1/*
2 * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
14 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
15 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
17 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
18 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
19 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
21 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
22 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
23 * THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#pragma once
27
28#include "UserContentControllerIdentifier.h"
29#include <WebCore/ContentExtensionActions.h>
30#include <WebCore/ContentSecurityPolicyResponseHeaders.h>
31#include <WebCore/FetchOptions.h>
32#include <WebCore/NetworkLoadInformation.h>
33#include <WebCore/ResourceError.h>
34#include <wtf/CompletionHandler.h>
35#include <wtf/Expected.h>
36#include <wtf/Variant.h>
37#include <wtf/WeakPtr.h>
38
39namespace WebCore {
40class ContentSecurityPolicy;
41struct ContentSecurityPolicyClient;
42class SecurityOrigin;
43enum class PreflightPolicy : uint8_t;
44enum class StoredCredentialsPolicy : uint8_t;
45}
46
47namespace WebKit {
48
49class NetworkCORSPreflightChecker;
50class NetworkProcess;
51
52class NetworkLoadChecker : public CanMakeWeakPtr<NetworkLoadChecker> {
53 WTF_MAKE_FAST_ALLOCATED;
54public:
55 enum class LoadType : bool { MainFrame, Other };
56
57 NetworkLoadChecker(NetworkProcess&, WebCore::FetchOptions&&, PAL::SessionID, WebCore::PageIdentifier, uint64_t frameID, WebCore::HTTPHeaderMap&&, URL&&, RefPtr<WebCore::SecurityOrigin>&&, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
58 ~NetworkLoadChecker();
59
60 struct RedirectionTriplet {
61 WebCore::ResourceRequest request;
62 WebCore::ResourceRequest redirectRequest;
63 WebCore::ResourceResponse redirectResponse;
64 };
65
66 using RequestOrRedirectionTripletOrError = Variant<WebCore::ResourceRequest, RedirectionTriplet, WebCore::ResourceError>;
67 using ValidationHandler = CompletionHandler<void(RequestOrRedirectionTripletOrError&&)>;
68 void check(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
69
70 using RedirectionRequestOrError = Expected<RedirectionTriplet, WebCore::ResourceError>;
71 using RedirectionValidationHandler = CompletionHandler<void(RedirectionRequestOrError&&)>;
72 void checkRedirection(WebCore::ResourceRequest&& request, WebCore::ResourceRequest&& redirectRequest, WebCore::ResourceResponse&& redirectResponse, WebCore::ContentSecurityPolicyClient*, RedirectionValidationHandler&&);
73
74 WebCore::ResourceError validateResponse(WebCore::ResourceResponse&);
75
76 void setCSPResponseHeaders(WebCore::ContentSecurityPolicyResponseHeaders&& headers) { m_cspResponseHeaders = WTFMove(headers); }
77#if ENABLE(CONTENT_EXTENSIONS)
78 void setContentExtensionController(URL&& mainDocumentURL, Optional<UserContentControllerIdentifier> identifier)
79 {
80 m_mainDocumentURL = WTFMove(mainDocumentURL);
81 m_userContentControllerIdentifier = identifier;
82 }
83#endif
84
85 const URL& url() const { return m_url; }
86 WebCore::StoredCredentialsPolicy storedCredentialsPolicy() const { return m_storedCredentialsPolicy; }
87
88 WebCore::NetworkLoadInformation takeNetworkLoadInformation() { return WTFMove(m_loadInformation); }
89 void storeRedirectionIfNeeded(const WebCore::ResourceRequest&, const WebCore::ResourceResponse&);
90
91 void enableContentExtensionsCheck() { m_checkContentExtensions = true; }
92
93private:
94 WebCore::ContentSecurityPolicy* contentSecurityPolicy();
95 bool isChecking() const { return !!m_corsPreflightChecker; }
96 bool isRedirected() const { return m_redirectCount; }
97
98 void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
99
100 bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*);
101
102 void continueCheckingRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
103 void continueCheckingRequestOrDoSyntheticRedirect(WebCore::ResourceRequest&& originalRequest, WebCore::ResourceRequest&& currentRequest, ValidationHandler&&);
104
105 bool doesNotNeedCORSCheck(const URL&) const;
106 void checkCORSRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
107 void checkCORSRedirectedRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
108 void checkCORSRequestWithPreflight(WebCore::ResourceRequest&&, ValidationHandler&&);
109
110 RequestOrRedirectionTripletOrError accessControlErrorForValidationHandler(String&&);
111
112#if ENABLE(CONTENT_EXTENSIONS)
113 struct ContentExtensionResult {
114 WebCore::ResourceRequest request;
115 const WebCore::ContentRuleListResults& results;
116 };
117 using ContentExtensionResultOrError = Expected<ContentExtensionResult, WebCore::ResourceError>;
118 using ContentExtensionCallback = CompletionHandler<void(ContentExtensionResultOrError)>;
119 void processContentRuleListsForLoad(WebCore::ResourceRequest&&, ContentExtensionCallback&&);
120#endif
121
122 void applyHTTPSUpgradeIfNeeded(WebCore::ResourceRequest&&, CompletionHandler<void(WebCore::ResourceRequest&&)>&&) const;
123
124 WebCore::FetchOptions m_options;
125 WebCore::StoredCredentialsPolicy m_storedCredentialsPolicy;
126 PAL::SessionID m_sessionID;
127 Ref<NetworkProcess> m_networkProcess;
128 WebCore::PageIdentifier m_pageID;
129 uint64_t m_frameID;
130 WebCore::HTTPHeaderMap m_originalRequestHeaders; // Needed for CORS checks.
131 WebCore::HTTPHeaderMap m_firstRequestHeaders; // Needed for CORS checks.
132 URL m_url;
133 RefPtr<WebCore::SecurityOrigin> m_origin;
134 Optional<WebCore::ContentSecurityPolicyResponseHeaders> m_cspResponseHeaders;
135#if ENABLE(CONTENT_EXTENSIONS)
136 URL m_mainDocumentURL;
137 Optional<UserContentControllerIdentifier> m_userContentControllerIdentifier;
138#endif
139
140 std::unique_ptr<NetworkCORSPreflightChecker> m_corsPreflightChecker;
141 bool m_isSameOriginRequest { true };
142 bool m_isSimpleRequest { true };
143 std::unique_ptr<WebCore::ContentSecurityPolicy> m_contentSecurityPolicy;
144 size_t m_redirectCount { 0 };
145 URL m_previousURL;
146 WebCore::PreflightPolicy m_preflightPolicy;
147 String m_referrer;
148 bool m_checkContentExtensions { false };
149 bool m_shouldCaptureExtraNetworkLoadMetrics { false };
150 bool m_isHTTPSUpgradeEnabled { false };
151 WebCore::NetworkLoadInformation m_loadInformation;
152
153 LoadType m_requestLoadType;
154};
155
156}
157