services/network/cors/cors_url_loader.cc - chromium/src - Git at Google

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "services/network/cors/cors_url_loader.h"

 #include "base/stl_util.h"
 #include "services/network/cors/preflight_controller.h"
 #include "services/network/public/cpp/cors/cors.h"
 #include "url/url_util.h"

 namespace network {

 namespace cors {

 namespace {

 bool CalculateCORSFlag(const ResourceRequest& request) {
   if (request.fetch_request_mode == mojom::FetchRequestMode::kNavigate)
     return false;
   url::Origin url_origin = url::Origin::Create(request.url);
   if (!request.request_initiator.has_value())
     return true;
   url::Origin security_origin(request.request_initiator.value());
   return !security_origin.IsSameOriginWith(url_origin);
 }

 base::Optional<std::string> GetHeaderString(
     const scoped_refptr<net::HttpResponseHeaders>& headers,
     const std::string& header_name) {
   std::string header_value;
   if (!headers->GetNormalizedHeader(header_name, &header_value))
     return base::nullopt;
   return header_value;
 }

 bool NeedsPreflight(const ResourceRequest& request) {
   if (request.is_external_request)
     return true;

   if (request.fetch_request_mode ==
       mojom::FetchRequestMode::kCORSWithForcedPreflight) {
     return true;
   }

   if (!IsCORSSafelistedMethod(request.method))
     return true;

   for (const auto& header : request.headers.GetHeaderVector()) {
     if (!IsCORSSafelistedHeader(header.key, header.value) &&
         !IsForbiddenHeader(header.key)) {
       return true;
     }
   }
   return false;
 }

 }  // namespace

 // TODO(toyoshim): This class still lacks right CORS checks in redirects.
 // See http://crbug/736308 to track the progress.
 CORSURLLoader::CORSURLLoader(
     int32_t routing_id,
     int32_t request_id,
     uint32_t options,
     const ResourceRequest& resource_request,
     mojom::URLLoaderClientPtr client,
     const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
     mojom::URLLoaderFactory* network_loader_factory,
     const base::RepeatingCallback<void(int)>& preflight_finalizer)
     : network_loader_factory_(network_loader_factory),
       network_client_binding_(this),
       request_(resource_request),
       forwarding_client_(std::move(client)),
       last_response_url_(resource_request.url),
       fetch_cors_flag_(CalculateCORSFlag(resource_request)),
       weak_factory_(this) {
   DCHECK(network_loader_factory_);
   DCHECK(resource_request.request_initiator);

   if (fetch_cors_flag_ &&
       request_.fetch_request_mode == mojom::FetchRequestMode::kSameOrigin) {
     forwarding_client_->OnComplete(URLLoaderCompletionStatus(
         CORSErrorStatus(mojom::CORSError::kDisallowedByMode)));
     forwarding_client_.reset();
     return;
   }

   if (fetch_cors_flag_ &&
       cors::IsCORSEnabledRequestMode(request_.fetch_request_mode)) {
     // Username and password should be stripped in a CORS-enabled request.
     if (request_.url.has_username() || request_.url.has_password()) {
       GURL::Replacements replacements;
       replacements.SetUsernameStr("");
       replacements.SetPasswordStr("");
       request_.url = request_.url.ReplaceComponents(replacements);
       last_response_url_ = request_.url;
     }
   }

   if (fetch_cors_flag_) {
     request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin,
                                request_.request_initiator->Serialize());
   }

   if (!fetch_cors_flag_ || !NeedsPreflight(request_)) {
     StartNetworkRequest(routing_id, request_id, options, traffic_annotation,
                         base::nullopt);
     return;
   }

   base::OnceCallback<void()> preflight_finalizer_for_request;
   if (preflight_finalizer) {
     preflight_finalizer_for_request =
         base::BindOnce(preflight_finalizer, request_id);
   }

   PreflightController::GetDefaultController()->PerformPreflightCheck(
       base::BindOnce(&CORSURLLoader::StartNetworkRequest,
                      weak_factory_.GetWeakPtr(), routing_id, request_id,
                      options, traffic_annotation),
       request_id, request_,
       net::NetworkTrafficAnnotationTag(traffic_annotation),
       network_loader_factory, std::move(preflight_finalizer_for_request));
 }

