Instead, add a load-specific policy for showing the user authentication
challenge down to ResourceLoaderOptions and enforce it in ResourceLoader.
https://bugs.webkit.org/show_bug.cgi?id=65330
Reviewed by Alexey Proskuryakov.
No new tests, refactor only.
* loader/DocumentThreadableLoader.cpp:
* loader/DocumentThreadableLoader.h:
* loader/MainResourceLoader.cpp:
* loader/NetscapePlugInStreamLoader.cpp:
* loader/ResourceLoadScheduler.h:
* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::didReceiveAuthenticationChallenge):
For resource types that always send a challenge to the embedder,
this patch doesn't change anything. For those that don't, we will
always try to continue without credentials when they are forbidden
and the platform supports it.
When continuing without credentials was initially implemented in
DocumentThreadableLoader, we sent the ThreadableLoaderClient a didFail(),
then canceled the SubresourceLoader. This was necessary because of the
quirks of ThreadableLoader cancellation (we sever the client/loader connections
before the load actually cancels), but a simple didFail() should suffice at
the ResourceLoader layer.
* loader/ResourceLoaderOptions.h:
* loader/SubresourceLoader.cpp:
* loader/SubresourceLoader.h:
* loader/SubresourceLoaderClient.h:
* loader/cache/CachedResource.cpp:
* loader/cache/CachedResourceLoader.cpp:
* loader/cache/CachedResourceLoader.h:
* loader/icon/IconLoader.cpp: The ResourceLoader implementation of
didReceiveAuthenticationChallege means that IconLoader will now
try to continue with credentials on platforms that support it,
rather than just canceling outright. We still will never prompt
for authentication for icons.
* loader/icon/IconLoader.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95768
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2011-09-22 Nate Chapin <japhet@chromium.org>
+
+ Remove didReceiveAuthenticationChallenge() from SubresourceLoaderClient.
+ Instead, add a load-specific policy for showing the user authentication
+ challenge down to ResourceLoaderOptions and enforce it in ResourceLoader.
+ https://bugs.webkit.org/show_bug.cgi?id=65330
+
+ Reviewed by Alexey Proskuryakov.
+
+ No new tests, refactor only.
+
+ * loader/DocumentThreadableLoader.cpp:
+ * loader/DocumentThreadableLoader.h:
+ * loader/MainResourceLoader.cpp:
+ * loader/NetscapePlugInStreamLoader.cpp:
+ * loader/ResourceLoadScheduler.h:
+ * loader/ResourceLoader.cpp:
+ (WebCore::ResourceLoader::didReceiveAuthenticationChallenge):
+ For resource types that always send a challenge to the embedder,
+ this patch doesn't change anything. For those that don't, we will
+ always try to continue without credentials when they are forbidden
+ and the platform supports it.
+ When continuing without credentials was initially implemented in
+ DocumentThreadableLoader, we sent the ThreadableLoaderClient a didFail(),
+ then canceled the SubresourceLoader. This was necessary because of the
+ quirks of ThreadableLoader cancellation (we sever the client/loader connections
+ before the load actually cancels), but a simple didFail() should suffice at
+ the ResourceLoader layer.
+ * loader/ResourceLoaderOptions.h:
+ * loader/SubresourceLoader.cpp:
+ * loader/SubresourceLoader.h:
+ * loader/SubresourceLoaderClient.h:
+ * loader/cache/CachedResource.cpp:
+ * loader/cache/CachedResourceLoader.cpp:
+ * loader/cache/CachedResourceLoader.h:
+ * loader/icon/IconLoader.cpp: The ResourceLoader implementation of
+ didReceiveAuthenticationChallege means that IconLoader will now
+ try to continue with credentials on platforms that support it,
+ rather than just canceling outright. We still will never prompt
+ for authentication for icons.
+ * loader/icon/IconLoader.h:
+
2011-09-22 Dean Jackson <dino@apple.com>
Add ENABLE_CSS_FILTERS
m_client->didFail(error);
}
-void DocumentThreadableLoader::didReceiveAuthenticationChallenge(SubresourceLoader* loader, const AuthenticationChallenge& challenge)
-{
- ASSERT(loader == m_loader);
- // Users are not prompted for credentials for cross-origin requests.
- if (!m_sameOriginRequest) {
-#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
- loader->handle()->receivedRequestToContinueWithoutCredential(challenge);
-#else
- // These platforms don't provide a way to continue without credentials, cancel the load altogether.
