Changeset 202674 in webkit
- Timestamp:
- Jun 29, 2016 11:28:58 PM (8 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 16 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r202671 r202674 1 2016-06-29 Youenn Fablet <youenn@apple.com> 2 3 Pass SecurityOrigin as references in CORS check code 4 https://bugs.webkit.org/show_bug.cgi?id=159263 5 6 Reviewed by Alex Christensen. 7 8 No change of behavior. 9 10 * css/CSSImageSetValue.cpp: 11 (WebCore::CSSImageSetValue::cachedImageSet): 12 * css/CSSImageValue.cpp: 13 (WebCore::CSSImageValue::cachedImage): 14 * dom/ScriptElement.cpp: 15 (WebCore::ScriptElement::requestScript): 16 * loader/CrossOriginAccessControl.cpp: 17 (WebCore::updateRequestForAccessControl): 18 (WebCore::createAccessControlPreflightRequest): 19 (WebCore::passesAccessControlCheck): 20 * loader/CrossOriginAccessControl.h: 21 * loader/CrossOriginPreflightChecker.cpp: 22 (WebCore::CrossOriginPreflightChecker::validatePreflightResponse): 23 * loader/DocumentThreadableLoader.cpp: 24 (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): 25 (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest): 26 (WebCore::DocumentThreadableLoader::preflightSuccess): 27 (WebCore::DocumentThreadableLoader::isAllowedRedirect): 28 (WebCore::DocumentThreadableLoader::securityOrigin): 29 * loader/DocumentThreadableLoader.h: 30 * loader/ImageLoader.cpp: 31 (WebCore::ImageLoader::updateFromElement): 32 * loader/LinkLoader.cpp: 33 (WebCore::preloadIfNeeded): 34 * loader/MediaResourceLoader.cpp: 35 (WebCore::MediaResourceLoader::requestResource): 36 * loader/SubresourceLoader.cpp: 37 (WebCore::SubresourceLoader::checkCrossOriginAccessControl): 38 * loader/TextTrackLoader.cpp: 39 (WebCore::TextTrackLoader::load): 40 * loader/cache/CachedResource.cpp: 41 (WebCore::CachedResource::passesAccessControlCheck): 42 * loader/cache/CachedResourceRequest.cpp: 43 (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin): 44 1 45 2016-06-29 Adam Bergkvist <adam.bergkvist@ericsson.com> 2 46 -
trunk/Source/WebCore/css/CSSImageSetValue.cpp
r202656 r202674 119 119 CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options); 120 120 request.setInitiator(cachedResourceRequestInitiators().css); 121 if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) 122 updateRequestForAccessControl(request.mutableResourceRequest(), document->securityOrigin(), options.allowCredentials()); 121 if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) { 122 ASSERT(document->securityOrigin()); 123 updateRequestForAccessControl(request.mutableResourceRequest(), *document->securityOrigin(), options.allowCredentials()); 124 } 123 125 if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) { 124 126 detachPendingImage(); -
trunk/Source/WebCore/css/CSSImageValue.cpp
r201290 r202674 83 83 request.setInitiator(m_initiatorName); 84 84 85 if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) 86 updateRequestForAccessControl(request.mutableResourceRequest(), loader.document()->securityOrigin(), options.allowCredentials()); 87 85 if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) { 86 ASSERT(loader.document()->securityOrigin()); 87 updateRequestForAccessControl(request.mutableResourceRequest(), *loader.document()->securityOrigin(), options.allowCredentials()); 88 } 88 89 if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) { 89 90 detachPendingImage(); -
trunk/Source/WebCore/dom/ScriptElement.cpp
r202105 r202674 272 272 m_requestUsesAccessControl = true; 273 273 StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 274 updateRequestForAccessControl(request.mutableResourceRequest(), m_element.document().securityOrigin(), allowCredentials); 274 ASSERT(m_element.document().securityOrigin()); 275 updateRequestForAccessControl(request.mutableResourceRequest(), *m_element.document().securityOrigin(), allowCredentials); 275 276 } 276 277 request.setCharset(scriptCharset()); -
trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
r198395 r202674 99 99 } 100 100 101 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin *securityOrigin, StoredCredentials allowCredentials)101 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials) 102 102 { 103 103 request.removeCredentials(); 104 104 request.setAllowCookies(allowCredentials == AllowStoredCredentials); 105 request.setHTTPOrigin(securityOrigin ->toString());105 request.setHTTPOrigin(securityOrigin.toString()); 106 106 } 107 107 108 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin *securityOrigin)108 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin) 109 109 { 110 110 ResourceRequest preflightRequest(request.url()); … … 153 153 } 154 154 155 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin *securityOrigin, String& errorDescription)155 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription) 156 156 { 157 157 // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent, … … 162 162 163 163 // FIXME: Access-Control-Allow-Origin can contain a list of origins. 164 if (accessControlOriginString != securityOrigin ->toString()) {164 if (accessControlOriginString != securityOrigin.toString()) { 165 165 if (accessControlOriginString == "*") 166 166 errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."; 167 167 else 168 errorDescription = "Origin " + securityOrigin ->toString() + " is not allowed by Access-Control-Allow-Origin.";168 errorDescription = "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin."; 169 169 return false; 170 170 } -
trunk/Source/WebCore/loader/CrossOriginAccessControl.h
r198395 r202674 49 49 bool isOnAccessControlResponseHeaderWhitelist(const String&); 50 50 51 void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin *, StoredCredentials);52 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin *);51 void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentials); 52 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin&); 53 53 54 54 bool isValidCrossOriginRedirectionURL(const URL&); 55 55 void cleanRedirectedRequestForAccessControl(ResourceRequest&); 56 56 57 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin *, String& errorDescription);57 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin&, String& errorDescription); 58 58 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&); 59 59 -
trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp
r202542 r202674 83 83 } 84 84 85 CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin() ->toString(), request.url(), WTFMove(result));85 CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin().toString(), request.url(), WTFMove(result)); 86 86 loader.preflightSuccess(WTFMove(request)); 87 87 } -
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r202614 r202674 87 87 , m_options(options) 88 88 , m_origin(WTFMove(origin)) 89 , m_sameOriginRequest(securityOrigin() ->canRequest(request.url()))89 , m_sameOriginRequest(securityOrigin().canRequest(request.url())) 90 90 , m_simpleRequest(true) 91 91 , m_async(blockingBehavior == LoadAsynchronously) … … 121 121 else { 122 122 m_simpleRequest = false; 123 if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin() ->toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields()))123 if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin().toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields())) 124 124 preflightSuccess(WTFMove(crossOriginRequest)); 125 125 else … … 328 328 { 329 329 ResourceRequest actualRequest(WTFMove(request)); 330 actualRequest.setHTTPOrigin(securityOrigin() ->toString());330 actualRequest.setHTTPOrigin(securityOrigin().toString()); 331 331 332 332 m_preflightChecker = Nullopt; … … 436 436 return true; 437 437 438 return m_sameOriginRequest && securityOrigin() ->canRequest(url);438 return m_sameOriginRequest && securityOrigin().canRequest(url); 439 439 } 440 440 … … 444 444 } 445 445 446 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const 447 { 448 return m_origin ? m_origin.get() : m_document.securityOrigin(); 446 SecurityOrigin& DocumentThreadableLoader::securityOrigin() const 447 { 448 ASSERT(m_document.securityOrigin()); 449 return m_origin ? *m_origin : *m_document.securityOrigin(); 449 450 } 450 451 -
trunk/Source/WebCore/loader/DocumentThreadableLoader.h
r202614 r202674 98 98 bool isXMLHttpRequest() const final; 99 99 100 SecurityOrigin *securityOrigin() const;100 SecurityOrigin& securityOrigin() const; 101 101 const ContentSecurityPolicy& contentSecurityPolicy() const; 102 102 -
trunk/Source/WebCore/loader/ImageLoader.cpp
r202278 r202674 183 183 if (!crossOriginMode.isNull()) { 184 184 StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 185 updateRequestForAccessControl(request.mutableResourceRequest(), document.securityOrigin(), allowCredentials); 185 ASSERT(document.securityOrigin()); 186 updateRequestForAccessControl(request.mutableResourceRequest(), *document.securityOrigin(), allowCredentials); 186 187 } 187 188 -
trunk/Source/WebCore/loader/LinkLoader.cpp
r199752 r202674 129 129 130 130 if (!crossOriginMode.isNull()) { 131 ASSERT(document.securityOrigin()); 131 132 StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 132 updateRequestForAccessControl(linkRequest.mutableResourceRequest(), document.securityOrigin(), allowCredentials);133 updateRequestForAccessControl(linkRequest.mutableResourceRequest(), *document.securityOrigin(), allowCredentials); 133 134 } 134 135 linkRequest.setForPreload(true); -
trunk/Source/WebCore/loader/MediaResourceLoader.cpp
r202579 r202674 81 81 CachedResourceRequest cacheRequest(updatedRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, AskClientForAllCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, cachingPolicy)); 82 82 83 if (!m_crossOriginMode.isNull()) 84 updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document->securityOrigin(), allowCredentials); 85 83 if (!m_crossOriginMode.isNull()) { 84 ASSERT(m_document->securityOrigin()); 85 updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), *m_document->securityOrigin(), allowCredentials); 86 } 86 87 CachedResourceHandle<CachedRawResource> resource = m_document->cachedResourceLoader().requestMedia(cacheRequest); 87 88 if (!resource) -
trunk/Source/WebCore/loader/SubresourceLoader.cpp
r201761 r202674 404 404 String errorDescription; 405 405 bool responsePassesCORS = m_origin->canRequest(previousRequest.url()) 406 || passesAccessControlCheck(redirectResponse, options().allowCredentials(), m_origin.get(), errorDescription);406 || passesAccessControlCheck(redirectResponse, options().allowCredentials(), *m_origin, errorDescription); 407 407 if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) { 408 408 if (m_frame && m_frame->document()) { … … 417 417 m_origin = SecurityOrigin::createUnique(); 418 418 cleanRedirectedRequestForAccessControl(newRequest); 419 updateRequestForAccessControl(newRequest, m_origin.get(), options().allowCredentials());419 updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials()); 420 420 421 421 return true; -
trunk/Source/WebCore/loader/TextTrackLoader.cpp
r195452 r202674 161 161 m_crossOriginMode = crossOriginMode; 162 162 StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 163 updateRequestForAccessControl(cueRequest.mutableResourceRequest(), document->securityOrigin(), allowCredentials);163 updateRequestForAccessControl(cueRequest.mutableResourceRequest(), *document->securityOrigin(), allowCredentials); 164 164 } else { 165 165 // Cross-origin resources that are not suitably CORS-enabled may not load. -
trunk/Source/WebCore/loader/cache/CachedResource.cpp
r202198 r202674 353 353 { 354 354 String errorDescription; 355 return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, &securityOrigin, errorDescription);355 return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, securityOrigin, errorDescription); 356 356 } 357 357 -
trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp
r201930 r202674 101 101 m_options.setAllowCredentials(equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials); 102 102 103 updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.allowCredentials()); 103 ASSERT(document.securityOrigin()); 104 updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials()); 104 105 } 105 106
Note: See TracChangeset
for help on using the changeset viewer.