 CORSURLLoader::~CORSURLLoader() {}

 void CORSURLLoader::FollowRedirect(
     const base::Optional<std::vector<std::string>>&
         to_be_removed_request_headers,
     const base::Optional<net::HttpRequestHeaders>& modified_request_headers) {
   DCHECK(!to_be_removed_request_headers.has_value());
   DCHECK(!modified_request_headers.has_value()) << "Redirect with modified "
                                                    "headers was not supported "
                                                    "yet. crbug.com/845683";
   DCHECK(network_loader_);
   DCHECK(is_waiting_follow_redirect_call_);
   is_waiting_follow_redirect_call_ = false;
   network_loader_->FollowRedirect(base::nullopt, base::nullopt);
 }

 void CORSURLLoader::ProceedWithResponse() {
   NOTREACHED();
 }

 void CORSURLLoader::SetPriority(net::RequestPriority priority,
                                 int32_t intra_priority_value) {
   if (network_loader_)
     network_loader_->SetPriority(priority, intra_priority_value);
 }

 void CORSURLLoader::PauseReadingBodyFromNet() {
   DCHECK(!is_waiting_follow_redirect_call_);
   if (network_loader_)
     network_loader_->PauseReadingBodyFromNet();
 }

 void CORSURLLoader::ResumeReadingBodyFromNet() {
   DCHECK(!is_waiting_follow_redirect_call_);
   if (network_loader_)
     network_loader_->ResumeReadingBodyFromNet();
 }

 void CORSURLLoader::OnReceiveResponse(
     const ResourceResponseHead& response_head) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   if (fetch_cors_flag_ &&
       IsCORSEnabledRequestMode(request_.fetch_request_mode)) {
     // TODO(toyoshim): Reflect --allow-file-access-from-files flag.
     base::Optional<mojom::CORSError> cors_error = CheckAccess(
         last_response_url_, response_head.headers->response_code(),
         GetHeaderString(response_head.headers,
                         header_names::kAccessControlAllowOrigin),
         GetHeaderString(response_head.headers,
                         header_names::kAccessControlAllowCredentials),
         request_.fetch_credentials_mode, *request_.request_initiator);
     if (cors_error) {
       // TODO(toyoshim): Generate related_response_headers here.
       CORSErrorStatus cors_error_status(*cors_error);
       HandleComplete(URLLoaderCompletionStatus(cors_error_status));
       return;
     }
   }
   forwarding_client_->OnReceiveResponse(response_head);
 }

 void CORSURLLoader::OnReceiveRedirect(
     const net::RedirectInfo& redirect_info,
     const ResourceResponseHead& response_head) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);

   // TODO(toyoshim): Following code expects OnReceivedRedirect is invoked
   // asynchronously, and |last_response_url_| and other methods should not be
   // accessed until FollowRedirect() is called.
   // We need to ensure callback behaviors once redirect implementation in this
   // class is ready for testing.
   is_waiting_follow_redirect_call_ = true;
   last_response_url_ = redirect_info.new_url;
   forwarding_client_->OnReceiveRedirect(redirect_info, response_head);
 }

 void CORSURLLoader::OnUploadProgress(int64_t current_position,
                                      int64_t total_size,
                                      OnUploadProgressCallback ack_callback) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   forwarding_client_->OnUploadProgress(current_position, total_size,
                                        std::move(ack_callback));
 }

 void CORSURLLoader::OnReceiveCachedMetadata(const std::vector<uint8_t>& data) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   forwarding_client_->OnReceiveCachedMetadata(data);
 }

 void CORSURLLoader::OnTransferSizeUpdated(int32_t transfer_size_diff) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   forwarding_client_->OnTransferSizeUpdated(transfer_size_diff);
 }

 void CORSURLLoader::OnStartLoadingResponseBody(
     mojo::ScopedDataPipeConsumerHandle body) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   forwarding_client_->OnStartLoadingResponseBody(std::move(body));
 }