- UNUSED_PARAM(challenge);
- RefPtr<DocumentThreadableLoader> protect(this);
- m_client->didFail(loader->blockedError());
- cancel();
-#endif
- }
-}
-
void DocumentThreadableLoader::preflightSuccess()
{
OwnPtr<ResourceRequest> actualRequest;
if (m_async) {
ThreadableLoaderOptions options = m_options;
+ options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCredentials;
if (m_actualRequest) {
// Don't sniff content or send load callbacks for the preflight request.
options.sendLoadCallbacks = DoNotSendCallbacks;
virtual void didFinishLoading(SubresourceLoader*, double);
virtual void didFail(SubresourceLoader*, const ResourceError&);
- virtual void didReceiveAuthenticationChallenge(SubresourceLoader*, const AuthenticationChallenge&);
-
#if PLATFORM(CHROMIUM)
virtual void didDownloadData(SubresourceLoader*, int dataLength);
#endif
namespace WebCore {
MainResourceLoader::MainResourceLoader(Frame* frame)
- : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials))
+ : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials))
, m_dataLoadTimer(this, &MainResourceLoader::handleDataLoadNow)
, m_loadingMultipartContent(false)
, m_waitingForContentPolicy(false)
namespace WebCore {
NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client)
- : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials))
+ : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials))
, m_client(client)
{
}
public:
friend ResourceLoadScheduler* resourceLoadScheduler();
- PassRefPtr<SubresourceLoader> scheduleSubresourceLoad(Frame*, SubresourceLoaderClient*, const ResourceRequest&, ResourceLoadPriority = ResourceLoadPriorityLow, SecurityCheckPolicy = DoSecurityCheck, const ResourceLoaderOptions& = ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials));
+ PassRefPtr<SubresourceLoader> scheduleSubresourceLoad(Frame*, SubresourceLoaderClient*, const ResourceRequest&, ResourceLoadPriority, SecurityCheckPolicy, const ResourceLoaderOptions&);
PassRefPtr<NetscapePlugInStreamLoader> schedulePluginStreamLoad(Frame*, NetscapePlugInStreamLoaderClient*, const ResourceRequest&);
void addMainResourceLoad(ResourceLoader*);
void remove(ResourceLoader*);
#include "ResourceError.h"
#include "ResourceHandle.h"
#include "ResourceLoadScheduler.h"
+#include "SecurityOrigin.h"
#include "Settings.h"
#include "SharedBuffer.h"
void ResourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
{
+ ASSERT(handle()->hasAuthenticationChallenge());
// Protect this in this delegate method since the additional processing can do
// anything including possibly derefing this; one example of this is Radar 3266216.
RefPtr<ResourceLoader> protector(this);
- frameLoader()->notifier()->didReceiveAuthenticationChallenge(this, challenge);
+
+ if (m_options.allowCredentials == AllowStoredCredentials) {
+ if (m_options.crossOriginCredentialPolicy == AskClientForCrossOriginCredentials || m_frame->document()->securityOrigin()->canRequest(originalRequest().url())) {
+ frameLoader()->notifier()->didReceiveAuthenticationChallenge(this, challenge);
+ return;
+ }
+ }
+ // Only these platforms provide a way to continue without credentials.
+ // If we can't continue with credentials, we need to cancel the load altogether.
+#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
+ handle()->receivedRequestToContinueWithoutCredential(challenge);
+ ASSERT(!handle()->hasAuthenticationChallenge());
+#else
+ didFail(blockedError());
+#endif
}
void ResourceLoader::didCancelAuthenticationChallenge(const AuthenticationChallenge& challenge)
BufferData,
DoNotBufferData
};
+
+enum ClientCrossOriginCredentialPolicy {
+ AskClientForCrossOriginCredentials,
+ DoNotAskClientForCrossOriginCredentials
+};
struct ResourceLoaderOptions {
- ResourceLoaderOptions() : sendLoadCallbacks(DoNotSendCallbacks), sniffContent(DoNotSniffContent), shouldBufferData(BufferData), allowCredentials(DoNotAllowStoredCredentials) { }
- ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacksArg, ContentSniffingPolicy sniffContentArg, DataBufferingPolicy shouldBufferDataArg, StoredCredentials allowCredentialsArg) : sendLoadCallbacks(sendLoadCallbacksArg), sniffContent(sniffContentArg), shouldBufferData(shouldBufferDataArg), allowCredentials(allowCredentialsArg) { }
+ ResourceLoaderOptions() : sendLoadCallbacks(DoNotSendCallbacks), sniffContent(DoNotSniffContent), shouldBufferData(BufferData), allowCredentials(DoNotAllowStoredCredentials), crossOriginCredentialPolicy(DoNotAskClientForCrossOriginCredentials) { }
+ ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy shouldBufferData, StoredCredentials allowCredentials, ClientCrossOriginCredentialPolicy crossOriginCredentialPolicy)
+ : sendLoadCallbacks(sendLoadCallbacks)
+ , sniffContent(sniffContent)
+ , shouldBufferData(shouldBufferData)
+ , allowCredentials(allowCredentials)
+ , crossOriginCredentialPolicy(crossOriginCredentialPolicy)
+ {
+ }
SendCallbackPolicy sendLoadCallbacks;
ContentSniffingPolicy sniffContent;
DataBufferingPolicy shouldBufferData;
StoredCredentials allowCredentials; // Whether HTTP credentials and cookies are sent with the request.
