Changeset 202674 in webkit


Ignore:
Timestamp:
Jun 29, 2016 11:28:58 PM (8 years ago)
Author:
commit-queue@webkit.org
Message:

Pass SecurityOrigin as references in CORS check code
https://bugs.webkit.org/show_bug.cgi?id=159263

Patch by Youenn Fablet <youenn@apple.com> on 2016-06-29
Reviewed by Alex Christensen.

No change of behavior.

  • css/CSSImageSetValue.cpp:

(WebCore::CSSImageSetValue::cachedImageSet):

  • css/CSSImageValue.cpp:

(WebCore::CSSImageValue::cachedImage):

  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestScript):

  • loader/CrossOriginAccessControl.cpp:

(WebCore::updateRequestForAccessControl):
(WebCore::createAccessControlPreflightRequest):
(WebCore::passesAccessControlCheck):

  • loader/CrossOriginAccessControl.h:
  • loader/CrossOriginPreflightChecker.cpp:

(WebCore::CrossOriginPreflightChecker::validatePreflightResponse):

  • loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
(WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest):
(WebCore::DocumentThreadableLoader::preflightSuccess):
(WebCore::DocumentThreadableLoader::isAllowedRedirect):
(WebCore::DocumentThreadableLoader::securityOrigin):

  • loader/DocumentThreadableLoader.h:
  • loader/ImageLoader.cpp:

(WebCore::ImageLoader::updateFromElement):

  • loader/LinkLoader.cpp:

(WebCore::preloadIfNeeded):

  • loader/MediaResourceLoader.cpp:

(WebCore::MediaResourceLoader::requestResource):

  • loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::checkCrossOriginAccessControl):

  • loader/TextTrackLoader.cpp:

(WebCore::TextTrackLoader::load):

  • loader/cache/CachedResource.cpp:

(WebCore::CachedResource::passesAccessControlCheck):

  • loader/cache/CachedResourceRequest.cpp:

(WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):

Location:
trunk/Source/WebCore
Files:
16 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r202671 r202674  
     12016-06-29  Youenn Fablet  <youenn@apple.com>
     2
     3        Pass SecurityOrigin as references in CORS check code
     4        https://bugs.webkit.org/show_bug.cgi?id=159263
     5
     6        Reviewed by Alex Christensen.
     7
     8        No change of behavior.
     9
     10        * css/CSSImageSetValue.cpp:
     11        (WebCore::CSSImageSetValue::cachedImageSet):
     12        * css/CSSImageValue.cpp:
     13        (WebCore::CSSImageValue::cachedImage):
     14        * dom/ScriptElement.cpp:
     15        (WebCore::ScriptElement::requestScript):
     16        * loader/CrossOriginAccessControl.cpp:
     17        (WebCore::updateRequestForAccessControl):
     18        (WebCore::createAccessControlPreflightRequest):
     19        (WebCore::passesAccessControlCheck):
     20        * loader/CrossOriginAccessControl.h:
     21        * loader/CrossOriginPreflightChecker.cpp:
     22        (WebCore::CrossOriginPreflightChecker::validatePreflightResponse):
     23        * loader/DocumentThreadableLoader.cpp:
     24        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
     25        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest):
     26        (WebCore::DocumentThreadableLoader::preflightSuccess):
     27        (WebCore::DocumentThreadableLoader::isAllowedRedirect):
     28        (WebCore::DocumentThreadableLoader::securityOrigin):
     29        * loader/DocumentThreadableLoader.h:
     30        * loader/ImageLoader.cpp:
     31        (WebCore::ImageLoader::updateFromElement):
     32        * loader/LinkLoader.cpp:
     33        (WebCore::preloadIfNeeded):
     34        * loader/MediaResourceLoader.cpp:
     35        (WebCore::MediaResourceLoader::requestResource):
     36        * loader/SubresourceLoader.cpp:
     37        (WebCore::SubresourceLoader::checkCrossOriginAccessControl):
     38        * loader/TextTrackLoader.cpp:
     39        (WebCore::TextTrackLoader::load):
     40        * loader/cache/CachedResource.cpp:
     41        (WebCore::CachedResource::passesAccessControlCheck):
     42        * loader/cache/CachedResourceRequest.cpp:
     43        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
     44
    1452016-06-29  Adam Bergkvist  <adam.bergkvist@ericsson.com>
    246

