diff options
author | bbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-14 16:52:52 +0000 |
---|---|---|
committer | bbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-14 16:52:52 +0000 |
commit | bb8890e9cee0c997257873e9c978eead7d028568 (patch) | |
tree | 8b73fbe50b6d1f7e5d7b8220124f8e7d2552b93c | |
parent | 84d5b453e3b8f4eef8cab9860a27c25466c7fe0a (diff) | |
download | chromium_src-bb8890e9cee0c997257873e9c978eead7d028568.zip chromium_src-bb8890e9cee0c997257873e9c978eead7d028568.tar.gz chromium_src-bb8890e9cee0c997257873e9c978eead7d028568.tar.bz2 |
Modify the webkit::ppapi::URLLoader to use the underlying AssociatedURLLoader for security checks, and convert URLRequest properties into the configuration for the AssociatedURLLoader. This Issue depends on http://codereview.chromium.org/6755015/
BUG=47354
TEST=ppapi_tests
Review URL: http://codereview.chromium.org/6765040
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81605 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | ppapi/tests/test_url_loader.cc | 21 | ||||
-rw-r--r-- | ppapi/tests/test_url_loader.h | 1 | ||||
-rw-r--r-- | webkit/plugins/ppapi/ppb_url_loader_impl.cc | 43 | ||||
-rw-r--r-- | webkit/plugins/ppapi/ppb_url_loader_impl.h | 2 |
4 files changed, 39 insertions, 28 deletions
diff --git a/ppapi/tests/test_url_loader.cc b/ppapi/tests/test_url_loader.cc index 1faacfc..2e708cf 100644 --- a/ppapi/tests/test_url_loader.cc +++ b/ppapi/tests/test_url_loader.cc @@ -49,6 +49,7 @@ void TestURLLoader::RunTest() { RUN_TEST(CustomRequestHeader); RUN_TEST(IgnoresBogusContentLength); RUN_TEST(SameOriginRestriction); + RUN_TEST(CrossOriginRequest); RUN_TEST(StreamToFile); RUN_TEST(AuditURLRedirect); RUN_TEST(AbortCalls); @@ -270,6 +271,26 @@ std::string TestURLLoader::TestSameOriginRestriction() { PASS(); } +std::string TestURLLoader::TestCrossOriginRequest() { + pp::URLRequestInfo request; + // Create a URL that will be considered to be a different origin. + request.SetURL("http://127.0.0.1/test_url_loader_data/hello.txt"); + request.SetAllowCrossOriginRequests(true); + + TestCompletionCallback callback(instance_->pp_instance()); + + pp::URLLoader loader(*instance_); + int32_t rv = loader.Open(request, callback); + if (rv == PP_ERROR_WOULDBLOCK) + rv = callback.WaitForResult(); + + // We expect success since we allowed a cross-origin request. + if (rv == PP_ERROR_NOACCESS) + return ReportError("URLLoader::Open()", rv); + + PASS(); +} + // This test should cause a redirect and ensure that the loader runs // the callback, rather than following the redirect. std::string TestURLLoader::TestAuditURLRedirect() { diff --git a/ppapi/tests/test_url_loader.h b/ppapi/tests/test_url_loader.h index 0b14bd2..b91ad75 100644 --- a/ppapi/tests/test_url_loader.h +++ b/ppapi/tests/test_url_loader.h @@ -41,6 +41,7 @@ class TestURLLoader : public TestCase { std::string TestIgnoresBogusContentLength(); std::string TestStreamToFile(); std::string TestSameOriginRestriction(); + std::string TestCrossOriginRequest(); std::string TestAuditURLRedirect(); std::string TestAbortCalls(); diff --git a/webkit/plugins/ppapi/ppb_url_loader_impl.cc b/webkit/plugins/ppapi/ppb_url_loader_impl.cc index 1c2323e..378d789 100644 --- a/webkit/plugins/ppapi/ppb_url_loader_impl.cc +++ b/webkit/plugins/ppapi/ppb_url_loader_impl.cc @@ -17,6 +17,7 @@ #include "third_party/WebKit/Source/WebKit/chromium/public/WebPluginContainer.h" #include "third_party/WebKit/Source/WebKit/chromium/public/WebSecurityOrigin.h" #include "third_party/WebKit/Source/WebKit/chromium/public/WebURLLoader.h" +#include "third_party/WebKit/Source/WebKit/chromium/public/WebURLLoaderOptions.h" #include "third_party/WebKit/Source/WebKit/chromium/public/WebURLRequest.h" #include "third_party/WebKit/Source/WebKit/chromium/public/WebURLResponse.h" #include "webkit/appcache/web_application_cache_host_impl.h" @@ -32,6 +33,7 @@ using WebKit::WebString; using WebKit::WebURL; using WebKit::WebURLError; using WebKit::WebURLLoader; +using WebKit::WebURLLoaderOptions; using WebKit::WebURLRequest; using WebKit::WebURLResponse; @@ -188,7 +190,7 @@ const PPB_URLLoaderTrusted ppb_urlloadertrusted = { &SetStatusCallback }; -WebKit::WebFrame* GetFrame(PluginInstance* instance) { +WebFrame* GetFrame(PluginInstance* instance) { return instance->container()->element().document().frame(); } @@ -253,11 +255,20 @@ int32_t PPB_URLLoader_Impl::Open(PPB_URLRequestInfo_Impl* request, return PP_ERROR_FAILED; WebURLRequest web_request(request->ToWebURLRequest(frame)); - rv = CanRequest(frame, web_request.url()); - if (rv != PP_OK) - return rv; + WebURLLoaderOptions options; + if (has_universal_access_) { + // Universal access allows cross-origin requests and sends credentials. + options.crossOriginRequestPolicy = + WebURLLoaderOptions::CrossOriginRequestPolicyAllow; + options.allowCredentials = true; + } else if (request->allow_cross_origin_requests()) { + // Otherwise, allow cross-origin requests with access control. + options.crossOriginRequestPolicy = + WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl; + options.allowCredentials = request->allow_credentials(); + } - loader_.reset(frame->createAssociatedURLLoader()); + loader_.reset(frame->createAssociatedURLLoader(options)); if (!loader_.get()) return PP_ERROR_FAILED; @@ -277,10 +288,6 @@ int32_t PPB_URLLoader_Impl::FollowRedirect(PP_CompletionCallback callback) { WebURL redirect_url = GURL(response_info_->redirect_url()); - rv = CanRequest(GetFrame(instance()), redirect_url); - if (rv != PP_OK) - return rv; - loader_->setDefersLoading(false); // Allow the redirect to continue. RegisterCallback(callback); return PP_OK_COMPLETIONPENDING; @@ -384,12 +391,6 @@ void PPB_URLLoader_Impl::willSendRequest( SaveResponse(redirect_response); loader_->setDefersLoading(true); RunCallback(PP_OK); - } else { - int32_t rv = CanRequest(GetFrame(instance()), new_request.url()); - if (rv != PP_OK) { - loader_->setDefersLoading(true); - RunCallback(rv); - } } } @@ -496,23 +497,13 @@ size_t PPB_URLLoader_Impl::FillUserBuffer() { return bytes_to_copy; } -void PPB_URLLoader_Impl::SaveResponse(const WebKit::WebURLResponse& response) { +void PPB_URLLoader_Impl::SaveResponse(const WebURLResponse& response) { scoped_refptr<PPB_URLResponseInfo_Impl> response_info( new PPB_URLResponseInfo_Impl(instance())); if (response_info->Initialize(response)) response_info_ = response_info; } -// Checks that the client can request the URL. Returns a PPAPI error code. -int32_t PPB_URLLoader_Impl::CanRequest(const WebKit::WebFrame* frame, - const WebKit::WebURL& url) { - if (!has_universal_access_ && - !frame->securityOrigin().canRequest(url)) - return PP_ERROR_NOACCESS; - - return PP_OK; -} - void PPB_URLLoader_Impl::UpdateStatus() { if (status_callback_ && (RecordDownloadProgress() || RecordUploadProgress())) { diff --git a/webkit/plugins/ppapi/ppb_url_loader_impl.h b/webkit/plugins/ppapi/ppb_url_loader_impl.h index 6456900..c46bbb6 100644 --- a/webkit/plugins/ppapi/ppb_url_loader_impl.h +++ b/webkit/plugins/ppapi/ppb_url_loader_impl.h @@ -105,8 +105,6 @@ class PPB_URLLoader_Impl : public Resource, public WebKit::WebURLLoaderClient { // Converts a WebURLResponse to a URLResponseInfo and saves it. void SaveResponse(const WebKit::WebURLResponse& response); - int32_t CanRequest(const WebKit::WebFrame* frame, const WebKit::WebURL& url); - // Calls the status_callback_ (if any) with the current upload and download // progress. Call this function if you update any of these values to // synchronize an out-of-process plugin's state. |