diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-10-24 11:30:15 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-10-30 12:56:19 +0000 |
commit | 6036726eb981b6c4b42047513b9d3f4ac865daac (patch) | |
tree | 673593e70678e7789766d1f732eb51f613a2703b /chromium/third_party/blink/renderer/core/loader/modulescript | |
parent | 466052c4e7c052268fd931888cd58961da94c586 (diff) | |
download | qtwebengine-chromium-6036726eb981b6c4b42047513b9d3f4ac865daac.tar.gz |
BASELINE: Update Chromium to 70.0.3538.78
Change-Id: Ie634710bf039e26c1957f4ae45e101bd4c434ae7
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/core/loader/modulescript')
8 files changed, 66 insertions, 45 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/document_module_script_fetcher.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/document_module_script_fetcher.cc index 81cbd3aba62..da5a8736d80 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/document_module_script_fetcher.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/document_module_script_fetcher.cc @@ -6,8 +6,8 @@ #include "third_party/blink/renderer/core/inspector/console_message.h" #include "third_party/blink/renderer/core/script/layered_api.h" +#include "third_party/blink/renderer/platform/bindings/parkable_string.h" #include "third_party/blink/renderer/platform/runtime_enabled_features.h" -#include "third_party/blink/renderer/platform/wtf/text/movable_string.h" #include "third_party/blink/renderer/platform/wtf/vector.h" namespace blink { @@ -44,8 +44,7 @@ void DocumentModuleScriptFetcher::NotifyFinished(Resource* resource) { ModuleScriptCreationParams params( script_resource->GetResponse().Url(), script_resource->SourceText(), script_resource->GetResourceRequest().GetFetchCredentialsMode(), - script_resource->CalculateAccessControlStatus( - fetcher_->Context().GetSecurityOrigin())); + script_resource->CalculateAccessControlStatus()); client_->NotifyFetchFinished(params, error_messages); } @@ -77,7 +76,7 @@ bool DocumentModuleScriptFetcher::FetchIfLayeredAPI( } ModuleScriptCreationParams params( - layered_api_url, MovableString(source_text.ReleaseImpl()), + layered_api_url, ParkableString(source_text.ReleaseImpl()), fetch_params.GetResourceRequest().GetFetchCredentialsMode(), kSharableCrossOrigin); client_->NotifyFetchFinished(params, HeapVector<Member<ConsoleMessage>>()); diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_creation_params.h b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_creation_params.h index f9d9b548116..a161709660c 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_creation_params.h +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_creation_params.h @@ -7,10 +7,10 @@ #include "base/optional.h" #include "third_party/blink/public/platform/web_url_request.h" +#include "third_party/blink/renderer/platform/bindings/parkable_string.h" #include "third_party/blink/renderer/platform/cross_thread_copier.h" #include "third_party/blink/renderer/platform/loader/fetch/access_control_status.h" #include "third_party/blink/renderer/platform/weborigin/kurl.h" -#include "third_party/blink/renderer/platform/wtf/text/movable_string.h" #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h" namespace blink { @@ -20,7 +20,7 @@ class ModuleScriptCreationParams { public: ModuleScriptCreationParams( const KURL& response_url, - const MovableString& source_text, + const ParkableString& source_text, network::mojom::FetchCredentialsMode fetch_credentials_mode, AccessControlStatus access_control_status) : response_url_(response_url), @@ -39,10 +39,10 @@ class ModuleScriptCreationParams { GetFetchCredentialsMode(), GetAccessControlStatus()); } - const KURL& GetResponseUrl() const { return response_url_; }; - const MovableString& GetSourceText() const { + const KURL& GetResponseUrl() const { return response_url_; } + const ParkableString& GetSourceText() const { if (is_isolated_) { - source_text_ = MovableString(isolated_source_text_.ReleaseImpl()); + source_text_ = ParkableString(isolated_source_text_.ReleaseImpl()); isolated_source_text_ = String(); is_isolated_ = false; } @@ -78,7 +78,7 @@ class ModuleScriptCreationParams { // Mutable because an isolated copy can become bound to a thread when // calling GetSourceText(). mutable bool is_isolated_; - mutable MovableString source_text_; + mutable ParkableString source_text_; mutable String isolated_source_text_; const network::mojom::FetchCredentialsMode fetch_credentials_mode_; diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_fetch_request.h b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_fetch_request.h index 687c8cfa85a..518c7d4bf62 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_fetch_request.h +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_fetch_request.h @@ -8,7 +8,6 @@ #include "third_party/blink/public/platform/web_url_request.h" #include "third_party/blink/renderer/platform/loader/fetch/script_fetch_options.h" #include "third_party/blink/renderer/platform/weborigin/kurl.h" -#include "third_party/blink/renderer/platform/weborigin/referrer.h" #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h" namespace blink { @@ -24,32 +23,32 @@ class ModuleScriptFetchRequest final { ModuleScriptFetchRequest(const KURL& url, WebURLRequest::RequestContext destination, const