CrossOriginPreflightChecker.cpp [plain text]
#include "config.h"
#include "CrossOriginPreflightChecker.h"
#include "CachedRawResource.h"
#include "CachedResourceLoader.h"
#include "CachedResourceRequest.h"
#include "ContentSecurityPolicy.h"
#include "CrossOriginAccessControl.h"
#include "CrossOriginPreflightResultCache.h"
#include "DocumentThreadableLoader.h"
#include "FrameLoader.h"
#include "InspectorInstrumentation.h"
#include "NetworkLoadMetrics.h"
#include "RuntimeEnabledFeatures.h"
#include "SharedBuffer.h"
namespace WebCore {
CrossOriginPreflightChecker::CrossOriginPreflightChecker(DocumentThreadableLoader& loader, ResourceRequest&& request)
: m_loader(loader)
, m_request(WTFMove(request))
{
}
CrossOriginPreflightChecker::~CrossOriginPreflightChecker()
{
if (m_resource)
m_resource->removeClient(*this);
}
void CrossOriginPreflightChecker::validatePreflightResponse(DocumentThreadableLoader& loader, ResourceRequest&& request, unsigned long identifier, const ResourceResponse& response)
{
Frame* frame = loader.document().frame();
ASSERT(frame);
if (!response.isSuccessful()) {
loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), ASCIILiteral("Preflight response is not successful"), ResourceError::Type::AccessControl));
return;
}
String description;
if (!passesAccessControlCheck(response, loader.options().allowCredentials, loader.securityOrigin(), description)) {
loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), description, ResourceError::Type::AccessControl));
return;
}
auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(loader.options().allowCredentials);
if (!result->parse(response, description)
|| !result->allowsCrossOriginMethod(request.httpMethod(), description)
|| !result->allowsCrossOriginHeaders(request.httpHeaderFields(), description)) {
loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), description, ResourceError::Type::AccessControl));
return;
}
NetworkLoadMetrics emptyMetrics;
InspectorInstrumentation::didReceiveResourceResponse(*frame, identifier, frame->loader().documentLoader(), response, nullptr);
InspectorInstrumentation::didFinishLoading(frame, frame->loader().documentLoader(), identifier, emptyMetrics, nullptr);
CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin().toString(), request.url(), WTFMove(result));
loader.preflightSuccess(WTFMove(request));
}
void CrossOriginPreflightChecker::notifyFinished(CachedResource& resource)
{
ASSERT_UNUSED(resource, &resource == m_resource);
if (m_resource->loadFailedOrCanceled()) {
ResourceError preflightError = m_resource->resourceError();
if (preflightError.isNull() || preflightError.isCancellation() || preflightError.isGeneral())
preflightError.setType(ResourceError::Type::AccessControl);
m_loader.preflightFailure(m_resource->identifier(), preflightError);
return;
}
validatePreflightResponse(m_loader, WTFMove(m_request), m_resource->identifier(), m_resource->response());
}
void CrossOriginPreflightChecker::startPreflight()
{
ResourceLoaderOptions options;
options.referrerPolicy = m_loader.options().referrerPolicy;
options.redirect = FetchOptions::Redirect::Manual;
options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
CachedResourceRequest preflightRequest(createAccessControlPreflightRequest(m_request, m_loader.securityOrigin(), m_loader.referrer()), options);
if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
preflightRequest.setInitiator(m_loader.options().initiator);
ASSERT(!m_resource);
m_resource = m_loader.document().cachedResourceLoader().requestRawResource(WTFMove(preflightRequest));
if (m_resource)
m_resource->addClient(*this);
}
void CrossOriginPreflightChecker::doPreflight(DocumentThreadableLoader& loader, ResourceRequest&& request)
{
if (!loader.document().frame())
return;
ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, loader.securityOrigin(), loader.referrer());
ResourceError error;
ResourceResponse response;
RefPtr<SharedBuffer> data;
unsigned identifier = loader.document().frame()->loader().loadResourceSynchronously(preflightRequest, DoNotAllowStoredCredentials, ClientCredentialPolicy::CannotAskClientForCredentials, error, response, data);
if (!error.isNull()) {
if (error.isCancellation() || error.isGeneral())
error.setType(ResourceError::Type::AccessControl);
loader.preflightFailure(identifier, error);
return;
}
bool isRedirect = preflightRequest.url().strippedForUseAsReferrer() != response.url().strippedForUseAsReferrer();
if (isRedirect || !response.isSuccessful()) {
loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), ASCIILiteral("Preflight response is not successful"), ResourceError::Type::AccessControl));
return;
}
validatePreflightResponse(loader, WTFMove(request), identifier, response);
}
void CrossOriginPreflightChecker::setDefersLoading(bool value)
{
if (m_resource)
m_resource->setDefersLoading(value);
}
bool CrossOriginPreflightChecker::isXMLHttpRequest() const
{
return m_loader.isXMLHttpRequest();
}
}