 void CORSURLLoader::OnComplete(const URLLoaderCompletionStatus& status) {
   DCHECK(network_loader_);
   DCHECK(forwarding_client_);
   DCHECK(!is_waiting_follow_redirect_call_);
   HandleComplete(status);
 }

 void CORSURLLoader::StartNetworkRequest(
     int32_t routing_id,
     int32_t request_id,
     uint32_t options,
     const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
     base::Optional<CORSErrorStatus> status) {
   if (status) {
     forwarding_client_->OnComplete(URLLoaderCompletionStatus(*status));
     forwarding_client_.reset();
     return;
   }

   mojom::URLLoaderClientPtr network_client;
   network_client_binding_.Bind(mojo::MakeRequest(&network_client));
   // Binding |this| as an unretained pointer is safe because
   // |network_client_binding_| shares this object's lifetime.
   network_client_binding_.set_connection_error_handler(base::BindOnce(
       &CORSURLLoader::OnUpstreamConnectionError, base::Unretained(this)));
   network_loader_factory_->CreateLoaderAndStart(
       mojo::MakeRequest(&network_loader_), routing_id, request_id, options,
       request_, std::move(network_client), traffic_annotation);
 }

 void CORSURLLoader::OnUpstreamConnectionError() {
   // |network_client_binding_| has experienced a connection error and will no
   // longer call any of the mojom::URLLoaderClient methods above. The client
   // pipe to the downstream client is closed to inform it of this failure. The
   // client should respond by closing its mojom::URLLoader pipe which will cause
   // this object to be destroyed.
   forwarding_client_.reset();
 }

 void CORSURLLoader::HandleComplete(const URLLoaderCompletionStatus& status) {
   forwarding_client_->OnComplete(status);

   // Close pipes to ignore possible subsequent callback invocations.
   network_client_binding_.Close();

   forwarding_client_.reset();
   network_loader_.reset();
 }

 }  // namespace cors

 }  // namespace network
	// Copyright 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "services/network/cors/cors_url_loader.h"

	#include "base/stl_util.h"
	#include "services/network/cors/preflight_controller.h"
	#include "services/network/public/cpp/cors/cors.h"
	#include "url/url_util.h"

	namespace network {

	namespace cors {

	namespace {

	bool CalculateCORSFlag(const ResourceRequest& request) {
	if (request.fetch_request_mode == mojom::FetchRequestMode::kNavigate)
	return false;
	url::Origin url_origin = url::Origin::Create(request.url);
	if (!request.request_initiator.has_value())
	return true;
	url::Origin security_origin(request.request_initiator.value());
	return !security_origin.IsSameOriginWith(url_origin);
	}

	base::Optional<std::string> GetHeaderString(
	const scoped_refptr<net::HttpResponseHeaders>& headers,
	const std::string& header_name) {
	std::string header_value;
	if (!headers->GetNormalizedHeader(header_name, &header_value))
	return base::nullopt;
	return header_value;
	}

	bool NeedsPreflight(const ResourceRequest& request) {
	if (request.is_external_request)
	return true;

	if (request.fetch_request_mode ==
	mojom::FetchRequestMode::kCORSWithForcedPreflight) {
	return true;
	}

	if (!IsCORSSafelistedMethod(request.method))
	return true;

	for (const auto& header : request.headers.GetHeaderVector()) {
	if (!IsCORSSafelistedHeader(header.key, header.value) &&
	!IsForbiddenHeader(header.key)) {
	return true;
	}
	}
	return false;
	}