ScriptFetchOptions& options, - const Referrer& referrer, + const String& referrer_string, const TextPosition& referrer_position) : url_(url), destination_(destination), options_(options), - referrer_(referrer), + referrer_string_(referrer_string), referrer_position_(referrer_position) {} static ModuleScriptFetchRequest CreateForTest(const KURL& url) { - return ModuleScriptFetchRequest(url, WebURLRequest::kRequestContextScript, - ScriptFetchOptions(), Referrer(), - TextPosition::MinimumPosition()); + return ModuleScriptFetchRequest( + url, WebURLRequest::kRequestContextScript, ScriptFetchOptions(), + Referrer::ClientReferrerString(), TextPosition::MinimumPosition()); } ~ModuleScriptFetchRequest() = default; const KURL& Url() const { return url_; } WebURLRequest::RequestContext Destination() const { return destination_; } const ScriptFetchOptions& Options() const { return options_; } - const Referrer& GetReferrer() const { return referrer_; } + const String& ReferrerString() const { return referrer_string_; } const TextPosition& GetReferrerPosition() const { return referrer_position_; } private: const KURL url_; const WebURLRequest::RequestContext destination_; const ScriptFetchOptions options_; - const Referrer referrer_; + const String referrer_string_; const TextPosition referrer_position_; }; diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc index 5b6548957fa..9ba4cfc2814 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc @@ -92,7 +92,7 @@ void ModuleScriptLoader::Fetch( custom_fetch_type); } -// https://html.spec.whatwg.org/#fetch-a-single-module-script +// https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-single-module-script void ModuleScriptLoader::FetchInternal( const ModuleScriptFetchRequest& module_request, FetchClientSettingsObjectSnapshot* fetch_client_settings_object, @@ -122,13 +122,13 @@ void ModuleScriptLoader::FetchInternal( options.parser_disposition = options_.ParserState(); // As initiator for module script fetch is not specified in HTML spec, - // we specity "" as initiator per: + // we specify "" as initiator per: // https://fetch.spec.whatwg.org/#concept-request-initiator options.initiator_info.name = g_empty_atom; if (level == ModuleGraphLevel::kDependentModuleFetch) { options.initiator_info.imported_module_referrer = - module_request.GetReferrer().referrer; + module_request.ReferrerString(); options.initiator_info.position = module_request.GetReferrerPosition(); } @@ -145,6 +145,12 @@ void ModuleScriptLoader::FetchInternal( // cryptographic nonce, ..." [spec text] fetch_params.SetContentSecurityPolicyNonce(options_.Nonce()); + // [SMSR] "... its referrer policy to options's referrer policy." [spec text] + // Note: For now this is done below with SetHTTPReferrer() + ReferrerPolicy referrer_policy = module_request.Options().GetReferrerPolicy(); + if (referrer_policy == kReferrerPolicyDefault) + referrer_policy = fetch_client_settings_object->GetReferrerPolicy(); + // Step 5. "... mode is "cors", ..." // [SMSR] "... and its credentials mode to options's credentials mode." // [spec text] @@ -153,14 +159,23 @@ void ModuleScriptLoader::FetchInternal( options_.CredentialsMode()); // Step 5. "... referrer is referrer, ..." [spec text] + // Note: For now this is done below with SetHTTPReferrer() + String referrer_string = module_request.ReferrerString(); + if (referrer_string == Referrer::ClientReferrerString()) + referrer_string = fetch_client_settings_object->GetOutgoingReferrer(); + + // TODO(domfarolino): Stop storing ResourceRequest's referrer as a + // blink::Referrer (https://crbug.com/850813). fetch_params.MutableResourceRequest().SetHTTPReferrer( - module_request.GetReferrer()); + SecurityPolicy::GenerateReferrer(referrer_policy, + fetch_params.GetResourceRequest().Url(), + referrer_string)); // Step 5. "... and client is fetch client settings object." [spec text] // -> set by ResourceFetcher // Note: The fetch request's "origin" isn't specified in - // https://html.spec.whatwg.org/#fetch-a-single-module-script + // https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-single-module-script // Thus, the "origin" is "client" per // https://fetch.spec.whatwg.org/#concept-request-origin diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc index 0e9271fc523..a89913ce278 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc @@ -186,13 +186,15 @@ void ModuleScriptLoaderTest::InitializeForWorklet() { GetDocument().Url(), ScriptType::kModule, GetDocument().UserAgent(), Vector<CSPHeaderAndType>(), GetDocument().GetReferrerPolicy(), GetDocument().GetSecurityOrigin(), GetDocument().IsSecureContext(), - nullptr /* worker_clients */, GetDocument().AddressSpace(), + GetDocument().GetHttpsState(), nullptr /* worker_clients */, + GetDocument().AddressSpace(), OriginTrialContext::GetTokens(&GetDocument()).get(), base::UnguessableToken::Create(), nullptr /* worker_settings */, kV8CacheOptionsDefault, new WorkletModuleResponsesMap); global_scope_ = new MainThreadWorkletGlobalScope( &GetFrame(), std::move(creation_params), *reporting_proxy_); - global_scope_->ScriptController()->InitializeContextIfNeeded("Dummy Context"); + global_scope_->ScriptController()->InitializeContextIfNeeded("Dummy Context", + NullURL()); modulator_ = new ModuleScriptLoaderTestModulator( global_scope_->ScriptController()->GetScriptState(), GetDocument().GetSecurityOrigin(), fetcher); diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_tree_linker.