示例#1
// Re-points this loader at |newURL| after a navigation that stays inside the
// current document, then rebuilds the redirect chain to describe it.
void DocumentLoader::updateForSameDocumentNavigation(const KURL& newURL)
{
    // Take a copy of the outgoing URL before m_request is re-pointed.
    const KURL previousURL = m_request.url();

    m_originalRequest.setURL(newURL);
    m_request.setURL(newURL);

    // Only the URL changes here: the HTTP method and body already stored in
    // m_request are left exactly as they were.
    // The chain is rebuilt from scratch. For a client redirect the URL we came
    // from is recorded first; the destination is always the last entry.
    clearRedirectChain();
    if (m_isClientRedirect) {
        appendRedirect(previousURL);
    }
    appendRedirect(newURL);
}
示例#2
// Re-points this loader at |newURL| after a navigation that stays inside the
// current document, then rebuilds the redirect chain to describe it.
// |sameDocumentNavigationSource| says what triggered the navigation; History
// API navigations additionally get their stored request normalised (below).
void DocumentLoader::updateForSameDocumentNavigation(const KURL& newURL, SameDocumentNavigationSource sameDocumentNavigationSource)
{
    // Take a copy of the outgoing URL before m_request is re-pointed.
    const KURL previousURL = m_request.url();

    m_originalRequest.setURL(newURL);
    m_request.setURL(newURL);

    // For History API navigations the stored request becomes a bodiless GET.
    // Presumably this keeps a later reload of the entry from replaying an
    // earlier form POST against the new URL -- confirm against the callers.
    // Only m_request is normalised; m_originalRequest keeps its method/body.
    const bool viaHistoryApi = sameDocumentNavigationSource == SameDocumentNavigationHistoryApi;
    if (viaHistoryApi) {
        m_request.setHTTPMethod("GET");
        m_request.setHTTPBody(nullptr);
    }

    // The chain is rebuilt from scratch. For a client redirect the URL we came
    // from is recorded first; the destination is always the last entry.
    clearRedirectChain();
    if (m_isClientRedirect) {
        appendRedirect(previousURL);
    }
    appendRedirect(newURL);
}
示例#3
// Handles a server redirect of the main resource. Returns true when the
// redirect may be followed; returns false (after stopping the fetcher) when
// either the origin check or the navigation policy rejects it.
bool DocumentLoader::redirectReceived(
    Resource* resource,
    const ResourceRequest& request,
    const ResourceResponse& redirectResponse) {
  // Caller invariants; these are assertions, not the security checks.
  DCHECK_EQ(resource, m_mainResource);
  DCHECK(!redirectResponse.isNull());

  // NOTE(review): m_request is replaced before either check below runs, so on
  // the two rejection paths it still names the refused target. Confirm nothing
  // reads m_request afterwards as if it had been vetted.
  m_request = request;
  const KURL& requestURL = m_request.url();

  // Check 1: the origin that issued the redirect must itself be allowed to
  // display the target URL; otherwise the redirect is reported and dropped.
  RefPtr<SecurityOrigin> sourceOrigin =
      SecurityOrigin::create(redirectResponse.url());
  const bool targetDisplayable = sourceOrigin->canDisplay(requestURL);
  if (!targetDisplayable) {
    FrameLoader::reportLocalLoadFailed(m_frame, requestURL.getString());
    m_fetcher->stopFetching();
    return false;
  }

  // Check 2: navigation policy for the redirected request, with the Content
  // Security Policy check requested (CheckContentSecurityPolicy).
  const bool policyAllows = frameLoader()->shouldContinueForNavigationPolicy(
      m_request, SubstituteData(), this, CheckContentSecurityPolicy,
      m_navigationType, NavigationPolicyCurrentTab,
      replacesCurrentHistoryItem(), isClientRedirect(), nullptr);
  if (!policyAllows) {
    m_fetcher->stopFetching();
    return false;
  }

  // Both checks passed: record the hop and tell the embedder about it.
  DCHECK(timing().fetchStart());
  appendRedirect(requestURL);
  didRedirect(redirectResponse.url(), requestURL);
  frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();

  return true;
}
// Handles a server redirect of the main resource. When the origin check or the
// navigation policy rejects the redirect, the fetcher is stopped and nothing
// is recorded; otherwise the hop is added to timing and to the redirect chain.
void DocumentLoader::redirectReceived(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse)
{
    // Caller invariants; these are assertions, not the security checks.
    ASSERT_UNUSED(resource, resource == m_mainResource);
    ASSERT(!redirectResponse.isNull());

    // NOTE(review): m_request is replaced before either check below runs, so
    // on the two rejection paths it still names the refused target. Confirm
    // nothing reads m_request afterwards as if it had been vetted.
    m_request = request;
    const KURL& requestURL = m_request.url();

    // Check 1: the origin that issued the redirect must itself be allowed to
    // display the target URL; otherwise the redirect is reported and dropped.
    RefPtr<SecurityOrigin> sourceOrigin = SecurityOrigin::create(redirectResponse.url());
    const bool targetDisplayable = sourceOrigin->canDisplay(requestURL);
    if (!targetDisplayable) {
        FrameLoader::reportLocalLoadFailed(m_frame, requestURL.getString());
        m_fetcher->stopFetching();
        return;
    }

    // Check 2: navigation policy for the redirected request, with the Content
    // Security Policy check requested (CheckContentSecurityPolicy).
    const bool policyAllows = frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, CheckContentSecurityPolicy, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect());
    if (!policyAllows) {
        m_fetcher->stopFetching();
        return;
    }

    // Both checks passed: record the hop and notify the frame loader.
    ASSERT(timing().fetchStart());
    timing().addRedirect(redirectResponse.url(), requestURL);
    appendRedirect(requestURL);
    frameLoader()->receivedMainResourceRedirect(requestURL);
}
示例#5
// Vets and adjusts the main-resource request before it is sent. A null
// |redirectResponse| means this is the initial request; a non-null one means
// |newRequest| is the target of a server redirect. |newRequest| may be
// modified (first-party cookie URL, cache policy). Any failed check cancels
// the main resource load and returns early.
void DocumentLoader::willSendRequest(ResourceRequest& newRequest, const ResourceResponse& redirectResponse)
{
    // Note that there are no asserts here as there are for the other callbacks. This is due to the
    // fact that this "callback" is sent when starting every load, and the state of callback
    // deferrals plays less of a part in this function in preventing the bad behavior deferring
    // callbacks is meant to prevent.
    ASSERT(!newRequest.isNull());
    // CSP form-action: for form-submission navigations the URL about to be requested must be
    // allowed by the policy of the document currently in the frame. This sits ahead of the
    // redirect branch, so it is applied to every redirect target as well as the initial URL.
    if (isFormSubmission(m_triggeringAction.type()) && !m_frame->document()->contentSecurityPolicy()->allowFormAction(newRequest.url())) {
        cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
        return;
    }

    ASSERT(timing()->fetchStart());
    if (!redirectResponse.isNull()) {
        // If the redirecting url is not allowed to display content from the target origin,
        // then block the redirect.
        RefPtr<SecurityOrigin> redirectingOrigin = SecurityOrigin::create(redirectResponse.url());
        if (!redirectingOrigin->canDisplay(newRequest.url())) {
            FrameLoader::reportLocalLoadFailed(m_frame, newRequest.url().string());
            cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
            return;
        }
        // Timing records the hop only after the origin check has passed.
        timing()->addRedirect(redirectResponse.url(), newRequest.url());
    }

    // Update cookie policy base URL as URL changes, except for subframes, which use the
    // URL of the main frame which doesn't change when we redirect.
    if (frameLoader()->isLoadingMainFrame())
        newRequest.setFirstPartyForCookies(newRequest.url());

    // If we're fielding a redirect in response to a POST, force a load from origin, since
    // this is a common site technique to return to a page viewing some data that the POST
    // just modified.
    if (newRequest.cachePolicy() == UseProtocolCachePolicy && isRedirectAfterPost(newRequest, redirectResponse))
        newRequest.setCachePolicy(ReloadIgnoringCacheData);

    // If this is a sub-frame, check for mixed content blocking against the top frame.
    // The check uses the top frame's checker and the top document's security origin.
    if (m_frame->tree().parent()) {
        LocalFrame* top = m_frame->tree().top();
        if (!top->loader().mixedContentChecker()->canRunInsecureContent(top->document()->securityOrigin(), newRequest.url())) {
            cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
            return;
        }
    }

    // The request is stored only here, after the checks above have passed.
    m_request = newRequest;

    // Initial request: nothing redirect-specific left to do.
    if (redirectResponse.isNull())
        return;

