/* * Copyright (C) 2010, 2011, 2012 Google Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following disclaimer * in the documentation and/or other materials provided with the * distribution. * * Neither the name of Google Inc. nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "web/WebAssociatedURLLoaderImpl.h" #include "core/dom/ContextLifecycleObserver.h" #include "core/fetch/CrossOriginAccessControl.h" #include "core/fetch/FetchUtils.h" #include "core/loader/DocumentThreadableLoader.h" #include "core/loader/DocumentThreadableLoaderClient.h" #include "platform/Timer.h" #include "platform/exported/WrappedResourceRequest.h" #include "platform/exported/WrappedResourceResponse.h" #include "platform/network/HTTPParsers.h" #include "platform/network/ResourceError.h" #include "public/platform/WebHTTPHeaderVisitor.h" #include "public/platform/WebString.h" #include "public/platform/WebURLError.h" #include "public/platform/WebURLRequest.h" #include "public/web/WebAssociatedURLLoaderClient.h" #include "public/web/WebDataSource.h" #include "web/WebLocalFrameImpl.h" #include "wtf/HashSet.h" #include "wtf/PtrUtil.h" #include "wtf/text/WTFString.h" #include #include namespace blink { namespace { class HTTPRequestHeaderValidator : public WebHTTPHeaderVisitor { WTF_MAKE_NONCOPYABLE(HTTPRequestHeaderValidator); public: HTTPRequestHeaderValidator() : m_isSafe(true) {} ~HTTPRequestHeaderValidator() override {} void visitHeader(const WebString& name, const WebString& value) override; bool isSafe() const { return m_isSafe; } private: bool m_isSafe; }; void HTTPRequestHeaderValidator::visitHeader(const WebString& name, const WebString& value) { m_isSafe = m_isSafe && isValidHTTPToken(name) && !FetchUtils::isForbiddenHeaderName(name) && isValidHTTPHeaderValue(value); } } // namespace // This class bridges the interface differences between WebCore and WebKit // loader clients. // It forwards its ThreadableLoaderClient notifications to a // WebAssociatedURLLoaderClient. class WebAssociatedURLLoaderImpl::ClientAdapter final : public DocumentThreadableLoaderClient { WTF_MAKE_NONCOPYABLE(ClientAdapter); public: static std::unique_ptr create( WebAssociatedURLLoaderImpl*, WebAssociatedURLLoaderClient*, const WebAssociatedURLLoaderOptions&); // ThreadableLoaderClient void didSendData(unsigned long long /*bytesSent*/, unsigned long long /*totalBytesToBeSent*/) override; void didReceiveResponse(unsigned long, const ResourceResponse&, std::unique_ptr) override; void didDownloadData(int /*dataLength*/) override; void didReceiveData(const char*, unsigned /*dataLength*/) override; void didReceiveCachedMetadata(const char*, int /*dataLength*/) override; void didFinishLoading(unsigned long /*identifier*/, double /*finishTime*/) override; void didFail(const ResourceError&) override; void didFailRedirectCheck() override; // DocumentThreadableLoaderClient bool willFollowRedirect( const ResourceRequest& /*newRequest*/, const ResourceResponse& /*redirectResponse*/) override; // Sets an error to be reported back to the client, asychronously. void setDelayedError(const ResourceError&); // Enables forwarding of error notifications to the // WebAssociatedURLLoaderClient. These // must be deferred until after the call to // WebAssociatedURLLoader::loadAsynchronously() completes. void enableErrorNotifications(); // Stops loading and releases the DocumentThreadableLoader as early as // possible. WebAssociatedURLLoaderClient* releaseClient() { WebAssociatedURLLoaderClient* client = m_client; m_client = nullptr; return client; } private: ClientAdapter(WebAssociatedURLLoaderImpl*, WebAssociatedURLLoaderClient*, const WebAssociatedURLLoaderOptions&); void notifyError(TimerBase*); WebAssociatedURLLoaderImpl* m_loader; WebAssociatedURLLoaderClient* m_client; WebAssociatedURLLoaderOptions m_options; WebURLError m_error; Timer m_errorTimer; bool m_enableErrorNotifications; bool m_didFail; }; std::unique_ptr WebAssociatedURLLoaderImpl::ClientAdapter::create( WebAssociatedURLLoaderImpl* loader, WebAssociatedURLLoaderClient* client, const WebAssociatedURLLoaderOptions& options) { return wrapUnique(new ClientAdapter(loader, client, options)); } WebAssociatedURLLoaderImpl::ClientAdapter::ClientAdapter( WebAssociatedURLLoaderImpl* loader, WebAssociatedURLLoaderClient* client, const WebAssociatedURLLoaderOptions& options) : m_loader(loader), m_client(client), m_options(options), m_errorTimer(this, &ClientAdapter::notifyError), m_enableErrorNotifications(false), m_didFail(false) { DCHECK(m_loader); DCHECK(m_client); } bool