ASSERT(m_async || request.httpReferrer().isEmpty());
if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
- loadRequest(request, DoSecurityCheck);
+ loadRequest(request);
return;
}
return;
}
- loadRequest(request, DoSecurityCheck);
+ loadRequest(request);
}
void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin());
- loadRequest(preflightRequest, DoSecurityCheck);
+ loadRequest(preflightRequest);
}
DocumentThreadableLoader::~DocumentThreadableLoader()
String accessControlErrorDescription;
if (m_simpleRequest) {
- allowRedirect = checkCrossOriginAccessRedirectionUrl(request.url(), accessControlErrorDescription)
+ allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(request.url(), accessControlErrorDescription)
&& (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription));
} else {
accessControlErrorDescription = "The request was redirected to '"+ request.url().string() + "', which is disallowed for cross-origin requests that require preflight.";
}
if (allowRedirect) {
+ // FIXME: consider combining this with CORS redirect handling performed by
+ // CrossOriginAccessControl::handleRedirect().
clearResource();
RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redirectResponse.url());
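Review bot: The redirect guard for simple requests now rests entirely on `CrossOriginAccessControl::isLegalRedirectLocation()`, whose body is not part of this diff. Confirm that it still rejects both a scheme that is not CORS-enabled and a URL carrying userinfo, as the removed `checkCrossOriginAccessRedirectionUrl()` did. The only other userinfo check visible in this file is the pair of `ASSERT`s in `loadRequest()`, which presumably compile out of release builds. A comment above the call would record the dependency, e.g. `// isLegalRedirectLocation() must reject non-CORS-enabled schemes and URLs containing userinfo.` The enclosing function starts and ends outside the hunk.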
clearResource();
- // It should be ok to skip the security check since we already asked about the preflight request.
- loadRequest(*actualRequest, SkipSecurityCheck);
+ loadRequest(*actualRequest);
}
void DocumentThreadableLoader::preflightFailure(const String& url, const String& errorDescription)
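Review bot: This was the only call that passed `SkipSecurityCheck`, and after the change `loadRequest(*actualRequest)` is indistinguishable from every other call site. The code that consumed `m_options.securityCheck` is not in this diff, so confirm that the actual request is still handled as intended after a successful preflight. The removed comment was also the only explanation of why no further check is needed at this point. I would keep a reworded version, e.g. `// The preflight for this request has already been checked, so the actual request can be sent.` The enclosing function starts outside the hunk.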
m_client->didFailAccessControlCheck(error);
}
-void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
+void DocumentThreadableLoader::loadRequest(const ResourceRequest& request)
{
// Any credential should have been removed from the cross-site requests.
const KURL& requestURL = request.url();
- m_options.securityCheck = securityCheck;
ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
ThreadableLoaderOptions options = m_options;
if (m_async) {
- options.crossOriginCredentialPolicy = DoNotAskClientForCrossOriginCredentials;
if (m_actualRequest) {
options.sniffContent = DoNotSniffContent;
options.dataBufferingPolicy = BufferData;
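Review bot: In the `m_async` branch the local copy of `m_options` is no longer forced to `DoNotAskClientForCrossOriginCredentials`. If `crossOriginCredentialPolicy` still exists on `ThreadableLoaderOptions` (its declaration is outside this diff), async loads now inherit whatever the caller supplied. If the field is being removed altogether this is fine. Otherwise either keep the assignment or state the new contract next to the copy, e.g. `// crossOriginCredentialPolicy is taken from m_options as supplied by the caller.` `loadRequest()` continues past the end of the hunk.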
return m_options.securityOrigin ? m_options.securityOrigin.get() : m_document->securityOrigin();
}
-bool DocumentThreadableLoader::checkCrossOriginAccessRedirectionUrl(const KURL& requestUrl, String& errorDescription)
-{
- if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(requestUrl.protocol())) {
- errorDescription = "The request was redirected to a URL ('" + requestUrl.string() + "') which has a disallowed scheme for cross-origin requests.";
- return false;
- }
-
- if (!(requestUrl.user().isEmpty() && requestUrl.pass().isEmpty())) {
- errorDescription = "The request was redirected to a URL ('" + requestUrl.string() + "') containing userinfo, which is disallowed for cross-origin requests.";
- return false;
- }
-
- return true;
-}
-
} // namespace WebCore