  • trunk/Source/WebCore/css/CSSImageSetValue.cpp

    r202656 r202674  
    119119        CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options);
    120120        request.setInitiator(cachedResourceRequestInitiators().css);
    121         if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
    122             updateRequestForAccessControl(request.mutableResourceRequest(), document->securityOrigin(), options.allowCredentials());
     121        if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) {
     122            ASSERT(document->securityOrigin());
     123            updateRequestForAccessControl(request.mutableResourceRequest(), *document->securityOrigin(), options.allowCredentials());
     124        }
    123125        if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) {
    124126            detachPendingImage();

  • trunk/Source/WebCore/css/CSSImageValue.cpp

    r201290 r202674  
    8383            request.setInitiator(m_initiatorName);
    8484
    85         if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
    86             updateRequestForAccessControl(request.mutableResourceRequest(), loader.document()->securityOrigin(), options.allowCredentials());
    87 
     85        if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) {
     86            ASSERT(loader.document()->securityOrigin());
     87            updateRequestForAccessControl(request.mutableResourceRequest(), *loader.document()->securityOrigin(), options.allowCredentials());
     88        }
    8889        if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) {
    8990            detachPendingImage();

  • trunk/Source/WebCore/dom/ScriptElement.cpp

    r202105 r202674  
    272272            m_requestUsesAccessControl = true;
    273273            StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
    274             updateRequestForAccessControl(request.mutableResourceRequest(), m_element.document().securityOrigin(), allowCredentials);
     274            ASSERT(m_element.document().securityOrigin());
     275            updateRequestForAccessControl(request.mutableResourceRequest(), *m_element.document().securityOrigin(), allowCredentials);
    275276        }
    276277        request.setCharset(scriptCharset());

  • trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

    r198395 r202674  
    9999}
    100100
    101 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials)
     101void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials)
    102102{
    103103    request.removeCredentials();
    104104    request.setAllowCookies(allowCredentials == AllowStoredCredentials);
    105     request.setHTTPOrigin(securityOrigin->toString());
     105    request.setHTTPOrigin(securityOrigin.toString());
    106106}
    107107
    108 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
     108ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin)
    109109{
    110110    ResourceRequest preflightRequest(request.url());
     
    153153}
    154154
    155 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
     155bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription)
    156156{
    157157    // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
     
    162162
    163163    // FIXME: Access-Control-Allow-Origin can contain a list of origins.
    164     if (accessControlOriginString != securityOrigin->toString()) {
     164    if (accessControlOriginString != securityOrigin.toString()) {
    165165        if (accessControlOriginString == "*")
    166166            errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
    167167        else
    168             errorDescription =  "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin.";
     168            errorDescription =  "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin.";
    169169        return false;
    170170    }

  • trunk/Source/WebCore/loader/CrossOriginAccessControl.h

    r198395 r202674  
    4949bool isOnAccessControlResponseHeaderWhitelist(const String&);
    5050
    51 void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, StoredCredentials);
    52 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*);
     51void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentials);
     52ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin&);
    5353
    5454bool isValidCrossOriginRedirectionURL(const URL&);
    5555void cleanRedirectedRequestForAccessControl(ResourceRequest&);
    5656
    57 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
     57bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin&, String& errorDescription);
    5858void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
    5959

  • trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp

    r202542 r202674  
    8383    }
    8484
    85     CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin()->toString(), request.url(), WTFMove(result));
     85    CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin().toString(), request.url(), WTFMove(result));
    8686    loader.preflightSuccess(WTFMove(request));
    8787}

  • trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

    r202614 r202674  
    8787    , m_options(options)
    8888    , m_origin(WTFMove(origin))
    89     , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
     89    , m_sameOriginRequest(securityOrigin().canRequest(request.url()))
    9090    , m_simpleRequest(true)
    9191    , m_async(blockingBehavior == LoadAsynchronously)
     
    121121    else {
    122122        m_simpleRequest = false;
    123         if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin()->toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields()))
     123        if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin().toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields()))
    124124            preflightSuccess(WTFMove(crossOriginRequest));
    125125        else
     
    328328{
    329329    ResourceRequest actualRequest(WTFMove(request));
    330     actualRequest.setHTTPOrigin(securityOrigin()->toString());
     330    actualRequest.setHTTPOrigin(securityOrigin().toString());
    331331
    332332    m_preflightChecker = Nullopt;
     
