomposed.png");
return IconURL::defaultIconURL(url, TouchPrecomposedIcon);
}
if (iconType == TouchIcon) {
url.setPath("/apple-touch-icon.png");
return IconURL::defaultIconURL(url, TouchIcon);
}
#endif
return IconURL();
}
static bool schemeRequiresAuthority(const KURL& url)
{
// We expect URLs with these schemes to have authority components. If the
// URL lacks an authority component, we get concerned and mark the origin
// as unique.
return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
}
static void preconnectIfNeeded(
const LinkRelAttribute& relAttribute,
const KURL& href,
Document& document,
const CrossOriginAttributeValue crossOrigin,
const NetworkHintsInterface& networkHintsInterface,
LinkCaller caller) {
if (relAttribute.isPreconnect() && href.isValid() &&
href.protocolIsInHTTPFamily()) {
UseCounter::count(document, UseCounter::LinkRelPreconnect);
if (caller == LinkCalledFromHeader)
UseCounter::count(document, UseCounter::LinkHeaderPreconnect);
Settings* settings = document.settings();
if (settings && settings->logDnsPrefetchAndPreconnect()) {
document.addConsoleMessage(ConsoleMessage::create(
OtherMessageSource, DebugMessageLevel,
String("Preconnect triggered for ") + href.getString()));
if (crossOrigin != CrossOriginAttributeNotSet) {
document.addConsoleMessage(ConsoleMessage::create(
OtherMessageSource, DebugMessageLevel,
String("Preconnect CORS setting is ") +
String((crossOrigin == CrossOriginAttributeAnonymous)
? "anonymous"
: "use-credentials")));
}
}
networkHintsInterface.preconnectHost(href, crossOrigin);
}
}
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
{
internalAbort();
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (!async && scriptExecutionContext()->isDocument() && url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set.");
ec = INVALID_ACCESS_ERR;
return;
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
bool CredentialStorage::set(const Credential& credential, const KURL& url)
{
ASSERT(url.protocolIsInHTTPFamily());
ASSERT(url.isValid());
PathToDefaultProtectionSpaceMap::iterator iter = findDefaultProtectionSpaceForURL(url);
if (iter == pathToDefaultProtectionSpaceMap().end())
return false;
ASSERT(originsWithCredentials().contains(originStringFromURL(url)));
protectionSpaceToCredentialMap().set(iter->value, credential);
return true;
}
void WebFrameLoaderClient::dispatchDidFailToStartPlugin(const PluginView* pluginView) const
{
WebView* webView = m_webFrame->webView();
COMPtr<IWebResourceLoadDelegate> resourceLoadDelegate;
if (FAILED(webView->resourceLoadDelegate(&resourceLoadDelegate)))
return;
RetainPtr<CFMutableDictionaryRef> userInfo(AdoptCF, CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
Frame* frame = core(m_webFrame);
ASSERT(frame == pluginView->parentFrame());
if (!pluginView->pluginsPage().isNull()) {
KURL pluginPageURL = frame->document()->completeURL(stripLeadingAndTrailingHTMLSpaces(pluginView->pluginsPage()));
if (pluginPageURL.protocolIsInHTTPFamily()) {
static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorPlugInPageURLStringKey);
CFDictionarySetValue(userInfo.get(), key, pluginPageURL.string().createCFString().get());
}
}
if (!pluginView->mimeType().isNull()) {
static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorMIMETypeKey);
CFDictionarySetValue(userInfo.get(), key, pluginView->mimeType().createCFString().get());
}
if (pluginView->plugin()) {
String pluginName = pluginView->plugin()->name();
if (!pluginName.isNull()) {
static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorPlugInNameKey);
CFDictionarySetValue(userInfo.get(), key, pluginName.createCFString().get());
}
}
COMPtr<CFDictionaryPropertyBag> userInfoBag = CFDictionaryPropertyBag::createInstance();
userInfoBag->setDictionary(userInfo.get());
int errorCode = 0;
switch (pluginView->status()) {
case PluginStatusCanNotFindPlugin:
errorCode = WebKitErrorCannotFindPlugIn;
break;
case PluginStatusCanNotLoadPlugin:
errorCode = WebKitErrorCannotLoadPlugIn;
break;
default:
ASSERT_NOT_REACHED();
}
ResourceError resourceError(String(WebKitErrorDomain), errorCode, pluginView->url().string(), String());
COMPtr<IWebError> error(AdoptCOM, WebError::createInstance(resourceError, userInfoBag.get()));
resourceLoadDelegate->plugInFailedWithError(webView, error.get(), getWebDataSource(frame->loader()->documentLoader()));
}
KURL MemoryCache::removeFragmentIdentifierIfNeeded(const KURL& originalURL)
{
if (!originalURL.hasFragmentIdentifier())
return originalURL;
// Strip away fragment identifier from HTTP URLs.