	} // namespace

	// TODO(toyoshim): This class still lacks right CORS checks in redirects.
	// See http://crbug/736308 to track the progress.
	CORSURLLoader::CORSURLLoader(
	int32_t routing_id,
	int32_t request_id,
	uint32_t options,
	const ResourceRequest& resource_request,
	mojom::URLLoaderClientPtr client,
	const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
	mojom::URLLoaderFactory* network_loader_factory,
	const base::RepeatingCallback<void(int)>& preflight_finalizer)
	: network_loader_factory_(network_loader_factory),
	network_client_binding_(this),
	request_(resource_request),
	forwarding_client_(std::move(client)),
	last_response_url_(resource_request.url),
	fetch_cors_flag_(CalculateCORSFlag(resource_request)),
	weak_factory_(this) {
	DCHECK(network_loader_factory_);
	DCHECK(resource_request.request_initiator);

	if (fetch_cors_flag_ &&
	request_.fetch_request_mode == mojom::FetchRequestMode::kSameOrigin) {
	forwarding_client_->OnComplete(URLLoaderCompletionStatus(
	CORSErrorStatus(mojom::CORSError::kDisallowedByMode)));
	forwarding_client_.reset();
	return;
	}

	if (fetch_cors_flag_ &&
	cors::IsCORSEnabledRequestMode(request_.fetch_request_mode)) {
	// Username and password should be stripped in a CORS-enabled request.
	if (request_.url.has_username() \|\| request_.url.has_password()) {
	GURL::Replacements replacements;
	replacements.SetUsernameStr("");
	replacements.SetPasswordStr("");
	request_.url = request_.url.ReplaceComponents(replacements);
	last_response_url_ = request_.url;
	}
	}

	if (fetch_cors_flag_) {
	request_.headers.SetHeader(net::HttpRequestHeaders::kOrigin,
	request_.request_initiator->Serialize());
	}

	if (!fetch_cors_flag_ \|\| !NeedsPreflight(request_)) {
	StartNetworkRequest(routing_id, request_id, options, traffic_annotation,
	base::nullopt);
	return;
	}

	base::OnceCallback<void()> preflight_finalizer_for_request;
	if (preflight_finalizer) {
	preflight_finalizer_for_request =
	base::BindOnce(preflight_finalizer, request_id);
	}

	PreflightController::GetDefaultController()->PerformPreflightCheck(
	base::BindOnce(&CORSURLLoader::StartNetworkRequest,
	weak_factory_.GetWeakPtr(), routing_id, request_id,
	options, traffic_annotation),
	request_id, request_,
	net::NetworkTrafficAnnotationTag(traffic_annotation),
	network_loader_factory, std::move(preflight_finalizer_for_request));
	}

	CORSURLLoader::~CORSURLLoader() {}

	void CORSURLLoader::FollowRedirect(
	const base::Optional<std::vector<std::string>>&
	to_be_removed_request_headers,
	const base::Optional<net::HttpRequestHeaders>& modified_request_headers) {
	DCHECK(!to_be_removed_request_headers.has_value());
	DCHECK(!modified_request_headers.has_value()) << "Redirect with modified "
	"headers was not supported "
	"yet. crbug.com/845683";
	DCHECK(network_loader_);
	DCHECK(is_waiting_follow_redirect_call_);
	is_waiting_follow_redirect_call_ = false;
	network_loader_->FollowRedirect(base::nullopt, base::nullopt);
	}

	void CORSURLLoader::ProceedWithResponse() {
	NOTREACHED();
	}

	void CORSURLLoader::SetPriority(net::RequestPriority priority,
	int32_t intra_priority_value) {
	if (network_loader_)
	network_loader_->SetPriority(priority, intra_priority_value);
	}

	void CORSURLLoader::PauseReadingBodyFromNet() {
	DCHECK(!is_waiting_follow_redirect_call_);
	if (network_loader_)
	network_loader_->PauseReadingBodyFromNet();
	}

	void CORSURLLoader::ResumeReadingBodyFromNet() {
	DCHECK(!is_waiting_follow_redirect_call_);
	if (network_loader_)
	network_loader_->ResumeReadingBodyFromNet();
	}