    436436        return true;
    437437
    438     return m_sameOriginRequest && securityOrigin()->canRequest(url);
     438    return m_sameOriginRequest && securityOrigin().canRequest(url);
    439439}
    440440
     
    444444}
    445445
    446 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
    447 {
    448     return m_origin ? m_origin.get() : m_document.securityOrigin();
     446SecurityOrigin& DocumentThreadableLoader::securityOrigin() const
     447{
     448    ASSERT(m_document.securityOrigin());
     449    return m_origin ? *m_origin : *m_document.securityOrigin();
    449450}
    450451

  • trunk/Source/WebCore/loader/DocumentThreadableLoader.h

    r202614 r202674  
    9898        bool isXMLHttpRequest() const final;
    9999
    100         SecurityOrigin* securityOrigin() const;
     100        SecurityOrigin& securityOrigin() const;
    101101        const ContentSecurityPolicy& contentSecurityPolicy() const;
    102102

  • trunk/Source/WebCore/loader/ImageLoader.cpp

    r202278 r202674  
    183183        if (!crossOriginMode.isNull()) {
    184184            StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
    185             updateRequestForAccessControl(request.mutableResourceRequest(), document.securityOrigin(), allowCredentials);
     185            ASSERT(document.securityOrigin());
     186            updateRequestForAccessControl(request.mutableResourceRequest(), *document.securityOrigin(), allowCredentials);
    186187        }
    187188

  • trunk/Source/WebCore/loader/LinkLoader.cpp

    r199752 r202674  
    129129
    130130    if (!crossOriginMode.isNull()) {
     131        ASSERT(document.securityOrigin());
    131132        StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
    132         updateRequestForAccessControl(linkRequest.mutableResourceRequest(), document.securityOrigin(), allowCredentials);
     133        updateRequestForAccessControl(linkRequest.mutableResourceRequest(), *document.securityOrigin(), allowCredentials);
    133134    }
    134135    linkRequest.setForPreload(true);

  • trunk/Source/WebCore/loader/MediaResourceLoader.cpp

    r202579 r202674  
    8181    CachedResourceRequest cacheRequest(updatedRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, AskClientForAllCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, cachingPolicy));
    8282
    83     if (!m_crossOriginMode.isNull())
    84         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document->securityOrigin(), allowCredentials);
    85 
     83    if (!m_crossOriginMode.isNull()) {
     84        ASSERT(m_document->securityOrigin());
     85        updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), *m_document->securityOrigin(), allowCredentials);
     86    }
    8687    CachedResourceHandle<CachedRawResource> resource = m_document->cachedResourceLoader().requestMedia(cacheRequest);
    8788    if (!resource)

  • trunk/Source/WebCore/loader/SubresourceLoader.cpp

    r201761 r202674  
    404404    String errorDescription;
    405405    bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
    406         || passesAccessControlCheck(redirectResponse, options().allowCredentials(), m_origin.get(), errorDescription);
     406        || passesAccessControlCheck(redirectResponse, options().allowCredentials(), *m_origin, errorDescription);
    407407    if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
    408408        if (m_frame && m_frame->document()) {
     
    417417    m_origin = SecurityOrigin::createUnique();
    418418    cleanRedirectedRequestForAccessControl(newRequest);
    419     updateRequestForAccessControl(newRequest, m_origin.get(), options().allowCredentials());
     419    updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials());
    420420
    421421    return true;

  • trunk/Source/WebCore/loader/TextTrackLoader.cpp

    r195452 r202674  
    161161        m_crossOriginMode = crossOriginMode;
    162162        StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
    163         updateRequestForAccessControl(cueRequest.mutableResourceRequest(), document->securityOrigin(), allowCredentials);
     163        updateRequestForAccessControl(cueRequest.mutableResourceRequest(), *document->securityOrigin(), allowCredentials);
    164164    } else {
    165165        // Cross-origin resources that are not suitably CORS-enabled may not load.

  • trunk/Source/WebCore/loader/cache/CachedResource.cpp

    r202198 r202674  
    353353{
    354354    String errorDescription;
    355     return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, &securityOrigin, errorDescription);
     355    return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, securityOrigin, errorDescription);
    356356}
    357357

  • trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp

    r201930 r202674  
    101101    m_options.setAllowCredentials(equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials);
    102102
    103     updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.allowCredentials());
     103    ASSERT(document.securityOrigin());
     104    updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials());
    104105}
    105106
Note: See TracChangeset for help on using the changeset viewer.