void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& request)
{
ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight,
context.shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective,
String(cachedResourceRequestInitiators().fetch),
OpaqueResponseBodyPolicy::DoNotReceive);
options.sendLoadCallbacks = SendCallbacks;
options.dataBufferingPolicy = DoNotBufferData;
options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
ResourceRequest fetchRequest = request.internalRequest();
ASSERT(context.contentSecurityPolicy());
auto& contentSecurityPolicy = *context.contentSecurityPolicy();
contentSecurityPolicy.upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(fetchRequest.url())) {
m_client.didFail();
return;
}
String referrer = request.internalRequestReferrer();
if (referrer == "no-referrer") {
options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
referrer = String();
} else
referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer();
m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options, WTFMove(referrer));
m_isStarted = m_loader;
}
RefPtr<Worker> Worker::create(ScriptExecutionContext& context, const String& url, ExceptionCode& ec)
{
ASSERT(isMainThread());
// We don't currently support nested workers, so workers can only be created from documents.
ASSERT_WITH_SECURITY_IMPLICATION(context.isDocument());
Ref<Worker> worker = adoptRef(*new Worker(context));
worker->suspendIfNeeded();
bool shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
URL scriptURL = worker->resolveURL(url, shouldBypassMainWorldContentSecurityPolicy, ec);
if (scriptURL.isEmpty())
return nullptr;
worker->m_shouldBypassMainWorldContentSecurityPolicy = shouldBypassMainWorldContentSecurityPolicy;
// The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners.
worker->setPendingActivity(worker.ptr());
worker->m_scriptLoader = WorkerScriptLoader::create();
auto contentSecurityPolicyEnforcement = shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceChildSrcDirective;
worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, contentSecurityPolicyEnforcement, worker.ptr());
return WTFMove(worker);
}
ExceptionOr<Ref<Worker>> Worker::create(ScriptExecutionContext& context, const String& url, JSC::RuntimeFlags runtimeFlags)
{
ASSERT(isMainThread());
// We don't currently support nested workers, so workers can only be created from documents.
ASSERT_WITH_SECURITY_IMPLICATION(context.isDocument());
auto worker = adoptRef(*new Worker(context, runtimeFlags));
worker->suspendIfNeeded();
bool shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
auto scriptURL = worker->resolveURL(url, shouldBypassMainWorldContentSecurityPolicy);
if (scriptURL.hasException())
return scriptURL.releaseException();
worker->m_shouldBypassMainWorldContentSecurityPolicy = shouldBypassMainWorldContentSecurityPolicy;
// The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners.
worker->setPendingActivity(worker.ptr());
worker->m_scriptLoader = WorkerScriptLoader::create();
auto contentSecurityPolicyEnforcement = shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceChildSrcDirective;
worker->m_scriptLoader->loadAsynchronously(&context, scriptURL.releaseReturnValue(), FetchOptions::Mode::SameOrigin, contentSecurityPolicyEnforcement, worker->m_identifier, worker.ptr());
return WTFMove(worker);
}
RefPtr<EventSource> EventSource::create(ScriptExecutionContext& context, const String& url, const Init& eventSourceInit, ExceptionCode& ec)
{
if (url.isEmpty()) {
ec = SYNTAX_ERR;
return nullptr;
}
URL fullURL = context.completeURL(url);
if (!fullURL.isValid()) {
ec = SYNTAX_ERR;
return nullptr;
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, context.shouldBypassMainWorldContentSecurityPolicy())) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return nullptr;
}
auto source = adoptRef(*new EventSource(context, fullURL, eventSourceInit));
source->setPendingActivity(source.ptr());
source->scheduleInitialConnect();
source->suspendIfNeeded();
return WTFMove(source);
}
bool NavigatorBeacon::canSendBeacon(ScriptExecutionContext& context, const URL& url, ExceptionCode& ec)
{
if (!url.isValid()) {
ec = SYNTAX_ERR;
return false;
}
// For now, only support HTTP and related.
if (!url.protocolIsInHTTPFamily()) {
ec = SECURITY_ERR;
return false;
}
if (!context.contentSecurityPolicy()->allowConnectToSource(url, context.shouldBypassMainWorldContentSecurityPolicy())) {
ec = SECURITY_ERR;
return false;
}
// If detached from frame, do not allow sending a Beacon.
if (!frame())
return false;
return true;
}