// Data URLs must be unmodified. For file and custom URLs clients may expect resources
// to be unique even when they differ by the fragment identifier only.
if (!originalURL.protocolIsInHTTPFamily())
return originalURL;
KURL url = originalURL;
url.removeFragmentIdentifier();
return url;
}
IconURL IconURL::defaultFavicon(const KURL& documentURL) {
DCHECK(documentURL.protocolIsInHTTPFamily());
KURL url;
bool couldSetProtocol = url.setProtocol(documentURL.protocol());
DCHECK(couldSetProtocol);
url.setHost(documentURL.host());
if (documentURL.hasPort())
url.setPort(documentURL.port());
url.setPath("/favicon.ico");
IconURL result(url, Vector<IntSize>(), emptyString(), Favicon);
result.m_isDefaultIcon = true;
return result;
}
void WebChromeClient::unavailablePluginButtonClicked(Element* element, RenderEmbeddedObject::PluginUnavailabilityReason pluginUnavailabilityReason) const
{
ASSERT(element->hasTagName(objectTag) || element->hasTagName(embedTag) || element->hasTagName(appletTag));
ASSERT(pluginUnavailabilityReason == RenderEmbeddedObject::PluginMissing || pluginUnavailabilityReason == RenderEmbeddedObject::InsecurePluginVersion || pluginUnavailabilityReason == RenderEmbeddedObject::PluginInactive);
HTMLPlugInImageElement* pluginElement = static_cast<HTMLPlugInImageElement*>(element);
String frameURLString = pluginElement->document()->frame()->loader()->documentLoader()->responseURL().string();
String pageURLString = m_page->mainFrame()->loader()->documentLoader()->responseURL().string();
KURL pluginspageAttributeURL = element->document()->completeURL(stripLeadingAndTrailingHTMLSpaces(pluginElement->getAttribute(pluginspageAttr)));
if (!pluginspageAttributeURL.protocolIsInHTTPFamily())
pluginspageAttributeURL = KURL();
m_page->send(Messages::WebPageProxy::UnavailablePluginButtonClicked(pluginUnavailabilityReason, pluginElement->serviceType(), pluginElement->url(), pluginspageAttributeURL.string(), frameURLString, pageURLString));
}
void MediaPlayerPrivateGStreamer::setPlaybinURL(KURL& url)
{
// Clean out everything after file:// url path.
if (url.isLocalFile()) {
url.setQuery(String());
url.removeFragmentIdentifier();
}
m_url = url;
if (url.protocolIsInHTTPFamily())
url.setProtocol("webkit+" + url.protocol());
LOG_MEDIA_MESSAGE("Load %s", url.string().utf8().data());
g_object_set(m_playBin.get(), "uri", url.string().utf8().data(), NULL);
}
void CredentialStorage::set(const Credential& credential, const ProtectionSpace& protectionSpace, const KURL& url)
{
ASSERT(protectionSpace.isProxy() || url.protocolIsInHTTPFamily());
ASSERT(protectionSpace.isProxy() || url.isValid());
protectionSpaceToCredentialMap().set(protectionSpace, credential);
if (!protectionSpace.isProxy()) {
originsWithCredentials().add(originStringFromURL(url));
ProtectionSpaceAuthenticationScheme scheme = protectionSpace.authenticationScheme();
if (scheme == ProtectionSpaceAuthenticationSchemeHTTPBasic || scheme == ProtectionSpaceAuthenticationSchemeDefault) {
// The map can contain both a path and its subpath - while redundant, this makes lookups faster.
pathToDefaultProtectionSpaceMap().set(protectionSpaceMapKeyFromURL(url), protectionSpace);
}
}
}
IconURL IconController::defaultURL(IconType iconType)
{
// Don't return a favicon iconURL unless we're http or https
KURL documentURL = m_frame->document()->url();
if (!documentURL.protocolIsInHTTPFamily())
return IconURL();
KURL url;
bool couldSetProtocol = url.setProtocol(documentURL.protocol());
ASSERT_UNUSED(couldSetProtocol, couldSetProtocol);
url.setHost(documentURL.host());
if (documentURL.hasPort())
url.setPort(documentURL.port());
if (iconType == Favicon) {
url.setPath("/favicon.ico");
return IconURL::defaultIconURL(url, Favicon);
}
return IconURL();
}
void DumpRenderTreeChrome::onWillSendRequest(void*, Evas_Object*, void* eventInfo)
{
Ewk_Frame_Resource_Messages* messages = static_cast<Ewk_Frame_Resource_Messages*>(eventInfo);
if (!done && gTestRunner->dumpResourceLoadCallbacks())
printf("%s - willSendRequest %s redirectResponse %s\n",
m_dumpAssignedUrls.contains(messages->request->identifier) ? m_dumpAssignedUrls.get(messages->request->identifier).data() : "<unknown>",
descriptionSuitableForTestResult(messages->request).data(),
descriptionSuitableForTestResult(messages->redirect_response).data());
if (!done && gTestRunner->willSendRequestReturnsNull()) {
// As requested by the TestRunner, don't perform the request.