	void CORSURLLoader::OnReceiveResponse(
	const ResourceResponseHead& response_head) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	if (fetch_cors_flag_ &&
	IsCORSEnabledRequestMode(request_.fetch_request_mode)) {
	// TODO(toyoshim): Reflect --allow-file-access-from-files flag.
	base::Optional<mojom::CORSError> cors_error = CheckAccess(
	last_response_url_, response_head.headers->response_code(),
	GetHeaderString(response_head.headers,
	header_names::kAccessControlAllowOrigin),
	GetHeaderString(response_head.headers,
	header_names::kAccessControlAllowCredentials),
	request_.fetch_credentials_mode, *request_.request_initiator);
	if (cors_error) {
	// TODO(toyoshim): Generate related_response_headers here.
	CORSErrorStatus cors_error_status(*cors_error);
	HandleComplete(URLLoaderCompletionStatus(cors_error_status));
	return;
	}
	}
	forwarding_client_->OnReceiveResponse(response_head);
	}

	void CORSURLLoader::OnReceiveRedirect(
	const net::RedirectInfo& redirect_info,
	const ResourceResponseHead& response_head) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);

	// TODO(toyoshim): Following code expects OnReceivedRedirect is invoked
	// asynchronously, and \|last_response_url_\| and other methods should not be
	// accessed until FollowRedirect() is called.
	// We need to ensure callback behaviors once redirect implementation in this
	// class is ready for testing.
	is_waiting_follow_redirect_call_ = true;
	last_response_url_ = redirect_info.new_url;
	forwarding_client_->OnReceiveRedirect(redirect_info, response_head);
	}

	void CORSURLLoader::OnUploadProgress(int64_t current_position,
	int64_t total_size,
	OnUploadProgressCallback ack_callback) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	forwarding_client_->OnUploadProgress(current_position, total_size,
	std::move(ack_callback));
	}

	void CORSURLLoader::OnReceiveCachedMetadata(const std::vector<uint8_t>& data) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	forwarding_client_->OnReceiveCachedMetadata(data);
	}

	void CORSURLLoader::OnTransferSizeUpdated(int32_t transfer_size_diff) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	forwarding_client_->OnTransferSizeUpdated(transfer_size_diff);
	}

	void CORSURLLoader::OnStartLoadingResponseBody(
	mojo::ScopedDataPipeConsumerHandle body) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	forwarding_client_->OnStartLoadingResponseBody(std::move(body));
	}

	void CORSURLLoader::OnComplete(const URLLoaderCompletionStatus& status) {
	DCHECK(network_loader_);
	DCHECK(forwarding_client_);
	DCHECK(!is_waiting_follow_redirect_call_);
	HandleComplete(status);
	}

	void CORSURLLoader::StartNetworkRequest(
	int32_t routing_id,
	int32_t request_id,
	uint32_t options,
	const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
	base::Optional<CORSErrorStatus> status) {
	if (status) {
	forwarding_client_->OnComplete(URLLoaderCompletionStatus(*status));
	forwarding_client_.reset();
	return;
	}

	mojom::URLLoaderClientPtr network_client;
	network_client_binding_.Bind(mojo::MakeRequest(&network_client));
	// Binding \|this\| as an unretained pointer is safe because
	// \|network_client_binding_\| shares this object's lifetime.
	network_client_binding_.set_connection_error_handler(base::BindOnce(
	&CORSURLLoader::OnUpstreamConnectionError, base::Unretained(this)));
	network_loader_factory_->CreateLoaderAndStart(
	mojo::MakeRequest(&network_loader_), routing_id, request_id, options,
	request_, std::move(network_client), traffic_annotation);
	}

	void CORSURLLoader::OnUpstreamConnectionError() {
	// \|network_client_binding_\| has experienced a connection error and will no
	// longer call any of the mojom::URLLoaderClient methods above. The client
	// pipe to the downstream client is closed to inform it of this failure. The
	// client should respond by closing its mojom::URLLoader pipe which will cause
	// this object to be destroyed.
	forwarding_client_.reset();
	}

	void CORSURLLoader::HandleComplete(const URLLoaderCompletionStatus& status) {
	forwarding_client_->OnComplete(status);

	// Close pipes to ignore possible subsequent callback invocations.
	network_client_binding_.Close();

	forwarding_client_.reset();
	network_loader_.reset();
	}

	} // namespace cors

	} // namespace network