2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above
12 * copyright notice, this list of conditions and the following disclaimer
13 * in the documentation and/or other materials provided with the
15 * * Neither the name of Google Inc. nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "core/loader/DocumentThreadableLoader.h"
35 #include "core/dom/Document.h"
36 #include "core/fetch/CrossOriginAccessControl.h"
37 #include "core/fetch/FetchRequest.h"
38 #include "core/fetch/FetchUtils.h"
39 #include "core/fetch/Resource.h"
40 #include "core/fetch/ResourceFetcher.h"
41 #include "core/frame/FrameConsole.h"
42 #include "core/frame/LocalFrame.h"
43 #include "core/frame/csp/ContentSecurityPolicy.h"
44 #include "core/inspector/InspectorInstrumentation.h"
45 #include "core/inspector/InspectorTraceEvents.h"
46 #include "core/loader/CrossOriginPreflightResultCache.h"
47 #include "core/loader/DocumentThreadableLoaderClient.h"
48 #include "core/loader/FrameLoader.h"
49 #include "core/loader/ThreadableLoaderClient.h"
50 #include "platform/SharedBuffer.h"
51 #include "platform/network/ResourceRequest.h"
52 #include "platform/weborigin/SchemeRegistry.h"
53 #include "platform/weborigin/SecurityOrigin.h"
54 #include "public/platform/WebURLRequest.h"
55 #include "wtf/Assertions.h"
59 void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& resourceLoaderOptions)
61 // The loader will be deleted as soon as this function exits.
62 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, &client, LoadSynchronously, request, options, resourceLoaderOptions));
63 ASSERT(loader->hasOneRef());
66 PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient* client, const ResourceRequest& request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& resourceLoaderOptions)
68 RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options, resourceLoaderOptions));
69 if (!loader->resource())
71 return loader.release();
74 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options, const ResourceLoaderOptions& resourceLoaderOptions)
76 , m_document(document)
78 , m_resourceLoaderOptions(resourceLoaderOptions)
79 , m_forceDoNotAllowStoredCredentials(false)
80 , m_securityOrigin(m_resourceLoaderOptions.securityOrigin)
81 , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
82 , m_simpleRequest(true)
83 , m_async(blockingBehavior == LoadAsynchronously)
84 , m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout)
85 , m_requestStartedSeconds(0.0)
88 // Setting an outgoing referer is only supported in the async code path.
89 ASSERT(m_async || request.httpReferrer().isEmpty());
91 m_requestStartedSeconds = monotonicallyIncreasingTime();
93 // Save any CORS simple headers on the request here. If this request redirects cross-origin, we cancel the old request
94 // create a new one, and copy these headers.
95 const HTTPHeaderMap& headerMap = request.httpHeaderFields();
96 HTTPHeaderMap::const_iterator end = headerMap.end();
97 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {
98 if (FetchUtils::isSimpleHeader(it->key, it->value))
99 m_simpleRequestHeaders.add(it->key, it->value);
102 if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
103 loadRequest(request, m_resourceLoaderOptions);
107 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
108 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are not supported."));
112 makeCrossOriginAccessRequest(request);
115 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceRequest& request)
117 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
119 // Cross-origin requests are only allowed certain registered schemes.
120 // We would catch this when checking response headers later, but there
121 // is no reason to send a request, preflighted or not, that's guaranteed
123 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
124 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, request.url().string(), "Cross origin requests are only supported for protocol schemes: " + SchemeRegistry::listOfCORSEnabledURLSchemes() + "."));
128 if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
129 ResourceRequest crossOriginRequest(request);
130 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
131 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effectiveAllowCredentials());
132 loadRequest(crossOriginRequest, crossOriginOptions);
134 m_simpleRequest = false;
136 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request));
137 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new ResourceLoaderOptions(m_resourceLoaderOptions));
138 // Do not set the Origin header for preflight requests.
139 updateRequestForAccessControl(*crossOriginRequest, 0, effectiveAllowCredentials());
140 m_actualRequest = crossOriginRequest.release();
141 m_actualOptions = crossOriginOptions.release();
143 bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPreflight(&m_document);
144 bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSkipPreflight(securityOrigin()->toString(), m_actualRequest->url(), effectiveAllowCredentials(), m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields());
145 if (canSkipPreflight && !shouldForcePreflight) {
148 ResourceRequest preflightRequest = createAccessControlPreflightRequest(*m_actualRequest, securityOrigin());
149 // Create a ResourceLoaderOptions for preflight.