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_tree_linker.cc index 67a0ecfa41a..bfd13580d31 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_tree_linker.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_tree_linker.cc @@ -163,10 +163,8 @@ void ModuleTreeLinker::FetchRoot(const KURL& original_url, // href="https://github.com/drufball/layered-apis/blob/master/spec.md#fetch-a-module-script-graph" // step="1">Set url to the layered API fetching URL given url and the current // settings object's API base URL.</spec> - if (RuntimeEnabledFeatures::LayeredAPIEnabled()) { - url = blink::layered_api::ResolveFetchingURL( - url, fetch_client_settings_object_->BaseURL()); - } + if (RuntimeEnabledFeatures::LayeredAPIEnabled()) + url = blink::layered_api::ResolveFetchingURL(url); #if DCHECK_IS_ON() url_ = url; @@ -188,13 +186,11 @@ void ModuleTreeLinker::FetchRoot(const KURL& original_url, visited_set_.insert(url); // Step 2. Perform the internal module script graph fetching procedure given - // ... with the top-level module fetch flag set. ... - ModuleScriptFetchRequest request( - url, destination_, options, - SecurityPolicy::GenerateReferrer( - options.GetReferrerPolicy(), url, - fetch_client_settings_object_->GetOutgoingReferrer()), - TextPosition::MinimumPosition()); + // url, settings object, destination, options, settings object, visited set, + // "client", and with the top-level module fetch flag set. + ModuleScriptFetchRequest request(url, destination_, options, + Referrer::ClientReferrerString(), + TextPosition::MinimumPosition()); InitiateInternalModuleScriptGraphFetching( request, ModuleGraphLevel::kTopLevelModuleFetch); @@ -386,11 +382,9 @@ void ModuleTreeLinker::FetchDescendants(ModuleScript* module_script) { // procedure given url, fetch client settings object, destination, options, // module script's settings object, visited set, module script's base URL, // and with the top-level module fetch flag unset. ... - ModuleScriptFetchRequest request( - urls[i], destination_, options, - SecurityPolicy::GenerateReferrer(options.GetReferrerPolicy(), urls[i], - module_script->BaseURL().GetString()), - positions[i]); + ModuleScriptFetchRequest request(urls[i], destination_, options, + module_script->BaseURL().GetString(), + positions[i]); InitiateInternalModuleScriptGraphFetching( request, ModuleGraphLevel::kDependentModuleFetch); } diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc index 54878e001e2..092915a99d8 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc @@ -4,6 +4,7 @@ #include "third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.h" +#include "third_party/blink/renderer/core/inspector/console_message.h" #include "third_party/blink/renderer/core/workers/worker_global_scope.h" #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h" #include "third_party/blink/renderer/platform/network/http_names.h" @@ -61,6 +62,19 @@ void WorkerModuleScriptFetcher::NotifyFinished(Resource* resource) { // and run them after module loading. This may require the spec change. // (https://crbug.com/845285) + // Ensure redirects don't affect SecurityOrigin. + const KURL request_url = resource->Url(); + const KURL response_url = resource->GetResponse().Url(); + if (request_url != response_url && + !global_scope_->GetSecurityOrigin()->IsSameSchemeHostPort( + SecurityOrigin::Create(response_url).get())) { + error_messages.push_back(ConsoleMessage::Create( + kSecurityMessageSource, kErrorMessageLevel, + "Refused to cross-origin redirects of the top-level worker script.")); + client_->NotifyFetchFinished(base::nullopt, error_messages); + return; + } + // Step 13.3. "Set worker global scope's url to response's url." [spec text] // Step 13.4. "Set worker global scope's HTTPS state to response's HTTPS // state." [spec text] @@ -85,8 +99,7 @@ void WorkerModuleScriptFetcher::NotifyFinished(Resource* resource) { ModuleScriptCreationParams params( script_resource->GetResponse().Url(), script_resource->SourceText(), script_resource->GetResourceRequest().GetFetchCredentialsMode(), - script_resource->CalculateAccessControlStatus( - global_scope_->EnsureFetcher()->Context().GetSecurityOrigin())); + script_resource->CalculateAccessControlStatus()); // Step 13.7. "Asynchronously complete the perform the fetch steps with // response." [spec text] diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/worklet_module_script_fetcher.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/worklet_module_script_fetcher.cc index 4edfaeadd2d..b14d8929c2a 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/worklet_module_script_fetcher.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/worklet_module_script_fetcher.cc @@ -51,8 +51,7 @@ void WorkletModuleScriptFetcher::NotifyFinished(Resource* resource) { params.emplace( script_resource->GetResponse().Url(), script_resource->SourceText(), script_resource->GetResourceRequest().GetFetchCredentialsMode(), - script_resource->CalculateAccessControlStatus( - fetcher_->Context().GetSecurityOrigin())); + script_resource->CalculateAccessControlStatus()); } // This will eventually notify |client| passed to |