// Rewrites the loader's request state after a navigation that stays inside
// the current document.
//
// Both m_originalRequest and m_request receive |newURL|. The redirect chain is
// rebuilt so that it ends in |newURL|, preceded by the previous URL when this
// load is flagged as a client redirect.
//
// NOTE(review): only the URL is replaced here. The HTTP method and body held
// by m_request are left untouched, so whatever method and body the request
// carried before stay attached to the new URL. Compare the variant that takes
// a SameDocumentNavigationSource, which resets both for History API
// navigations.
void DocumentLoader::updateForSameDocumentNavigation(const KURL& newURL) {
  // Snapshot the URL before it is overwritten below.
  KURL previousURL = m_request.url();

  m_originalRequest.setURL(newURL);
  m_request.setURL(newURL);

  clearRedirectChain();
  if (m_isClientRedirect) {
    appendRedirect(previousURL);
  }
  appendRedirect(newURL);
}
// Rewrites the loader's request state after a navigation that stays inside
// the current document.
//
// |newURL| is written to both m_originalRequest and m_request.
// |sameDocumentNavigationSource| says what triggered the navigation; when it
// is SameDocumentNavigationHistoryApi, m_request is additionally turned into a
// body-less GET. The redirect chain is then rebuilt so that it ends in
// |newURL|, preceded by the previous URL for client redirects.
void DocumentLoader::updateForSameDocumentNavigation(
    const KURL& newURL,
    SameDocumentNavigationSource sameDocumentNavigationSource) {
  // Snapshot the URL before it is overwritten below.
  KURL previousURL = m_request.url();

  m_originalRequest.setURL(newURL);
  m_request.setURL(newURL);

  // A History API navigation attaches a new URL to the document without a new
  // fetch, so the method and body of the load that produced the document are
  // dropped from m_request -- presumably so they are not replayed against the
  // new URL later; confirm against the callers.
  // NOTE(review): m_originalRequest only gets the new URL; its method and body
  // are not reset here. Confirm that is intended.
  const bool viaHistoryApi =
      sameDocumentNavigationSource == SameDocumentNavigationHistoryApi;
  if (viaHistoryApi) {
    m_request.setHTTPMethod("GET");
    m_request.setHTTPBody(nullptr);
  }

  clearRedirectChain();
  if (m_isClientRedirect) {
    appendRedirect(previousURL);
  }
  appendRedirect(newURL);
}
// Handles a redirect response for the main resource.
//
// |resource| must be the loader's main resource and |redirectResponse| must be
// non-null (both DCHECKed). |request| is the request for the redirect target.
//
// Returns false when the redirect is rejected, in which case fetching has been
// stopped; returns true once the redirect has been recorded and the client has
// been notified.
bool DocumentLoader::redirectReceived(
    Resource* resource,
    const ResourceRequest& request,
    const ResourceResponse& redirectResponse) {
  DCHECK_EQ(resource, m_mainResource);
  DCHECK(!redirectResponse.isNull());

  // NOTE(review): m_request is replaced before either check below runs, so it
  // already holds the redirect target on the paths that return false.
  m_request = request;
  const KURL& targetURL = m_request.url();

  // First gate: the origin that issued the redirect must be allowed to display
  // content from the target URL; otherwise the redirect is blocked and
  // reported as a failed local load.
  RefPtr<SecurityOrigin> sourceOrigin =
      SecurityOrigin::create(redirectResponse.url());
  if (!sourceOrigin->canDisplay(targetURL)) {
    FrameLoader::reportLocalLoadFailed(m_frame, targetURL.getString());
    m_fetcher->stopFetching();
    return false;
  }

  // Second gate: the navigation policy decision for the redirected request.
  // CheckContentSecurityPolicy is passed explicitly for this call.
  if (!frameLoader()->shouldContinueForNavigationPolicy(
          m_request, SubstituteData(), this, CheckContentSecurityPolicy,
          m_navigationType, NavigationPolicyCurrentTab,
          replacesCurrentHistoryItem(), isClientRedirect(), nullptr)) {
    m_fetcher->stopFetching();
    return false;
  }

  // Both gates passed: record the hop and tell the embedder.
  DCHECK(timing().fetchStart());
  appendRedirect(targetURL);
  didRedirect(redirectResponse.url(), targetURL);
  frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
  return true;
}
// Handles a redirect response for the main resource.
//
// |resource| must be the loader's main resource and |redirectResponse| must be
// non-null (both asserted). |request| is the request for the redirect target.
// A rejected redirect stops the fetcher and returns early; an accepted one is
// added to the timing data and the redirect chain and passed on to the
// FrameLoader.
void DocumentLoader::redirectReceived(Resource* resource,
                                      ResourceRequest& request,
                                      const ResourceResponse& redirectResponse) {
  ASSERT_UNUSED(resource, resource == m_mainResource);
  ASSERT(!redirectResponse.isNull());