150 ResourceLoaderOptions preflightOptions = *m_actualOptions;
151 preflightOptions.allowCredentials = DoNotAllowStoredCredentials;
152 loadRequest(preflightRequest, preflightOptions);
157 DocumentThreadableLoader::~DocumentThreadableLoader()
161 void DocumentThreadableLoader::overrideTimeout(unsigned long timeoutMilliseconds)
164 ASSERT(m_requestStartedSeconds > 0.0);
165 m_timeoutTimer.stop();
166 // At the time of this method's implementation, it is only ever called by
167 // XMLHttpRequest, when the timeout attribute is set after sending the
170 // The XHR request says to resolve the time relative to when the request
171 // was initially sent, however other uses of this method may need to
172 // behave differently, in which case this should be re-arranged somehow.
173 if (timeoutMilliseconds) {
174 double elapsedTime = monotonicallyIncreasingTime() - m_requestStartedSeconds;
175 double nextFire = timeoutMilliseconds / 1000.0;
176 double resolvedTime = std::max(nextFire - elapsedTime, 0.0);
177 m_timeoutTimer.startOneShot(resolvedTime, FROM_HERE);
181 void DocumentThreadableLoader::cancel()
183 cancelWithError(ResourceError());
186 void DocumentThreadableLoader::cancelWithError(const ResourceError& error)
188 RefPtr<DocumentThreadableLoader> protect(this);
190 // Cancel can re-enter and m_resource might be null here as a result.
191 if (m_client && resource()) {
192 ResourceError errorForCallback = error;
193 if (errorForCallback.isNull()) {
194 // FIXME: This error is sent to the client in didFail(), so it should not be an internal one. Use FrameLoaderClient::cancelledError() instead.
195 errorForCallback = ResourceError(errorDomainBlinkInternal, 0, resource()->url().string(), "Load cancelled");
196 errorForCallback.setIsCancellation(true);
198 m_client->didFail(errorForCallback);
202 m_requestStartedSeconds = 0.0;
205 void DocumentThreadableLoader::setDefersLoading(bool value)
208 resource()->setDefersLoading(value);
211 void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse)
214 ASSERT_UNUSED(resource, resource == this->resource());
216 RefPtr<DocumentThreadableLoader> protect(this);
218 // FIXME: Support redirect in Fetch API.
219 if (resource->resourceRequest().requestContext() == blink::WebURLRequest::RequestContextFetch) {
220 m_client->didFailRedirectCheck();
221 request = ResourceRequest();
225 if (!isAllowedByPolicy(request.url())) {
226 m_client->didFailRedirectCheck();
227 request = ResourceRequest();
228 m_requestStartedSeconds = 0.0;
232 // Allow same origin requests to continue after allowing clients to audit the redirect.
233 if (isAllowedRedirect(request.url())) {
234 if (m_client->isDocumentThreadableLoaderClient())
235 static_cast<DocumentThreadableLoaderClient*>(m_client)->willSendRequest(request, redirectResponse);
239 // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
240 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
241 // original request was not same-origin.
242 if (m_options.crossOriginRequestPolicy == UseAccessControl) {
244 InspectorInstrumentation::didReceiveCORSRedirectResponse(m_document.frame(), resource->identifier(), m_document.frame()->loader().documentLoader(), redirectResponse, 0);
246 bool allowRedirect = false;
247 String accessControlErrorDescription;
249 if (m_simpleRequest) {
250 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(request.url(), accessControlErrorDescription)
251 && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription));
253 accessControlErrorDescription = "The request was redirected to '"+ request.url().string() + "', which is disallowed for cross-origin requests that require preflight.";
257 // FIXME: consider combining this with CORS redirect handling performed by
258 // CrossOriginAccessControl::handleRedirect().
261 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redirectResponse.url());
262 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(request.url());
263 // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
264 // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
265 // should be the original URL origin.)
266 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
267 m_securityOrigin = SecurityOrigin::createUnique();
268 // Force any subsequent requests to use these checks.
269 m_sameOriginRequest = false;
271 // Since the request is no longer same-origin, if the user didn't request credentials in
272 // the first place, update our state so we neither request them nor expect they must be allowed.
273 if (m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequestCredentials)
274 m_forceDoNotAllowStoredCredentials = true;
276 // Remove any headers that may have been added by the network layer that cause access control to fail.
277 request.clearHTTPReferrer();
278 request.clearHTTPOrigin();
279 request.clearHTTPUserAgent();
280 // Add any CORS simple request headers which we previously saved from the original request.