    // NOTE(review): the hop is appended to the redirect chain and the client is notified
    // before the navigation policy is consulted; a redirect the policy rejects is cancelled
    // only after both have happened. Confirm consumers of the chain tolerate that ordering.
    appendRedirect(newRequest.url());
    frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
    if (!shouldContinueForNavigationPolicy(newRequest))
        cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
}
示例#6
// Vets and adjusts the main-resource request before it is sent. A null
// |redirectResponse| means this is the initial request; a non-null one means
// |newRequest| is the target of a server redirect. |newRequest| may be
// modified (cache policy). Any failed check cancels the main resource load.
void DocumentLoader::willSendRequest(ResourceRequest& newRequest, const ResourceResponse& redirectResponse)
{
    // Note that there are no asserts here as there are for the other callbacks. This is due to the
    // fact that this "callback" is sent when starting every load, and the state of callback
    // deferrals plays less of a part in this function in preventing the bad behavior deferring
    // callbacks is meant to prevent.
    ASSERT(!newRequest.isNull());
    // CSP form-action: for form-submission navigations the URL about to be requested must be
    // allowed by the policy of the document currently in the frame. This sits ahead of the
    // redirect branch, so it is applied to every redirect target as well as the initial URL.
    if (isFormSubmission(m_navigationType) && !m_frame->document()->contentSecurityPolicy()->allowFormAction(newRequest.url())) {
        cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
        return;
    }

    ASSERT(timing()->fetchStart());
    if (!redirectResponse.isNull()) {
        // If the redirecting url is not allowed to display content from the target origin,
        // then block the redirect.
        RefPtr<SecurityOrigin> redirectingOrigin = SecurityOrigin::create(redirectResponse.url());
        if (!redirectingOrigin->canDisplay(newRequest.url())) {
            FrameLoader::reportLocalLoadFailed(m_frame, newRequest.url().string());
            cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url()));
            return;
        }
        // Timing records the hop only after the origin check has passed.
        timing()->addRedirect(redirectResponse.url(), newRequest.url());
    }

    // If we're fielding a redirect in response to a POST, force a load from origin, since
    // this is a common site technique to return to a page viewing some data that the POST
    // just modified.
    if (newRequest.cachePolicy() == UseProtocolCachePolicy && isRedirectAfterPost(newRequest, redirectResponse))
        newRequest.setCachePolicy(ReloadBypassingCache);

    // The request is stored only here, after the checks above have passed.
    m_request = newRequest;

    // Initial request: nothing redirect-specific left to do.
    if (redirectResponse.isNull())
        return;

    // NOTE(review): the hop is appended to the redirect chain and the client is notified
    // before the navigation policy (with its CSP check) is consulted; a redirect the policy
    // rejects is cancelled only after both have happened. Confirm consumers of the chain
    // tolerate that ordering.
    appendRedirect(newRequest.url());
    frameLoader()->client()->dispatchDidReceiveServerRedirectForProvisionalLoad();
    if (!shouldContinueForNavigationPolicy(newRequest, CheckContentSecurityPolicy))
        cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
}
// Finishes a main-resource load that was denied (per the function name, by
// X-Frame-Options or CSP) as an empty text/html document. The blocked
// response's URL is not carried over: both stored requests, the tail of the
// redirect chain and the synthesized response all use a URL with a unique
// security origin instead.
void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(const ResourceResponse& response)
{
    InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());
    setWasBlockedAfterXFrameOptionsOrCSP();

    // Pretend that this was an empty HTTP 200 response. The original URL must
    // not be reused for the empty page (https://crbug.com/622385).
    //
    // TODO(mkwst): Remove this once XFO moves to the browser.
    // https://crbug.com/555418.
    clearMainResourceHandle();

    const KURL placeholderURL = SecurityOrigin::urlWithUniqueSecurityOrigin();
    m_originalRequest.setURL(placeholderURL);
    m_request.setURL(placeholderURL);

    // Swap the chain's final entry for the placeholder.
    // NOTE(review): removeLast() relies on the chain being non-empty here --
    // confirm every caller reaches this point with at least one entry.
    m_redirectChain.removeLast();
    appendRedirect(placeholderURL);

    // Zero-length text/html response, then complete the load immediately.
    m_response = ResourceResponse(placeholderURL, "text/html", 0, nullAtom, String());
    finishedLoading(monotonicallyIncreasingTime());
}