+ ClientCrossOriginCredentialPolicy crossOriginCredentialPolicy; // Whether we will ask the client for credentials (if we allow credentials at all).
};
} // namespace WebCore
m_documentLoader->removeSubresourceLoader(this);
}
-void SubresourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
-{
- RefPtr<SubresourceLoader> protect(this);
-
- ASSERT(handle()->hasAuthenticationChallenge());
-
- if (m_client)
- m_client->didReceiveAuthenticationChallenge(this, challenge);
-
- // The SubResourceLoaderClient may have cancelled this ResourceLoader in response to the challenge.
- // If that's the case, don't call didReceiveAuthenticationChallenge.
- if (reachedTerminalState())
- return;
-
- // It may have also handled authentication on its own.
- if (!handle()->hasAuthenticationChallenge())
- return;
-
- ResourceLoader::didReceiveAuthenticationChallenge(challenge);
-}
-
}
virtual void didReceiveCachedMetadata(const char*, int);
virtual void didFinishLoading(double finishTime);
virtual void didFail(const ResourceError&);
- virtual void didReceiveAuthenticationChallenge(const AuthenticationChallenge&);
virtual void willCancel(const ResourceError&);
virtual void didCancel(const ResourceError&);
virtual void didReceiveCachedMetadata(SubresourceLoader*, const char*, int /*dataLength*/) { }
virtual void didFinishLoading(SubresourceLoader*, double /*finishTime*/) { }
virtual void didFail(SubresourceLoader*, const ResourceError&) { }
-
- virtual void didReceiveAuthenticationChallenge(SubresourceLoader*, const AuthenticationChallenge&) { }
#if PLATFORM(CHROMIUM)
virtual void didDownloadData(SubresourceLoader*, int /*dataLength*/) { }
, m_loading(false)
, m_type(type)
, m_status(Pending)
- , m_options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials)
+ , m_options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials)
#ifndef NDEBUG
, m_deleted(false)
, m_lruIndex(0)
if (!inCache)
userSheet->setInCache(true);
- userSheet->setResourceLoaderOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials));
+ userSheet->setResourceLoaderOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials));
userSheet->load(this, /*incremental*/ false, SkipSecurityCheck);
if (!inCache)
private:
// FIXME: The default value for ResourceLoaderOptions will always be used currently.
// It is plumbed for http://bugs.webkit.org/show_bug.cgi?id=61225 .
- CachedResource* requestResource(CachedResource::Type, ResourceRequest&, const String& charset, ResourceLoadPriority = ResourceLoadPriorityUnresolved, bool isPreload = false, const ResourceLoaderOptions& = ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials));
+ CachedResource* requestResource(CachedResource::Type, ResourceRequest&, const String& charset, ResourceLoadPriority = ResourceLoadPriorityUnresolved, bool isPreload = false, const ResourceLoaderOptions& = ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials));
CachedResource* revalidateResource(CachedResource*, ResourceLoadPriority);
CachedResource* loadResource(CachedResource::Type, ResourceRequest&, const String& charset, ResourceLoadPriority, const ResourceLoaderOptions&);
void requestPreload(CachedResource::Type, ResourceRequest&, const String& charset);
ResourceRequest resourceRequest(m_frame->loader()->icon()->url());
resourceRequest.setPriority(ResourceLoadPriorityLow);
- RefPtr<SubresourceLoader> loader = resourceLoadScheduler()->scheduleSubresourceLoad(m_frame, this, resourceRequest);
+ RefPtr<SubresourceLoader> loader = resourceLoadScheduler()->scheduleSubresourceLoad(m_frame, this, resourceRequest, ResourceLoadPriorityLow, DoSecurityCheck, ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials));
if (!loader)
LOG_ERROR("Failed to start load for icon at url %s", m_frame->loader()->icon()->url().string().ascii().data());
}
}
-void IconLoader::didReceiveAuthenticationChallenge(SubresourceLoader*, const AuthenticationChallenge&)
-{
- // We don't ever want to prompt for authentication just for a site icon, so
- // implement this method to cancel the resource load
- m_resourceLoader->cancel();
-}
-
void IconLoader::didFinishLoading(SubresourceLoader* resourceLoader, double)
{
LOG(IconDatabase, "IconLoader::didFinishLoading() - Loader %p", resourceLoader);
virtual void didFinishLoading(SubresourceLoader*, double);
virtual void didFail(SubresourceLoader*, const ResourceError&);
- virtual void didReceiveAuthenticationChallenge(SubresourceLoader*, const AuthenticationChallenge&);
-
void finishLoading(const KURL&, PassRefPtr<SharedBuffer> data);
void clearLoadingState();