  // NOTE(review): m_request is replaced before either check below runs, so it
  // already holds the redirect target on the early-return paths.
  m_request = request;
  const KURL& targetURL = m_request.url();

  // First gate: the origin that issued the redirect must be allowed to display
  // content from the target URL; otherwise the redirect is blocked and
  // reported as a failed local load.
  RefPtr<SecurityOrigin> sourceOrigin =
      SecurityOrigin::create(redirectResponse.url());
  if (!sourceOrigin->canDisplay(targetURL)) {
    FrameLoader::reportLocalLoadFailed(m_frame, targetURL.getString());
    m_fetcher->stopFetching();
    return;
  }

  // Second gate: the navigation policy decision for the redirected request.
  // CheckContentSecurityPolicy is passed explicitly for this call.
  if (!frameLoader()->shouldContinueForNavigationPolicy(
          m_request, SubstituteData(), this, CheckContentSecurityPolicy,
          m_navigationType, NavigationPolicyCurrentTab,
          replacesCurrentHistoryItem(), isClientRedirect())) {
    m_fetcher->stopFetching();
    return;
  }

  // Both gates passed: record the hop and hand it to the FrameLoader.
  ASSERT(timing().fetchStart());
  timing().addRedirect(redirectResponse.url(), targetURL);
  appendRedirect(targetURL);
  frameLoader()->receivedMainResourceRedirect(targetURL);
}
// Invoked before the main-resource request is sent, both for the initial
// request (|redirectResponse| is null) and for every redirect hop.
//
// |newRequest| may be modified here (first-party-for-cookies URL, cache
// policy). m_request is only replaced with it after the form-action,
// canDisplay and mixed-content checks have passed; any of those failing
// cancels the main resource load and returns early.
void DocumentLoader::willSendRequest(ResourceRequest& newRequest,
                                     const ResourceResponse& redirectResponse) {
  // There are deliberately fewer asserts here than in the other callbacks:
  // this one fires at the start of every load, and the callback-deferral state
  // matters less for what it has to guard against.
  ASSERT(!newRequest.isNull());

  // A form submission whose target the document's CSP form-action check does
  // not allow is cancelled outright. The check runs on every call, so it also
  // covers the URL a redirect points to.
  const bool formActionBlocked =
      isFormSubmission(m_triggeringAction.type()) &&
      !m_frame->document()->contentSecurityPolicy()->allowFormAction(
          newRequest.url());
  if (formActionBlocked) {
    cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
    return;
  }

  ASSERT(timing()->fetchStart());
  if (!redirectResponse.isNull()) {
    // The origin that issued the redirect must be allowed to display content
    // from the target URL; otherwise block the redirect and report it as a
    // failed local load.
    RefPtr<SecurityOrigin> sourceOrigin =
        SecurityOrigin::create(redirectResponse.url());
    if (!sourceOrigin->canDisplay(newRequest.url())) {
      FrameLoader::reportLocalLoadFailed(m_frame, newRequest.url().string());
      cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
      return;
    }
    timing()->addRedirect(redirectResponse.url(), newRequest.url());
  }

  // The cookie-policy base URL follows the request URL for main-frame loads.
  // Subframes use the main frame's URL, which a redirect does not change.
  if (frameLoader()->isLoadingMainFrame()) {
    newRequest.setFirstPartyForCookies(newRequest.url());
  }

  // A redirect answering a POST is forced to load from origin: sites commonly
  // redirect back to a page showing the data the POST just modified.
  const bool reloadAfterPostRedirect =
      newRequest.cachePolicy() == UseProtocolCachePolicy &&
      isRedirectAfterPost(newRequest, redirectResponse);
  if (reloadAfterPostRedirect) {
    newRequest.setCachePolicy(ReloadIgnoringCacheData);
  }

  // Sub-frames are checked for mixed content against the top frame's security
  // origin; a rejected URL cancels the load.
  if (m_frame->tree().parent()) {
    LocalFrame* topFrame = m_frame->tree().top();
    if (!topFrame->loader().mixedContentChecker()->canRunInsecureContent(
            topFrame->document()->securityOrigin(), newRequest.url())) {
      cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
      return;
    }
  }

  m_request = newRequest;

  // Everything below applies to redirects only.
  if (redirectResponse.isNull()) {
    return;
  }

