X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Fthird_party%2FWebKit%2FSource%2Fcore%2Floader%2FDocumentThreadableLoader.cpp;h=1888afb9375a5b795ceb98bd579b14bcdb2634fc;hb=ff3e2503a20db9193d323c1d19c38c68004dec4a;hp=51bac8ab32e19519234bcb5fe2f5cd50bfd9ca2b;hpb=7338fba38ba696536d1cc9d389afd716a6ab2fe6;p=platform%2Fframework%2Fweb%2Fcrosswalk.git
diff --git a/src/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp b/src/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
index 51bac8a..1888afb 100644
--- a/src/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
+++ b/src/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
@@ -82,7 +82,7 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document* document, Threadabl
 ASSERT(m_async || request.httpReferrer().isEmpty());
 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
- loadRequest(request, DoSecurityCheck);
+ loadRequest(request);
 return;
 }
@@ -127,13 +127,13 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource
 return;
 }
- loadRequest(request, DoSecurityCheck);
+ loadRequest(request);
 }
 void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
 {
 ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin());
- loadRequest(preflightRequest, DoSecurityCheck);
+ loadRequest(preflightRequest);
 }
 DocumentThreadableLoader::~DocumentThreadableLoader()
@@ -199,13 +199,15 @@ void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequ
 String accessControlErrorDescription;
 if (m_simpleRequest) {
- allowRedirect = checkCrossOriginAccessRedirectionUrl(request.url(), accessControlErrorDescription)
+ allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(request.url(), accessControlErrorDescription)
 && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription));
 } else {
 accessControlErrorDescription = "The request was redirected to '"+ request.url().string() + "', which is disallowed for cross-origin requests that require preflight.";
 }
 if (allowRedirect) {
+ // FIXME: consider combining this with CORS redirect handling performed by
+ // CrossOriginAccessControl::handleRedirect().
 clearResource();
 RefPtr originalOrigin = SecurityOrigin::create(redirectResponse.url());
@@ -365,8 +367,7 @@ void DocumentThreadableLoader::preflightSuccess()
 clearResource();
- // It should be ok to skip the security check since we already asked about the preflight request.
- loadRequest(*actualRequest, SkipSecurityCheck);
+ loadRequest(*actualRequest);
 }
 void DocumentThreadableLoader::preflightFailure(const String& url, const String& errorDescription)
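Review bot: The redirect gate for simple requests now rests on `CrossOriginAccessControl::isLegalRedirectLocation()`, whose body is not part of this file's diff, while the local function it replaces (deleted in the last hunk) rejected both non-CORS-enabled schemes and URLs carrying userinfo. It is worth confirming that the shared helper keeps both rejections, because `loadRequest()` guards userinfo on cross-site requests only with `ASSERT`s. A comment at the call would record the contract, for example `// Rejects redirect targets with a non-CORS-enabled scheme or embedded userinfo.` The body of `redirectReceived()` starts and ends outside the hunk.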
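Review bot: With the `SkipSecurityCheck` argument and its explanatory comment removed from `preflightSuccess()`, nothing at this call records whether the actual request is now checked like the preflight or exempted by some other means. The matching removal of `m_options.securityCheck = securityCheck;` in the `loadRequest` hunk suggests the policy now comes from the options the loader was constructed with, which this diff does not show; the same would hold for the `loadRequest(request)` and `loadRequest(preflightRequest)` calls in the two earlier hunks. Once that is confirmed, a short comment here would replace the deleted one, for example `// The actual request goes through the same request checks as the preflight.` The body of `preflightSuccess()` starts outside the hunk.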
@@ -376,17 +377,15 @@ void DocumentThreadableLoader::preflightFailure(const String& url, const String&
 m_client->didFailAccessControlCheck(error);
 }
-void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
+void DocumentThreadableLoader::loadRequest(const ResourceRequest& request)
 {
 // Any credential should have been removed from the cross-site requests.
 const KURL& requestURL = request.url();
- m_options.securityCheck = securityCheck;
 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
 ThreadableLoaderOptions options = m_options;
 if (m_async) {
- options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCredentials;
 if (m_actualRequest) {
 options.sniffContent = DoNotSniffContent;
 options.dataBufferingPolicy = BufferData;
@@ -462,19 +461,4 @@ SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_document->securityOrigin();
 }
-bool DocumentThreadableLoader::checkCrossOriginAccessRedirectionUrl(const KURL& requestUrl, String& errorDescription)
-{
- if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(requestUrl.protocol())) {
- errorDescription = "The request was redirected to a URL ('" + requestUrl.string() + "') which has a disallowed scheme for cross-origin requests.";
- return false;
- }
-
- if (!(requestUrl.user().isEmpty() && requestUrl.pass().isEmpty())) {
- errorDescription = "The request was redirected to a URL ('" + requestUrl.string() + "') containing userinfo, which is disallowed for cross-origin requests.";
- return false;
- }
-
- return true;
-}
-
 } // namespace WebCore
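Review bot: Dropping `options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCredentials;` from the `m_async` branch means `loadRequest()` no longer forces that policy for asynchronous loads; the value is now whatever `m_options` carried in from the caller. If any caller leaves it at a permissive setting, a cross-origin response could cause the client to be asked for credentials, which the old line ruled out. Unless the field has moved elsewhere in this commit, I would pin the expectation right after `options` is copied, e.g. `ASSERT(!m_async || options.crossOriginCredentialPolicy == DoNotAskClientForCrossOriginCredentials);`. The body of `loadRequest()` continues past the end of the hunk.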