WebAssociatedURLLoaderImpl::ClientAdapter::willFollowRedirect( const ResourceRequest& newRequest, const ResourceResponse& redirectResponse) { if (!m_client) return true; WrappedResourceRequest wrappedNewRequest(newRequest); WrappedResourceResponse wrappedRedirectResponse(redirectResponse); return m_client->willFollowRedirect(wrappedNewRequest, wrappedRedirectResponse); } void WebAssociatedURLLoaderImpl::ClientAdapter::didSendData( unsigned long long bytesSent, unsigned long long totalBytesToBeSent) { if (!m_client) return; m_client->didSendData(bytesSent, totalBytesToBeSent); } void WebAssociatedURLLoaderImpl::ClientAdapter::didReceiveResponse( unsigned long, const ResourceResponse& response, std::unique_ptr handle) { ALLOW_UNUSED_LOCAL(handle); DCHECK(!handle); if (!m_client) return; if (m_options.exposeAllResponseHeaders || m_options.crossOriginRequestPolicy != WebAssociatedURLLoaderOptions:: CrossOriginRequestPolicyUseAccessControl) { // Use the original ResourceResponse. m_client->didReceiveResponse(WrappedResourceResponse(response)); return; } HTTPHeaderSet exposedHeaders; extractCorsExposedHeaderNamesList(response, exposedHeaders); HTTPHeaderSet blockedHeaders; for (const auto& header : response.httpHeaderFields()) { if (FetchUtils::isForbiddenResponseHeaderName(header.key) || (!isOnAccessControlResponseHeaderWhitelist(header.key) && !exposedHeaders.contains(header.key))) blockedHeaders.add(header.key); } if (blockedHeaders.isEmpty()) { // Use the original ResourceResponse. m_client->didReceiveResponse(WrappedResourceResponse(response)); return; } // If there are blocked headers, copy the response so we can remove them. WebURLResponse validatedResponse = WrappedResourceResponse(response); for (const auto& header : blockedHeaders) validatedResponse.clearHTTPHeaderField(header); m_client->didReceiveResponse(validatedResponse); } void WebAssociatedURLLoaderImpl::ClientAdapter::didDownloadData( int dataLength) { if (!m_client) return; m_client->didDownloadData(dataLength); } void WebAssociatedURLLoaderImpl::ClientAdapter::didReceiveData( const char* data, unsigned dataLength) { if (!m_client) return; CHECK_LE(dataLength, static_cast(std::numeric_limits::max())); m_client->didReceiveData(data, dataLength); } void WebAssociatedURLLoaderImpl::ClientAdapter::didReceiveCachedMetadata( const char* data, int dataLength) { if (!m_client) return; m_client->didReceiveCachedMetadata(data, dataLength); } void WebAssociatedURLLoaderImpl::ClientAdapter::didFinishLoading( unsigned long identifier, double finishTime) { if (!m_client) return; m_loader->clientAdapterDone(); releaseClient()->didFinishLoading(finishTime); // |this| may be dead here. } void WebAssociatedURLLoaderImpl::ClientAdapter::didFail( const ResourceError& error) { if (!m_client) return; m_loader->clientAdapterDone(); m_didFail = true; m_error = WebURLError(error); if (m_enableErrorNotifications) notifyError(&m_errorTimer); } void WebAssociatedURLLoaderImpl::ClientAdapter::didFailRedirectCheck() { didFail(ResourceError()); } void WebAssociatedURLLoaderImpl::ClientAdapter::enableErrorNotifications() { m_enableErrorNotifications = true; // If an error has already been received, start a timer to report it to the // client after WebAssociatedURLLoader::loadAsynchronously has returned to the // caller. if (m_didFail) m_errorTimer.startOneShot(0, BLINK_FROM_HERE); } void WebAssociatedURLLoaderImpl::ClientAdapter::notifyError(TimerBase* timer) { DCHECK_EQ(timer, &m_errorTimer); if (m_client) releaseClient()->didFail(m_error); // |this| may be dead here. } class WebAssociatedURLLoaderImpl::Observer final : public GarbageCollected, public ContextLifecycleObserver { USING_GARBAGE_COLLECTED_MIXIN(Observer); public: Observer(WebAssociatedURLLoaderImpl* parent, Document* document) : ContextLifecycleObserver(document), m_parent(parent) {} void dispose() { m_parent = nullptr; clearContext(); } void contextDestroyed() override { if (m_parent) m_parent->documentDestroyed(); } DEFINE_INLINE_VIRTUAL_TRACE() { ContextLifecycleObserver::trace(visitor); } WebAssociatedURLLoaderImpl* m_parent; }; WebAssociatedURLLoaderImpl::WebAssociatedURLLoaderImpl( WebLocalFrameImpl* frameImpl, const WebAssociatedURLLoaderOptions& options) : m_client(nullptr), m_options(options), m_observer(new Observer(this, frameImpl->frame()->document())) {} WebAssociatedURLLoaderImpl::~WebAssociatedURLLoaderImpl() { cancel(); } #define STATIC_ASSERT_ENUM(a, b) \ static_assert(static_cast(a) == static_cast(b), \ "mismatching enum: " #a) STATIC_ASSERT_ENUM(WebAssociatedURLLoaderOptions::CrossOriginRequestPolicyDeny, DenyCrossOriginRequests); STATIC_ASSERT_ENUM( WebAssociatedURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl, UseAccessControl); STATIC_ASSERT_ENUM(WebAssociatedURLLoaderOptions::CrossOriginRequestPolicyAllow, AllowCrossOriginRequests); STATIC_ASSERT_ENUM(WebAssociatedURLLoaderOptions::ConsiderPreflight, ConsiderPreflight); STATIC_ASSERT_ENUM(WebAssociatedURLLoaderOptions::ForcePreflight, ForcePreflight); STATIC_ASSERT_ENUM(WebAssociatedURLLoaderOptions::PreventPreflight, PreventPreflight); void WebAssociatedURLLoaderImpl::loadAsynchronously( const WebURLRequest& request, WebAssociatedURLLoaderClient* client) { DCHECK(!m_client); DCHECK(!m_loader); DCHECK(!m_clientAdapter); DCHECK(client); bool allowLoad = true; WebURLRequest newRequest(request); if (m_options.untrustedHTTP) { WebString method = newRequest.httpMethod(); allowLoad = m_observer && isValidHTTPToken(method) && FetchUtils::isUsefulMethod(method); if (allowLoad) { newRequest.setHTTPMethod(FetchUtils::normalizeMethod(method)); HTTPRequestHeaderValidator validator; newRequest.visitHTTPHeaderFields(&validator); allowLoad = validator.isSafe(); } } m_client = client; m_clientAdapter = ClientAdapter::create(this, client, m_options); if (allowLoad) { ThreadableLoaderOptions options; options.preflightPolicy = static_cast(m_options.preflightPolicy); options.crossOriginRequestPolicy = static_cast( m_options.crossOriginRequestPolicy); ResourceLoaderOptions resourceLoaderOptions; resourceLoaderOptions.allowCredentials = m_options.allowCredentials ? AllowStoredCredentials : DoNotAllowStoredCredentials; resourceLoaderOptions.dataBufferingPolicy = DoNotBufferData; const ResourceRequest& webcoreRequest = newRequest.toResourceRequest(); if (webcoreRequest.requestContext() == WebURLRequest::RequestContextUnspecified) { // FIXME: We load URLs without setting a TargetType (and therefore a // request context) in several places in content/ // (P2PPortAllocatorSession::AllocateLegacyRelaySession, for example). // Remove this once those places are patched up. newRequest.setRequestContext(WebURLRequest::RequestContextInternal); } Document* document = toDocument(m_observer->lifecycleContext()); DCHECK(document); m_loader = DocumentThreadableLoader::create( *document, m_clientAdapter.get(), options, resourceLoaderOptions); m_loader->start(webcoreRequest); } if (!m_loader) { // FIXME: return meaningful error codes. m_clientAdapter->didFail(ResourceError()); } m_clientAdapter->enableErrorNotifications(); } void WebAssociatedURLLoaderImpl::cancel() { disposeObserver(); cancelLoader(); releaseClient(); } void WebAssociatedURLLoaderImpl::clientAdapterDone() { disposeObserver(); releaseClient(); } void WebAssociatedURLLoaderImpl::cancelLoader() { if (!m_clientAdapter) return; // Prevent invocation of the WebAssociatedURLLoaderClient methods. m_clientAdapter->releaseClient(); if (m_loader) { m_loader->cancel(); m_loader = nullptr; } m_clientAdapter.reset(); } void WebAssociatedURLLoaderImpl::setDefersLoading(bool defersLoading) { if (m_loader) m_loader->setDefersLoading(defersLoading); } void WebAssociatedURLLoaderImpl::setLoadingTaskRunner(blink::WebTaskRunner*) { // TODO(alexclarke): Maybe support this one day if it proves worthwhile. } void WebAssociatedURLLoaderImpl::documentDestroyed() { disposeObserver(); cancelLoader(); if (!m_client) return; releaseClient()->didFail(ResourceError()); // |this| may be dead here. } void WebAssociatedURLLoaderImpl::disposeObserver() { if (!m_observer) return; // TODO(tyoshino): Remove this assert once Document is fixed so that // contextDestroyed() is invoked for all kinds of Documents. // // Currently, the method of detecting Document destruction implemented here // doesn't work for all kinds of Documents. In case we reached here after // the Oilpan is destroyed, we just crash the renderer process to prevent // UaF. // // We could consider just skipping the rest of code in case // ThreadState::current() is null. However, the fact we reached here // without cancelling the loader means that it's possible there're some // non-Blink non-on-heap objects still facing on-heap Blink objects. E.g. // there could be a WebURLLoader instance behind the // DocumentThreadableLoader instance. So, for safety, we chose to just // crash here. CHECK(ThreadState::current()); m_observer->dispose(); m_observer = nullptr; } } // namespace blink