  // The hop is recorded and the client notified before the navigation policy
  // is consulted; a rejection cancels the load afterwards.
  // NOTE(review): the policy helper is called with the request alone. Whether
  // Content Security Policy is enforced on this path depends on that helper,
  // which is not visible from this function -- confirm.
  appendRedirect(newRequest.url());
  frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
  if (!shouldContinueForNavigationPolicy(newRequest)) {
    cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
  }
}
// Invoked before the main-resource request is sent, both for the initial
// request (|redirectResponse| is null) and for every redirect hop.
//
// |newRequest| may have its cache policy changed here. m_request is only
// replaced with it after the form-action and canDisplay checks have passed;
// either of those failing cancels the main resource load and returns early.
void DocumentLoader::willSendRequest(ResourceRequest& newRequest,
                                     const ResourceResponse& redirectResponse) {
  // There are deliberately fewer asserts here than in the other callbacks:
  // this one fires at the start of every load, and the callback-deferral state
  // matters less for what it has to guard against.
  ASSERT(!newRequest.isNull());

  // A form submission whose target the document's CSP form-action check does
  // not allow is cancelled outright. The check runs on every call, so it also
  // covers the URL a redirect points to.
  const bool formActionBlocked =
      isFormSubmission(m_navigationType) &&
      !m_frame->document()->contentSecurityPolicy()->allowFormAction(
          newRequest.url());
  if (formActionBlocked) {
    cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
    return;
  }

  ASSERT(timing()->fetchStart());
  if (!redirectResponse.isNull()) {
    // The origin that issued the redirect must be allowed to display content
    // from the target URL; otherwise block the redirect and report it as a
    // failed local load.
    RefPtr<SecurityOrigin> sourceOrigin =
        SecurityOrigin::create(redirectResponse.url());
    if (!sourceOrigin->canDisplay(newRequest.url())) {
      FrameLoader::reportLocalLoadFailed(m_frame, newRequest.url().string());
      cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
      return;
    }
    timing()->addRedirect(redirectResponse.url(), newRequest.url());
  }

  // A redirect answering a POST is forced to load from origin: sites commonly
  // redirect back to a page showing the data the POST just modified.
  const bool reloadAfterPostRedirect =
      newRequest.cachePolicy() == UseProtocolCachePolicy &&
      isRedirectAfterPost(newRequest, redirectResponse);
  if (reloadAfterPostRedirect) {
    newRequest.setCachePolicy(ReloadBypassingCache);
  }

  m_request = newRequest;

  // Everything below applies to redirects only.
  if (redirectResponse.isNull()) {
    return;
  }

  // The hop is recorded and the client notified before the navigation policy
  // is consulted; a rejection cancels the load afterwards. The policy call
  // passes CheckContentSecurityPolicy explicitly.
  appendRedirect(newRequest.url());
  frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
  if (!shouldContinueForNavigationPolicy(newRequest,
                                         CheckContentSecurityPolicy)) {
    cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
  }
}
// Finishes a load that X-Frame-Options or CSP has denied by substituting an
// empty placeholder document for the blocked response.
//
// |response| is the blocked response; in this function it is only passed to
// the inspector instrumentation call.
void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(
    const ResourceResponse& response) {
  InspectorInstrumentation::continueAfterXFrameOptionsDenied(
      m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());

  setWasBlockedAfterXFrameOptionsOrCSP();

  // Pretend that this was an empty HTTP 200 response. The original URL is not
  // reused for the empty page (https://crbug.com/622385); a URL with a unique
  // security origin takes its place.
  //
  // TODO(mkwst): Remove this once XFO moves to the browser.
  // https://crbug.com/555418.
  //
  // NOTE(review): this function replaces the request URLs, the tail of the
  // redirect chain and m_response. No other loader state is cleared here; if
  // anything was derived from the blocked response before this point, confirm
  // it is not carried over into the placeholder document.
  clearMainResourceHandle();
  KURL placeholderURL = SecurityOrigin::urlWithUniqueSecurityOrigin();
  m_originalRequest.setURL(placeholderURL);
  m_request.setURL(placeholderURL);

  // Swap the last redirect-chain entry for the placeholder URL.
  // NOTE(review): removeLast() is called unconditionally, which assumes the
  // chain already holds at least one entry when this runs -- confirm.
  m_redirectChain.removeLast();
  appendRedirect(placeholderURL);

  m_response =
      ResourceResponse(placeholderURL, "text/html", 0, nullAtom, String());
  finishedLoading(monotonicallyIncreasingTime());
}