messages->request->url = 0;
return;
}
if (!done && gTestRunner->willSendRequestReturnsNullOnRedirect() && messages->redirect_response) {
printf("Returning null for this redirect\n");
messages->request->url = 0;
return;
}
KURL url = KURL(ParsedURLString, messages->request->url);
if (url.isValid()
&& url.protocolIsInHTTPFamily()
&& url.host() != "127.0.0.1"
&& url.host() != "255.255.255.255"
&& url.host().lower() != "localhost") {
printf("Blocked access to external URL %s\n", messages->request->url);
messages->request->url = 0;
return;
}
const std::string& destination = gTestRunner->redirectionDestinationForURL(url.string().utf8().data());
if (destination.length())
messages->request->url = strdup(destination.c_str());
}
bool NavigatorBeacon::canSendBeacon(ExecutionContext* context, const KURL& url, ExceptionState& exceptionState)
{
if (!url.isValid()) {
exceptionState.throwDOMException(SyntaxError, "The URL argument is ill-formed or unsupported.");
return false;
}
// For now, only support HTTP and related.
if (!url.protocolIsInHTTPFamily()) {
exceptionState.throwDOMException(SyntaxError, "Beacons are only supported over HTTP(S).");
return false;
}
// FIXME: CSP is not enforced on redirects, crbug.com/372197
if (!ContentSecurityPolicy::shouldBypassMainWorld(context) && !context->contentSecurityPolicy()->allowConnectToSource(url)) {
// We can safely expose the URL to JavaScript, as these checks happen synchronously before redirection. JavaScript receives no new information.
exceptionState.throwSecurityError("Refused to send beacon to '" + url.elidedString() + "' because it violates the document's Content Security Policy.");
return false;
}
// If detached from frame, do not allow sending a Beacon.
if (!frame() || !frame()->client())
return false;
return true;
}
void XMLHttpRequest::open(const AtomicString& method, const KURL& url, bool async, ExceptionState& exceptionState)
{
WTF_LOG(Network, "XMLHttpRequest %p open('%s', '%s', %d)", this, method.string().utf8().data(), url.elidedString().utf8().data(), async);
if (!internalAbort())
return;
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
exceptionState.throwDOMException(SyntaxError, "'" + method + "' is not a valid HTTP method.");
return;
}
if (!isAllowedHTTPMethod(method)) {
exceptionState.throwSecurityError("'" + method + "' HTTP method is unsupported.");
return;
}
if (!ContentSecurityPolicy::shouldBypassMainWorld(executionContext()) && !executionContext()->contentSecurityPolicy()->allowConnectToSource(url)) {
// We can safely expose the URL to JavaScript, as these checks happen synchronously before redirection. JavaScript receives no new information.
exceptionState.throwSecurityError("Refused to connect to '" + url.elidedString() + "' because it violates the document's Content Security Policy.");
return;
}
if (!async && executionContext()->isDocument()) {
if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests are disabled for this page.");
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous HTTP requests from a document must not set a response type.");
return;
}
// Similarly, timeouts are disabled for synchronous requests as well.
if (m_timeoutMilliseconds > 0) {
exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests must not set a timeout.");
return;
}
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
{
internalAbort();
State previousState = m_state;
m_state = UNSENT;
m_error = false;
m_uploadComplete = false;
// clear stuff from possible previous load
clearResponse();
clearRequest();
ASSERT(m_state == UNSENT);
if (!isValidHTTPToken(method)) {
ec = SYNTAX_ERR;
return;
}
if (!isAllowedHTTPMethod(method)) {
ec = SECURITY_ERR;
return;
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
bool shouldBypassMainWorldContentSecurityPolicy = false;
if (scriptExecutionContext()->isDocument()) {
Document* document = static_cast<Document*>(scriptExecutionContext());
shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy();
}
if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
if (!async && scriptExecutionContext()->isDocument()) {
if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests are disabled for this page.");
ec = INVALID_ACCESS_ERR;
return;
}
// Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated
// attempt to discourage synchronous XHR use. responseType is one such piece of functionality.
// We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols
// such as file: and data: still make sense to allow.
if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) {
logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set.");
ec = INVALID_ACCESS_ERR;
return;
}
#if ENABLE(XHR_TIMEOUT)
// Similarly, timeouts are disabled for synchronous requests as well.
if (m_timeoutMilliseconds > 0) {
logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests must not have a timeout value set.");
ec = INVALID_ACCESS_ERR;
return;
}
#endif
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
m_async = async;
ASSERT(!m_loader);
// Check previous state to avoid dispatching readyState event
// when calling open several times in a row.
if (previousState != OPENED)
changeState(OPENED);
else
m_state = OPENED;
}
bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const
{
if (equalIgnoringCase("http", m_selfProtocol))
return url.protocolIsInHTTPFamily();
return equalIgnoringCase(url.protocol(), m_selfProtocol);
}