281 HTTPHeaderMap::const_iterator end = m_simpleRequestHeaders.end();
282 for (HTTPHeaderMap::const_iterator it = m_simpleRequestHeaders.begin(); it != end; ++it) {
283 request.setHTTPHeaderField(it->key, it->value);
285 makeCrossOriginAccessRequest(request);
289 ResourceError error(errorDomainBlinkInternal, 0, redirectResponse.url().string(), accessControlErrorDescription);
290 m_client->didFailAccessControlCheck(error);
292 m_client->didFailRedirectCheck();
294 request = ResourceRequest();
295 m_requestStartedSeconds = 0.0;
298 void DocumentThreadableLoader::dataSent(Resource* resource, unsigned long long bytesSent, unsigned long long totalBytesToBeSent)
301 ASSERT_UNUSED(resource, resource == this->resource());
302 m_client->didSendData(bytesSent, totalBytesToBeSent);
305 void DocumentThreadableLoader::dataDownloaded(Resource* resource, int dataLength)
308 ASSERT_UNUSED(resource, resource == this->resource());
309 ASSERT(!m_actualRequest);
311 m_client->didDownloadData(dataLength);
314 void DocumentThreadableLoader::responseReceived(Resource* resource, const ResourceResponse& response)
316 ASSERT_UNUSED(resource, resource == this->resource());
317 handleResponse(resource->identifier(), response);
320 void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& response)
322 String accessControlErrorDescription;
324 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
325 handlePreflightFailure(response.url().string(), accessControlErrorDescription);
329 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) {
330 handlePreflightFailure(response.url().string(), accessControlErrorDescription);
334 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new CrossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
335 if (!preflightResult->parse(response, accessControlErrorDescription)
336 || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod(), accessControlErrorDescription)
337 || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeaderFields(), accessControlErrorDescription)) {
338 handlePreflightFailure(response.url().string(), accessControlErrorDescription);
342 CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest->url(), preflightResult.release());
345 void DocumentThreadableLoader::notifyResponseReceived(unsigned long identifier, const ResourceResponse& response)
347 DocumentLoader* loader = m_document.frame()->loader().documentLoader();
348 TRACE_EVENT_INSTANT1(TRACE_DISABLED_BY_DEFAULT("devtools.timeline"), "ResourceReceiveResponse", "data", InspectorReceiveResponseEvent::data(identifier, m_document.frame(), response));
349 LocalFrame* frame = m_document.frame();
350 InspectorInstrumentation::didReceiveResourceResponse(frame, identifier, loader, response, resource() ? resource()->loader() : 0);
351 // It is essential that inspector gets resource response BEFORE console.
352 frame->console().reportResourceResponseReceived(loader, identifier, response);
355 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const ResourceResponse& response)
359 if (m_actualRequest) {
360 notifyResponseReceived(identifier, response);
361 handlePreflightResponse(response);
365 // If the response is fetched via ServiceWorker, the original URL of the response could be different from the URL of the request.
366 bool isCrossOriginResponse = false;
367 if (response.wasFetchedViaServiceWorker()) {
368 if (!isAllowedByPolicy(response.url())) {
369 notifyResponseReceived(identifier, response);
370 m_client->didFailRedirectCheck();
373 isCrossOriginResponse = !securityOrigin()->canRequest(response.url());
374 if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests && isCrossOriginResponse) {
375 notifyResponseReceived(identifier, response);
376 m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Cross origin requests are not supported."));
379 if (isCrossOriginResponse && m_resourceLoaderOptions.credentialsRequested == ClientDidNotRequestCredentials) {
380 // Since the request is no longer same-origin, if the user didn't request credentials in
381 // the first place, update our state so we neither request them nor expect they must be allowed.
382 m_forceDoNotAllowStoredCredentials = true;
385 isCrossOriginResponse = !m_sameOriginRequest;
387 if (isCrossOriginResponse && m_options.crossOriginRequestPolicy == UseAccessControl) {
388 String accessControlErrorDescription;
389 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
390 notifyResponseReceived(identifier, response);
391 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
396 m_client->didReceiveResponse(identifier, response);
399 void DocumentThreadableLoader::dataReceived(Resource* resource, const char* data, int dataLength)
401 ASSERT_UNUSED(resource, resource == this->resource());
402 handleReceivedData(data, dataLength);
405 void DocumentThreadableLoader::handleReceivedData(const char* data, int dataLength)
408 // Preflight data should be invisible to clients.
409 if (!m_actualRequest)
410 m_client->didReceiveData(data, dataLength);
413 void DocumentThreadableLoader::notifyFinished(Resource* resource)
416 ASSERT(resource == this->resource());
418 m_timeoutTimer.stop();
420 if (resource->errorOccurred())
421 m_client->didFail(resource->resourceError());
423 handleSuccessfulFinish(resource->identifier(), resource->loadFinishTime());
426 void DocumentThreadableLoader::handleSuccessfulFinish(unsigned long identifier, double finishTime)
428 if (m_actualRequest) {
429 ASSERT(!m_sameOriginRequest);
430 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
433 // FIXME: Should prevent timeout from being overridden after finished loading, without
434 // resetting m_requestStartedSeconds to 0.0
435 m_client->didFinishLoading(identifier, finishTime);
439 void DocumentThreadableLoader::didTimeout(Timer<DocumentThreadableLoader>* timer)
441 ASSERT_UNUSED(timer, timer == &m_timeoutTimer);
443 // Using values from net/base/net_error_list.h ERR_TIMED_OUT,
444 // Same as existing FIXME above - this error should be coming from FrameLoaderClient to be identifiable.
