/// Starts the network load that backs a fetch request.
///
/// Builds the loader options, applies the context's Content Security Policy
/// (insecure-request upgrade first, then the connect-src check), resolves the
/// referrer and creates the ThreadableLoader. When the policy rejects the URL
/// the client is told through didFail() and no loader is created.
///
/// @param context  Script execution context issuing the request. It supplies
///                 the CSP object, the main-world bypass decision and the
///                 base URL used for the referrer.
/// @param request  Fetch request providing the fetch options, the internal
///                 resource request and the referrer string.
void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& request)
{
    // The enforcement mode handed to the loader is derived from the same bypass decision as the
    // explicit connect-src check further down, so the two cannot disagree.
    // NOTE(review): presumably this mode is what covers hops after the first request (redirects);
    // confirm in ThreadableLoader.
    const auto cspEnforcement = context.shouldBypassMainWorldContentSecurityPolicy()
        ? ContentSecurityPolicyEnforcement::DoNotEnforce
        : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective;

    ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight, cspEnforcement,
        String(cachedResourceRequestInitiators().fetch), OpaqueResponseBodyPolicy::DoNotReceive);
    options.sendLoadCallbacks = SendCallbacks;
    options.dataBufferingPolicy = DoNotBufferData;
    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;

    ResourceRequest resourceRequest = request.internalRequest();

    // NOTE(review): the policy pointer is only guarded by ASSERT before it is dereferenced. If
    // ASSERT is compiled out of release builds, a context without a CSP object would be a null
    // dereference rather than a failed load -- confirm every context type always has one.
    ASSERT(context.contentSecurityPolicy());
    auto& csp = *context.contentSecurityPolicy();

    // Upgrade before checking, so connect-src is evaluated against the URL that is actually sent.
    csp.upgradeInsecureRequestIfNeeded(resourceRequest, ContentSecurityPolicy::InsecureRequestType::Load);

    const bool blockedByPolicy = !context.shouldBypassMainWorldContentSecurityPolicy()
        && !csp.allowConnectToSource(resourceRequest.url());
    if (blockedByPolicy) {
        m_client.didFail();
        return;
    }

    // "no-referrer" and "client" are compared as literal sentinel strings. Any other value is
    // resolved against the context URL before it is used as the referrer.
    String referrer = request.internalRequestReferrer();
    if (referrer == "no-referrer") {
        options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
        referrer = String();
    } else if (referrer == "client")
        referrer = context.url().strippedForUseAsReferrer();
    else
        referrer = URL(context.url(), referrer).strippedForUseAsReferrer();

    m_loader = ThreadableLoader::create(context, *this, WTFMove(resourceRequest), options, WTFMove(referrer));

    // Records whether create() actually handed back a loader.
    m_isStarted = m_loader;
}
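/// Creates an EventSource for the given URL and schedules its first connection.
///
/// The URL is completed against the context and then checked against the
/// context's Content Security Policy (connect-src) unless the main-world
/// policy is bypassed for the calling document.
///
/// @param context          Script execution context creating the source.
/// @param url              URL string as supplied by the caller; must not be empty.
/// @param eventSourceInit  Initialisation dictionary forwarded to the constructor.
/// @param ec               Set to SYNTAX_ERR for an empty or invalid URL and to
///                         SECURITY_ERR when the policy rejects the URL.
/// @return The new EventSource, or null when ec has been set.
PassRefPtr<EventSource> EventSource::create(ScriptExecutionContext& context, const String& url, const Dictionary& eventSourceInit, ExceptionCode& ec)
{
    if (url.isEmpty()) {
        ec = SYNTAX_ERR;
        return 0;
    }

    URL fullURL = context.completeURL(url);
    if (!fullURL.isValid()) {
        ec = SYNTAX_ERR;
        return 0;
    }

    // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
    bool shouldBypassMainWorldContentSecurityPolicy = false;
    if (context.isDocument()) {
        Document& document = toDocument(context);
        // A document that is not attached to a frame has no script controller to ask. Keep the
        // bypass off in that case, so connect-src is still enforced, instead of dereferencing a
        // null frame pointer.
        if (document.frame())
            shouldBypassMainWorldContentSecurityPolicy = document.frame()->script().shouldBypassMainWorldContentSecurityPolicy();
    }

    // NOTE(review): the policy pointer is dereferenced without a null check; confirm that every
    // context reaching this point owns a ContentSecurityPolicy.
    // Only the initial, completed URL is checked here.
    if (!shouldBypassMainWorldContentSecurityPolicy && !context.contentSecurityPolicy()->allowConnectToSource(fullURL)) {
        // FIXME: Should this be throwing an exception?
        ec = SECURITY_ERR;
        return 0;
    }

    RefPtr<EventSource> source = adoptRef(new EventSource(context, fullURL, eventSourceInit));

    source->setPendingActivity(source.get());
    source->scheduleInitialConnect();
    source->suspendIfNeeded();

    return source.release();
}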
/// Creates an EventSource for the given URL and schedules its first connection.
///
/// The URL is completed against the context and must pass the context's
/// Content Security Policy connect-src check. The main-world bypass decision
/// is taken from the context and passed into that check.
///
/// @param context          Script execution context creating the source.
/// @param url              URL string as supplied by the caller; must not be empty.
/// @param eventSourceInit  Initialisation data forwarded to the constructor.
/// @param ec               Set to SYNTAX_ERR for an empty or invalid URL and to
///                         SECURITY_ERR when the policy rejects the URL.
/// @return The new EventSource, or nullptr when ec has been set.
RefPtr<EventSource> EventSource::create(ScriptExecutionContext& context, const String& url, const Init& eventSourceInit, ExceptionCode& ec)
{
    if (url.isEmpty()) {
        ec = SYNTAX_ERR;
        return nullptr;
    }

    URL resolvedURL = context.completeURL(url);
    if (!resolvedURL.isValid()) {
        ec = SYNTAX_ERR;
        return nullptr;
    }

    // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
    // NOTE(review): the policy pointer is dereferenced without a null check; confirm that every
    // context reaching this point owns a ContentSecurityPolicy.
    const bool bypassMainWorldPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
    const bool connectionAllowed = context.contentSecurityPolicy()->allowConnectToSource(resolvedURL, bypassMainWorldPolicy);
    if (!connectionAllowed) {
        // FIXME: Should this be throwing an exception?
        ec = SECURITY_ERR;
        return nullptr;
    }

    auto eventSource = adoptRef(*new EventSource(context, resolvedURL, eventSourceInit));

    // The source is registered as its own pending activity before the connect is scheduled.
    eventSource->setPendingActivity(eventSource.ptr());
    eventSource->scheduleInitialConnect();
    eventSource->suspendIfNeeded();

    return WTFMove(eventSource);
}
/// Decides whether a beacon may be sent to the given URL.
///
/// @param context  Script execution context whose Content Security Policy and
///                 main-world bypass decision are consulted.
/// @param url      Destination URL of the beacon.
/// @param ec       Set to SYNTAX_ERR for an invalid URL and to SECURITY_ERR for
///                 a non-HTTP-family scheme or a connect-src rejection.
/// @return true when the beacon may be sent. Returns false WITHOUT setting ec
///         when there is no frame, so callers must act on the return value and
///         not on ec alone.
bool NavigatorBeacon::canSendBeacon(ScriptExecutionContext& context, const URL& url, ExceptionCode& ec)
{
    if (!url.isValid()) {
        ec = SYNTAX_ERR;
        return false;
    }

    // For now, only support HTTP and related. The scheme test runs first and short-circuits, so
    // the policy is only consulted for HTTP-family URLs.
    // NOTE(review): the policy pointer is dereferenced without a null check; confirm that every
    // context reaching this point owns a ContentSecurityPolicy.
    const bool schemeAndPolicyAllow = url.protocolIsInHTTPFamily()
        && context.contentSecurityPolicy()->allowConnectToSource(url, context.shouldBypassMainWorldContentSecurityPolicy());
    if (!schemeAndPolicyAllow) {
        ec = SECURITY_ERR;
        return false;
    }

    // If detached from frame, do not allow sending a Beacon.
    return !!frame();
}