static PathToDefaultProtectionSpaceMap::iterator findDefaultProtectionSpaceForURL(const KURL& url) { ASSERT(url.protocolIsInHTTPFamily()); ASSERT(url.isValid()); PathToDefaultProtectionSpaceMap& map = pathToDefaultProtectionSpaceMap(); // Don't spend time iterating the path for origins that don't have any credentials. if (!originsWithCredentials().contains(originStringFromURL(url))) return map.end(); String directoryURL = protectionSpaceMapKeyFromURL(url); unsigned directoryURLPathStart = url.pathStart(); while (true) { PathToDefaultProtectionSpaceMap::iterator iter = map.find(directoryURL); if (iter != map.end()) return iter; if (directoryURL.length() == directoryURLPathStart + 1) // path is "/" already, cannot shorten it any more return map.end(); size_t index = directoryURL.reverseFind('/', directoryURL.length() - 2); ASSERT(index != notFound); directoryURL = directoryURL.substring(0, (index == directoryURLPathStart) ? index + 1 : index); ASSERT(directoryURL.length() > directoryURLPathStart); ASSERT(directoryURL.length() == directoryURLPathStart + 1 || directoryURL[directoryURL.length() - 1] != '/'); } }
IconURL IconController::defaultURL(IconType iconType) { // Don't return a favicon iconURL unless we're http or https KURL documentURL = m_frame->document()->url(); if (!documentURL.protocolIsInHTTPFamily()) return IconURL(); KURL url; bool couldSetProtocol = url.setProtocol(documentURL.protocol()); ASSERT_UNUSED(couldSetProtocol, couldSetProtocol); url.setHost(documentURL.host()); if (documentURL.hasPort()) url.setPort(documentURL.port()); if (iconType == Favicon) { url.setPath("/favicon.ico"); return IconURL::defaultIconURL(url, Favicon); } #if ENABLE(TOUCH_ICON_LOADING) if (iconType == TouchPrecomposedIcon) { url.setPath("/apple-touch-icon-precomposed.png"); return IconURL::defaultIconURL(url, TouchPrecomposedIcon); } if (iconType == TouchIcon) { url.setPath("/apple-touch-icon.png"); return IconURL::defaultIconURL(url, TouchIcon); } #endif return IconURL(); }
static bool schemeRequiresAuthority(const KURL& url) { // We expect URLs with these schemes to have authority components. If the // URL lacks an authority component, we get concerned and mark the origin // as unique. return url.protocolIsInHTTPFamily() || url.protocolIs("ftp"); }
static void preconnectIfNeeded( const LinkRelAttribute& relAttribute, const KURL& href, Document& document, const CrossOriginAttributeValue crossOrigin, const NetworkHintsInterface& networkHintsInterface, LinkCaller caller) { if (relAttribute.isPreconnect() && href.isValid() && href.protocolIsInHTTPFamily()) { UseCounter::count(document, UseCounter::LinkRelPreconnect); if (caller == LinkCalledFromHeader) UseCounter::count(document, UseCounter::LinkHeaderPreconnect); Settings* settings = document.settings(); if (settings && settings->logDnsPrefetchAndPreconnect()) { document.addConsoleMessage(ConsoleMessage::create( OtherMessageSource, DebugMessageLevel, String("Preconnect triggered for ") + href.getString())); if (crossOrigin != CrossOriginAttributeNotSet) { document.addConsoleMessage(ConsoleMessage::create( OtherMessageSource, DebugMessageLevel, String("Preconnect CORS setting is ") + String((crossOrigin == CrossOriginAttributeAnonymous) ? "anonymous" : "use-credentials"))); } } networkHintsInterface.preconnectHost(href, crossOrigin); } }
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec) { internalAbort(); State previousState = m_state; m_state = UNSENT; m_error = false; m_uploadComplete = false; // clear stuff from possible previous load clearResponse(); clearRequest(); ASSERT(m_state == UNSENT); if (!isValidHTTPToken(method)) { ec = SYNTAX_ERR; return; } if (!isAllowedHTTPMethod(method)) { ec = SECURITY_ERR; return; } if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) { // FIXME: Should this be throwing an exception? ec = SECURITY_ERR; return; } // Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated // attempt to discourage synchronous XHR use. responseType is one such piece of functionality. // We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols // such as file: and data: still make sense to allow. if (!async && scriptExecutionContext()->isDocument() && url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) { logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set."); ec = INVALID_ACCESS_ERR; return; } m_method = uppercaseKnownHTTPMethod(method); m_url = url; m_async = async; ASSERT(!m_loader); // Check previous state to avoid dispatching readyState event // when calling open several times in a row. if (previousState != OPENED) changeState(OPENED); else m_state = OPENED; }
bool CredentialStorage::set(const Credential& credential, const KURL& url) { ASSERT(url.protocolIsInHTTPFamily()); ASSERT(url.isValid()); PathToDefaultProtectionSpaceMap::iterator iter = findDefaultProtectionSpaceForURL(url); if (iter == pathToDefaultProtectionSpaceMap().end()) return false; ASSERT(originsWithCredentials().contains(originStringFromURL(url))); protectionSpaceToCredentialMap().set(iter->value, credential); return true; }
void WebFrameLoaderClient::dispatchDidFailToStartPlugin(const PluginView* pluginView) const { WebView* webView = m_webFrame->webView(); COMPtr<IWebResourceLoadDelegate> resourceLoadDelegate; if (FAILED(webView->resourceLoadDelegate(&resourceLoadDelegate))) return; RetainPtr<CFMutableDictionaryRef> userInfo(AdoptCF, CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); Frame* frame = core(m_webFrame); ASSERT(frame == pluginView->parentFrame()); if (!pluginView->pluginsPage().isNull()) { KURL pluginPageURL = frame->document()->completeURL(stripLeadingAndTrailingHTMLSpaces(pluginView->pluginsPage())); if (pluginPageURL.protocolIsInHTTPFamily()) { static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorPlugInPageURLStringKey); CFDictionarySetValue(userInfo.get(), key, pluginPageURL.string().createCFString().get()); } } if (!pluginView->mimeType().isNull()) { static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorMIMETypeKey); CFDictionarySetValue(userInfo.get(), key, pluginView->mimeType().createCFString().get()); } if (pluginView->plugin()) { String pluginName = pluginView->plugin()->name(); if (!pluginName.isNull()) { static CFStringRef key = MarshallingHelpers::LPCOLESTRToCFStringRef(WebKitErrorPlugInNameKey); CFDictionarySetValue(userInfo.get(), key, pluginName.createCFString().get()); } } COMPtr<CFDictionaryPropertyBag> userInfoBag = CFDictionaryPropertyBag::createInstance(); userInfoBag->setDictionary(userInfo.get()); int errorCode = 0; switch (pluginView->status()) { case PluginStatusCanNotFindPlugin: errorCode = WebKitErrorCannotFindPlugIn; break; case PluginStatusCanNotLoadPlugin: errorCode = WebKitErrorCannotLoadPlugIn; break; default: ASSERT_NOT_REACHED(); } ResourceError resourceError(String(WebKitErrorDomain), errorCode, pluginView->url().string(), String()); COMPtr<IWebError> error(AdoptCOM, WebError::createInstance(resourceError, userInfoBag.get())); resourceLoadDelegate->plugInFailedWithError(webView, error.get(), getWebDataSource(frame->loader()->documentLoader())); }
KURL MemoryCache::removeFragmentIdentifierIfNeeded(const KURL& originalURL) { if (!originalURL.hasFragmentIdentifier()) return originalURL; // Strip away fragment identifier from HTTP URLs. // Data URLs must be unmodified. For file and custom URLs clients may expect resources // to be unique even when they differ by the fragment identifier only. if (!originalURL.protocolIsInHTTPFamily()) return originalURL; KURL url = originalURL; url.removeFragmentIdentifier(); return url; }
IconURL IconURL::defaultFavicon(const KURL& documentURL) { DCHECK(documentURL.protocolIsInHTTPFamily()); KURL url; bool couldSetProtocol = url.setProtocol(documentURL.protocol()); DCHECK(couldSetProtocol); url.setHost(documentURL.host()); if (documentURL.hasPort()) url.setPort(documentURL.port()); url.setPath("/favicon.ico"); IconURL result(url, Vector<IntSize>(), emptyString(), Favicon); result.m_isDefaultIcon = true; return result; }
void WebChromeClient::unavailablePluginButtonClicked(Element* element, RenderEmbeddedObject::PluginUnavailabilityReason pluginUnavailabilityReason) const { ASSERT(element->hasTagName(objectTag) || element->hasTagName(embedTag) || element->hasTagName(appletTag)); ASSERT(pluginUnavailabilityReason == RenderEmbeddedObject::PluginMissing || pluginUnavailabilityReason == RenderEmbeddedObject::InsecurePluginVersion || pluginUnavailabilityReason == RenderEmbeddedObject::PluginInactive); HTMLPlugInImageElement* pluginElement = static_cast<HTMLPlugInImageElement*>(element); String frameURLString = pluginElement->document()->frame()->loader()->documentLoader()->responseURL().string(); String pageURLString = m_page->mainFrame()->loader()->documentLoader()->responseURL().string(); KURL pluginspageAttributeURL = element->document()->completeURL(stripLeadingAndTrailingHTMLSpaces(pluginElement->getAttribute(pluginspageAttr))); if (!pluginspageAttributeURL.protocolIsInHTTPFamily()) pluginspageAttributeURL = KURL(); m_page->send(Messages::WebPageProxy::UnavailablePluginButtonClicked(pluginUnavailabilityReason, pluginElement->serviceType(), pluginElement->url(), pluginspageAttributeURL.string(), frameURLString, pageURLString)); }
void MediaPlayerPrivateGStreamer::setPlaybinURL(KURL& url) { // Clean out everything after file:// url path. if (url.isLocalFile()) { url.setQuery(String()); url.removeFragmentIdentifier(); } m_url = url; if (url.protocolIsInHTTPFamily()) url.setProtocol("webkit+" + url.protocol()); LOG_MEDIA_MESSAGE("Load %s", url.string().utf8().data()); g_object_set(m_playBin.get(), "uri", url.string().utf8().data(), NULL); }
void CredentialStorage::set(const Credential& credential, const ProtectionSpace& protectionSpace, const KURL& url) { ASSERT(protectionSpace.isProxy() || url.protocolIsInHTTPFamily()); ASSERT(protectionSpace.isProxy() || url.isValid()); protectionSpaceToCredentialMap().set(protectionSpace, credential); if (!protectionSpace.isProxy()) { originsWithCredentials().add(originStringFromURL(url)); ProtectionSpaceAuthenticationScheme scheme = protectionSpace.authenticationScheme(); if (scheme == ProtectionSpaceAuthenticationSchemeHTTPBasic || scheme == ProtectionSpaceAuthenticationSchemeDefault) { // The map can contain both a path and its subpath - while redundant, this makes lookups faster. pathToDefaultProtectionSpaceMap().set(protectionSpaceMapKeyFromURL(url), protectionSpace); } } }
IconURL IconController::defaultURL(IconType iconType) { // Don't return a favicon iconURL unless we're http or https KURL documentURL = m_frame->document()->url(); if (!documentURL.protocolIsInHTTPFamily()) return IconURL(); KURL url; bool couldSetProtocol = url.setProtocol(documentURL.protocol()); ASSERT_UNUSED(couldSetProtocol, couldSetProtocol); url.setHost(documentURL.host()); if (documentURL.hasPort()) url.setPort(documentURL.port()); if (iconType == Favicon) { url.setPath("/favicon.ico"); return IconURL::defaultIconURL(url, Favicon); } return IconURL(); }
void DumpRenderTreeChrome::onWillSendRequest(void*, Evas_Object*, void* eventInfo) { Ewk_Frame_Resource_Messages* messages = static_cast<Ewk_Frame_Resource_Messages*>(eventInfo); if (!done && gTestRunner->dumpResourceLoadCallbacks()) printf("%s - willSendRequest %s redirectResponse %s\n", m_dumpAssignedUrls.contains(messages->request->identifier) ? m_dumpAssignedUrls.get(messages->request->identifier).data() : "<unknown>", descriptionSuitableForTestResult(messages->request).data(), descriptionSuitableForTestResult(messages->redirect_response).data()); if (!done && gTestRunner->willSendRequestReturnsNull()) { // As requested by the TestRunner, don't perform the request. messages->request->url = 0; return; } if (!done && gTestRunner->willSendRequestReturnsNullOnRedirect() && messages->redirect_response) { printf("Returning null for this redirect\n"); messages->request->url = 0; return; } KURL url = KURL(ParsedURLString, messages->request->url); if (url.isValid() && url.protocolIsInHTTPFamily() && url.host() != "127.0.0.1" && url.host() != "255.255.255.255" && url.host().lower() != "localhost") { printf("Blocked access to external URL %s\n", messages->request->url); messages->request->url = 0; return; } const std::string& destination = gTestRunner->redirectionDestinationForURL(url.string().utf8().data()); if (destination.length()) messages->request->url = strdup(destination.c_str()); }
bool NavigatorBeacon::canSendBeacon(ExecutionContext* context, const KURL& url, ExceptionState& exceptionState) { if (!url.isValid()) { exceptionState.throwDOMException(SyntaxError, "The URL argument is ill-formed or unsupported."); return false; } // For now, only support HTTP and related. if (!url.protocolIsInHTTPFamily()) { exceptionState.throwDOMException(SyntaxError, "Beacons are only supported over HTTP(S)."); return false; } // FIXME: CSP is not enforced on redirects, crbug.com/372197 if (!ContentSecurityPolicy::shouldBypassMainWorld(context) && !context->contentSecurityPolicy()->allowConnectToSource(url)) { // We can safely expose the URL to JavaScript, as these checks happen synchronously before redirection. JavaScript receives no new information. exceptionState.throwSecurityError("Refused to send beacon to '" + url.elidedString() + "' because it violates the document's Content Security Policy."); return false; } // If detached from frame, do not allow sending a Beacon. if (!frame() || !frame()->client()) return false; return true; }
void XMLHttpRequest::open(const AtomicString& method, const KURL& url, bool async, ExceptionState& exceptionState) { WTF_LOG(Network, "XMLHttpRequest %p open('%s', '%s', %d)", this, method.string().utf8().data(), url.elidedString().utf8().data(), async); if (!internalAbort()) return; State previousState = m_state; m_state = UNSENT; m_error = false; m_uploadComplete = false; // clear stuff from possible previous load clearResponse(); clearRequest(); ASSERT(m_state == UNSENT); if (!isValidHTTPToken(method)) { exceptionState.throwDOMException(SyntaxError, "'" + method + "' is not a valid HTTP method."); return; } if (!isAllowedHTTPMethod(method)) { exceptionState.throwSecurityError("'" + method + "' HTTP method is unsupported."); return; } if (!ContentSecurityPolicy::shouldBypassMainWorld(executionContext()) && !executionContext()->contentSecurityPolicy()->allowConnectToSource(url)) { // We can safely expose the URL to JavaScript, as these checks happen synchronously before redirection. JavaScript receives no new information. exceptionState.throwSecurityError("Refused to connect to '" + url.elidedString() + "' because it violates the document's Content Security Policy."); return; } if (!async && executionContext()->isDocument()) { if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) { exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests are disabled for this page."); return; } // Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated // attempt to discourage synchronous XHR use. responseType is one such piece of functionality. // We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols // such as file: and data: still make sense to allow. if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) { exceptionState.throwDOMException(InvalidAccessError, "Synchronous HTTP requests from a document must not set a response type."); return; } // Similarly, timeouts are disabled for synchronous requests as well. if (m_timeoutMilliseconds > 0) { exceptionState.throwDOMException(InvalidAccessError, "Synchronous requests must not set a timeout."); return; } } m_method = uppercaseKnownHTTPMethod(method); m_url = url; m_async = async; ASSERT(!m_loader); // Check previous state to avoid dispatching readyState event // when calling open several times in a row. if (previousState != OPENED) changeState(OPENED); else m_state = OPENED; }
void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec) { internalAbort(); State previousState = m_state; m_state = UNSENT; m_error = false; m_uploadComplete = false; // clear stuff from possible previous load clearResponse(); clearRequest(); ASSERT(m_state == UNSENT); if (!isValidHTTPToken(method)) { ec = SYNTAX_ERR; return; } if (!isAllowedHTTPMethod(method)) { ec = SECURITY_ERR; return; } // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. bool shouldBypassMainWorldContentSecurityPolicy = false; if (scriptExecutionContext()->isDocument()) { Document* document = static_cast<Document*>(scriptExecutionContext()); shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy(); } if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url)) { // FIXME: Should this be throwing an exception? ec = SECURITY_ERR; return; } if (!async && scriptExecutionContext()->isDocument()) { if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) { logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests are disabled for this page."); ec = INVALID_ACCESS_ERR; return; } // Newer functionality is not available to synchronous requests in window contexts, as a spec-mandated // attempt to discourage synchronous XHR use. responseType is one such piece of functionality. // We'll only disable this functionality for HTTP(S) requests since sync requests for local protocols // such as file: and data: still make sense to allow. if (url.protocolIsInHTTPFamily() && m_responseTypeCode != ResponseTypeDefault) { logConsoleError(scriptExecutionContext(), "Synchronous HTTP(S) requests made from the window context cannot have XMLHttpRequest.responseType set."); ec = INVALID_ACCESS_ERR; return; } #if ENABLE(XHR_TIMEOUT) // Similarly, timeouts are disabled for synchronous requests as well. if (m_timeoutMilliseconds > 0) { logConsoleError(scriptExecutionContext(), "Synchronous XMLHttpRequests must not have a timeout value set."); ec = INVALID_ACCESS_ERR; return; } #endif } m_method = uppercaseKnownHTTPMethod(method); m_url = url; m_async = async; ASSERT(!m_loader); // Check previous state to avoid dispatching readyState event // when calling open several times in a row. if (previousState != OPENED) changeState(OPENED); else m_state = OPENED; }
bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const { if (equalIgnoringCase("http", m_selfProtocol)) return url.protocolIsInHTTPFamily(); return equalIgnoringCase(url.protocol(), m_selfProtocol); }