445 static const int timeoutError = -7;
446 ResourceError error("net", timeoutError, resource()->url(), String());
447 error.setIsTimeout(true);
448 cancelWithError(error);
451 void DocumentThreadableLoader::loadActualRequest()
453 OwnPtr<ResourceRequest> actualRequest;
454 actualRequest.swap(m_actualRequest);
455 OwnPtr<ResourceLoaderOptions> actualOptions;
456 actualOptions.swap(m_actualOptions);
458 actualRequest->setHTTPOrigin(securityOrigin()->toAtomicString());
462 loadRequest(*actualRequest, *actualOptions);
465 void DocumentThreadableLoader::handlePreflightFailure(const String& url, const String& errorDescription)
467 ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);
469 // Prevent handleSuccessfulFinish() from bypassing access check.
470 m_actualRequest = nullptr;
472 // FIXME: Should prevent timeout from being overridden after preflight failure, without
473 // resetting m_requestStartedSeconds to 0.0
474 m_client->didFailAccessControlCheck(error);
477 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, ResourceLoaderOptions resourceLoaderOptions)
479 // Any credential should have been removed from the cross-site requests.
480 const KURL& requestURL = request.url();
481 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
482 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
484 // Update resourceLoaderOptions with enforced values.
485 if (m_forceDoNotAllowStoredCredentials)
486 resourceLoaderOptions.allowCredentials = DoNotAllowStoredCredentials;
487 resourceLoaderOptions.securityOrigin = m_securityOrigin;
490 resourceLoaderOptions.dataBufferingPolicy = BufferData;
492 if (m_options.timeoutMilliseconds > 0)
493 m_timeoutTimer.startOneShot(m_options.timeoutMilliseconds / 1000.0, FROM_HERE);
495 FetchRequest newRequest(request, m_options.initiator, resourceLoaderOptions);
496 if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
497 newRequest.setOriginRestriction(FetchRequest::NoOriginRestriction);
499 if (request.requestContext() == blink::WebURLRequest::RequestContextVideo || request.requestContext() == blink::WebURLRequest::RequestContextAudio)
500 setResource(m_document.fetcher()->fetchMedia(newRequest));
502 setResource(m_document.fetcher()->fetchRawResource(newRequest));
503 if (resource() && resource()->loader()) {
504 unsigned long identifier = resource()->identifier();
505 InspectorInstrumentation::documentThreadableLoaderStartedLoadingForClient(&m_document, identifier, m_client);
510 FetchRequest fetchRequest(request, m_options.initiator, resourceLoaderOptions);
511 if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
512 fetchRequest.setOriginRestriction(FetchRequest::NoOriginRestriction);
513 ResourcePtr<Resource> resource = m_document.fetcher()->fetchSynchronously(fetchRequest);
514 ResourceResponse response = resource ? resource->response() : ResourceResponse();
515 unsigned long identifier = resource ? resource->identifier() : std::numeric_limits<unsigned long>::max();
516 ResourceError error = resource ? resource->resourceError() : ResourceError();
518 InspectorInstrumentation::documentThreadableLoaderStartedLoadingForClient(&m_document, identifier, m_client);
521 m_client->didFail(error);
525 // No exception for file:/// resources, see <rdar://problem/4962298>.
526 // Also, if we have an HTTP response, then it wasn't a network error in fact.
527 if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) {
528 m_client->didFail(error);
532 // FIXME: A synchronous request does not tell us whether a redirect happened or not, so we guess by comparing the
533 // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
534 // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
535 if (requestURL != response.url() && (!isAllowedByPolicy(response.url()) || !isAllowedRedirect(response.url()))) {
536 m_client->didFailRedirectCheck();
540 handleResponse(identifier, response);
542 SharedBuffer* data = resource->resourceBuffer();
544 handleReceivedData(data->data(), data->size());
546 handleSuccessfulFinish(identifier, 0.0);
549 bool DocumentThreadableLoader::isAllowedRedirect(const KURL& url) const
551 if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
554 return m_sameOriginRequest && securityOrigin()->canRequest(url);
557 bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const
559 if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective)
561 return m_document.contentSecurityPolicy()->allowConnectToSource(url);
564 StoredCredentials DocumentThreadableLoader::effectiveAllowCredentials() const
566 if (m_forceDoNotAllowStoredCredentials)
567 return DoNotAllowStoredCredentials;
568 return m_resourceLoaderOptions.allowCredentials;
571 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
573 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin();