jcs.org / serenity
Serenity Operating System
fork atom
serenity / Userland / Libraries / LibWeb / Fetch / Fetching / Fetching.cpp
at master 1899 lines 115 kB view raw
Andreas Kling Everywhere: Rename equals_ignoring_case => equals_ignoring_ascii_case
a504ac3e
1/* 2 * Copyright (c) 2022-2023, Linus Groh <linusg@serenityos.org> 3 * Copyright (c) 2023, Luke Wilde <lukew@serenityos.org> 4 * 5 * SPDX-License-Identifier: BSD-2-Clause 6 */ 7 8#include <AK/Base64.h> 9#include <AK/Debug.h> 10#include <AK/ScopeGuard.h> 11#include <LibJS/Runtime/Completion.h> 12#include <LibWeb/Bindings/MainThreadVM.h> 13#include <LibWeb/Cookie/Cookie.h> 14#include <LibWeb/DOM/Document.h> 15#include <LibWeb/Fetch/BodyInit.h> 16#include <LibWeb/Fetch/Fetching/Checks.h> 17#include <LibWeb/Fetch/Fetching/Fetching.h> 18#include <LibWeb/Fetch/Fetching/PendingResponse.h> 19#include <LibWeb/Fetch/Fetching/RefCountedFlag.h> 20#include <LibWeb/Fetch/Infrastructure/FetchAlgorithms.h> 21#include <LibWeb/Fetch/Infrastructure/FetchController.h> 22#include <LibWeb/Fetch/Infrastructure/FetchParams.h> 23#include <LibWeb/Fetch/Infrastructure/FetchTimingInfo.h> 24#include <LibWeb/Fetch/Infrastructure/HTTP/Methods.h> 25#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h> 26#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h> 27#include <LibWeb/Fetch/Infrastructure/HTTP/Statuses.h> 28#include <LibWeb/Fetch/Infrastructure/MimeTypeBlocking.h> 29#include <LibWeb/Fetch/Infrastructure/NoSniffBlocking.h> 30#include <LibWeb/Fetch/Infrastructure/PortBlocking.h> 31#include <LibWeb/Fetch/Infrastructure/Task.h> 32#include <LibWeb/Fetch/Infrastructure/URL.h> 33#include <LibWeb/HTML/EventLoop/EventLoop.h> 34#include <LibWeb/HTML/Scripting/Environments.h> 35#include <LibWeb/HTML/Window.h> 36#include <LibWeb/HighResolutionTime/TimeOrigin.h> 37#include <LibWeb/Loader/LoadRequest.h> 38#include <LibWeb/Loader/ResourceLoader.h> 39#include <LibWeb/Platform/EventLoopPlugin.h> 40#include <LibWeb/ReferrerPolicy/AbstractOperations.h> 41#include <LibWeb/URL/URL.h> 42#include <LibWeb/WebIDL/DOMException.h> 43 44namespace Web::Fetch::Fetching { 45 46#define TRY_OR_IGNORE(expression) \ 47 ({ \ 48 auto&& _temporary_result = (expression); \ 49 if (_temporary_result.is_error()) \ 50 return; \ 51 static_assert(!::AK::Detail::IsLvalueReference<decltype(_temporary_result.release_value())>, \ 52 "Do not return a reference from a fallible expression"); \ 53 _temporary_result.release_value(); \ 54 }) 55 56// https://fetch.spec.whatwg.org/#concept-fetch 57WebIDL::ExceptionOr<JS::NonnullGCPtr<Infrastructure::FetchController>> fetch(JS::Realm& realm, Infrastructure::Request& request, Infrastructure::FetchAlgorithms const& algorithms, UseParallelQueue use_parallel_queue) 58{ 59 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'fetch' with: request @ {}", &request); 60 61 auto& vm = realm.vm(); 62 63 // 1. Assert: request’s mode is "navigate" or processEarlyHintsResponse is null. 64 VERIFY(request.mode() == Infrastructure::Request::Mode::Navigate || !algorithms.process_early_hints_response().has_value()); 65 66 // 2. Let taskDestination be null. 67 JS::GCPtr<JS::Object> task_destination; 68 69 // 3. Let crossOriginIsolatedCapability be false. 70 auto cross_origin_isolated_capability = HTML::CanUseCrossOriginIsolatedAPIs::No; 71 72 // 4. If request’s client is non-null, then: 73 if (request.client() != nullptr) { 74 // 1. Set taskDestination to request’s client’s global object. 75 task_destination = request.client()->global_object(); 76 77 // 2. Set crossOriginIsolatedCapability to request’s client’s cross-origin isolated capability. 78 cross_origin_isolated_capability = request.client()->cross_origin_isolated_capability(); 79 } 80 81 // FIXME: 5. If useParallelQueue is true, then set taskDestination to the result of starting a new parallel queue. 82 (void)use_parallel_queue; 83 (void)task_destination; 84 85 // 6. Let timingInfo be a new fetch timing info whose start time and post-redirect start time are the coarsened 86 // shared current time given crossOriginIsolatedCapability, and render-blocking is set to request’s 87 // render-blocking. 88 auto timing_info = Infrastructure::FetchTimingInfo::create(vm); 89 auto now = HighResolutionTime::coarsened_shared_current_time(cross_origin_isolated_capability == HTML::CanUseCrossOriginIsolatedAPIs::Yes); 90 timing_info->set_start_time(now); 91 timing_info->set_post_redirect_start_time(now); 92 timing_info->set_render_blocking(request.render_blocking()); 93 94 // 7. Let fetchParams be a new fetch params whose request is request, timing info is timingInfo, process request 95 // body chunk length is processRequestBodyChunkLength, process request end-of-body is processRequestEndOfBody, 96 // process early hints response is processEarlyHintsResponse, process response is processResponse, process 97 // response consume body is processResponseConsumeBody, process response end-of-body is processResponseEndOfBody, 98 // task destination is taskDestination, and cross-origin isolated capability is crossOriginIsolatedCapability. 99 auto fetch_params = Infrastructure::FetchParams::create(vm, request, timing_info); 100 fetch_params->set_algorithms(algorithms); 101 if (task_destination) 102 fetch_params->set_task_destination({ *task_destination }); 103 fetch_params->set_cross_origin_isolated_capability(cross_origin_isolated_capability); 104 105 // 8. If request’s body is a byte sequence, then set request’s body to request’s body as a body. 106 if (auto const* buffer = request.body().get_pointer<ByteBuffer>()) 107 request.set_body(TRY(Infrastructure::byte_sequence_as_body(realm, buffer->bytes()))); 108 109 // 9. If request’s window is "client", then set request’s window to request’s client, if request’s client’s global 110 // object is a Window object; otherwise "no-window". 111 auto const* window = request.window().get_pointer<Infrastructure::Request::Window>(); 112 if (window && *window == Infrastructure::Request::Window::Client) { 113 if (is<HTML::Window>(request.client()->global_object())) { 114 request.set_window(request.client()); 115 } else { 116 request.set_window(Infrastructure::Request::Window::NoWindow); 117 } 118 } 119 120 // 10. If request’s origin is "client", then set request’s origin to request’s client’s origin. 121 auto const* origin = request.origin().get_pointer<Infrastructure::Request::Origin>(); 122 if (origin && *origin == Infrastructure::Request::Origin::Client) 123 request.set_origin(request.client()->origin()); 124 125 // 12. If request’s policy container is "client", then: 126 auto const* policy_container = request.policy_container().get_pointer<Infrastructure::Request::PolicyContainer>(); 127 if (policy_container) { 128 VERIFY(*policy_container == Infrastructure::Request::PolicyContainer::Client); 129 // 1. If request’s client is non-null, then set request’s policy container to a clone of request’s client’s 130 // policy container. 131 if (request.client() != nullptr) 132 request.set_policy_container(request.client()->policy_container()); 133 // 2. Otherwise, set request’s policy container to a new policy container. 134 else 135 request.set_policy_container(HTML::PolicyContainer {}); 136 } 137 138 // 13. If request’s header list does not contain `Accept`, then: 139 if (!request.header_list()->contains("Accept"sv.bytes())) { 140 // 1. Let value be `*/*`. 141 auto value = "*/*"sv; 142 143 // 2. A user agent should set value to the first matching statement, if any, switching on request’s 144 // destination: 145 if (request.destination().has_value()) { 146 switch (*request.destination()) { 147 // -> "document" 148 // -> "frame" 149 // -> "iframe" 150 case Infrastructure::Request::Destination::Document: 151 case Infrastructure::Request::Destination::Frame: 152 case Infrastructure::Request::Destination::IFrame: 153 // `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` 154 value = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"sv; 155 break; 156 // -> "image" 157 case Infrastructure::Request::Destination::Image: 158 // `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` 159 value = "image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"sv; 160 break; 161 // -> "style" 162 case Infrastructure::Request::Destination::Style: 163 // `text/css,*/*;q=0.1` 164 value = "text/css,*/*;q=0.1"sv; 165 break; 166 default: 167 break; 168 } 169 } 170 171 // 3. Append (`Accept`, value) to request’s header list. 172 auto header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Accept"sv, value.bytes())); 173 TRY_OR_THROW_OOM(vm, request.header_list()->append(move(header))); 174 } 175 176 // 14. If request’s header list does not contain `Accept-Language`, then user agents should append 177 // (`Accept-Language, an appropriate header value) to request’s header list. 178 if (!request.header_list()->contains("Accept-Language"sv.bytes())) { 179 auto header = MUST(Infrastructure::Header::from_string_pair("Accept-Language"sv, "*"sv)); 180 TRY_OR_THROW_OOM(vm, request.header_list()->append(move(header))); 181 } 182 183 // 15. If request’s priority is null, then use request’s initiator, destination, and render-blocking appropriately 184 // in setting request’s priority to a user-agent-defined object. 185 // NOTE: The user-agent-defined object could encompass stream weight and dependency for HTTP/2, and equivalent 186 // information used to prioritize dispatch and processing of HTTP/1 fetches. 187 188 // 16. If request is a subresource request, then: 189 if (request.is_subresource_request()) { 190 // FIXME: 1. Let record be a new fetch record whose request is request and controller is fetchParams’s controller. 191 // FIXME: 2. Append record to request’s client’s fetch group list of fetch records. 192 } 193 194 // 17. Run main fetch given fetchParams. 195 (void)TRY(main_fetch(realm, fetch_params)); 196 197 // 18. Return fetchParams’s controller. 198 return fetch_params->controller(); 199} 200 201// https://fetch.spec.whatwg.org/#concept-main-fetch 202WebIDL::ExceptionOr<Optional<JS::NonnullGCPtr<PendingResponse>>> main_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Recursive recursive) 203{ 204 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' with: fetch_params @ {}", &fetch_params); 205 206 auto& vm = realm.vm(); 207 208 // 1. Let request be fetchParams’s request. 209 auto request = fetch_params.request(); 210 211 // 2. Let response be null. 212 JS::GCPtr<Infrastructure::Response> response; 213 214 // 3. If request’s local-URLs-only flag is set and request’s current URL is not local, then set response to a 215 // network error. 216 if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url())) 217 response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"sv); 218 219 // FIXME: 4. Run report Content Security Policy violations for request. 220 // FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate. 221 222 // 6. If should request be blocked due to a bad port, should fetching request be blocked as mixed content, or 223 // should request be blocked by Content Security Policy returns blocked, then set response to a network error. 224 if (Infrastructure::block_bad_port(request) == Infrastructure::RequestOrResponseBlocking::Blocked 225 || false // FIXME: "should fetching request be blocked as mixed content" 226 || false // FIXME: "should request be blocked by Content Security Policy returns blocked" 227 ) { 228 response = Infrastructure::Response::network_error(vm, "Request was blocked"sv); 229 } 230 231 // 7. If request’s referrer policy is the empty string, then set request’s referrer policy to request’s policy 232 // container’s referrer policy. 233 if (!request->referrer_policy().has_value()) { 234 VERIFY(request->policy_container().has<HTML::PolicyContainer>()); 235 request->set_referrer_policy(request->policy_container().get<HTML::PolicyContainer>().referrer_policy); 236 } 237 238 // 8. If request’s referrer is not "no-referrer", then set request’s referrer to the result of invoking determine 239 // request’s referrer. 240 // NOTE: As stated in Referrer Policy, user agents can provide the end user with options to override request’s 241 // referrer to "no-referrer" or have it expose less sensitive information. 242 auto const* referrer = request->referrer().get_pointer<Infrastructure::Request::Referrer>(); 243 if (!referrer || *referrer != Infrastructure::Request::Referrer::NoReferrer) { 244 auto determined_referrer = ReferrerPolicy::determine_requests_referrer(request); 245 if (determined_referrer.has_value()) 246 request->set_referrer(*determined_referrer); 247 else 248 request->set_referrer(Infrastructure::Request::Referrer::NoReferrer); 249 } 250 251 // 9. Set request’s current URL’s scheme to "https" if all of the following conditions are true: 252 if ( 253 // - request’s current URL’s scheme is "http" 254 request->current_url().scheme() == "http"sv 255 // - request’s current URL’s host is a domain 256 && URL::host_is_domain(request->current_url().host()) 257 // FIXME: - Matching request’s current URL’s host per Known HSTS Host Domain Name Matching results in either a 258 // superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an 259 // asserted includeSubDomains directive) [HSTS]; or DNS resolution for the request finds a matching HTTPS RR 260 // per section 9.5 of [SVCB]. 261 && false 262 263 ) { 264 request->current_url().set_scheme("https"sv); 265 } 266 267 JS::SafeFunction<WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>>()> get_response = [&realm, &vm, &fetch_params, request]() -> WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> { 268 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' get_response() function"); 269 270 // -> fetchParams’s preloaded response candidate is not null 271 if (!fetch_params.preloaded_response_candidate().has<Empty>()) { 272 // 1. Wait until fetchParams’s preloaded response candidate is not "pending". 273 HTML::main_thread_event_loop().spin_until([&] { 274 return !fetch_params.preloaded_response_candidate().has<Infrastructure::FetchParams::PreloadedResponseCandidatePendingTag>(); 275 }); 276 277 // 2. Assert: fetchParams’s preloaded response candidate is a response. 278 VERIFY(fetch_params.preloaded_response_candidate().has<JS::NonnullGCPtr<Infrastructure::Response>>()); 279 280 // 3. Return fetchParams’s preloaded response candidate. 281 return PendingResponse::create(vm, request, fetch_params.preloaded_response_candidate().get<JS::NonnullGCPtr<Infrastructure::Response>>()); 282 } 283 // -> request’s current URL’s origin is same origin with request’s origin, and request’s response tainting 284 // is "basic" 285 // -> request’s current URL’s scheme is "data" 286 // -> request’s mode is "navigate" or "websocket" 287 else if ( 288 (request->origin().has<HTML::Origin>() && URL::url_origin(request->current_url()).is_same_origin(request->origin().get<HTML::Origin>()) && request->response_tainting() == Infrastructure::Request::ResponseTainting::Basic) 289 || request->current_url().scheme() == "data"sv 290 || (request->mode() == Infrastructure::Request::Mode::Navigate || request->mode() == Infrastructure::Request::Mode::WebSocket)) { 291 // 1. Set request’s response tainting to "basic". 292 request->set_response_tainting(Infrastructure::Request::ResponseTainting::Basic); 293 294 // 2. Return the result of running scheme fetch given fetchParams. 295 return scheme_fetch(realm, fetch_params); 296 297 // NOTE: HTML assigns any documents and workers created from URLs whose scheme is "data" a unique 298 // opaque origin. Service workers can only be created from URLs whose scheme is an HTTP(S) scheme. 299 } 300 // -> request’s mode is "same-origin" 301 else if (request->mode() == Infrastructure::Request::Mode::SameOrigin) { 302 // Return a network error. 303 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'same-origin' mode must have same URL and request origin"sv)); 304 } 305 // -> request’s mode is "no-cors" 306 else if (request->mode() == Infrastructure::Request::Mode::NoCORS) { 307 // 1. If request’s redirect mode is not "follow", then return a network error. 308 if (request->redirect_mode() != Infrastructure::Request::RedirectMode::Follow) 309 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'no-cors' mode must have redirect mode set to 'follow'"sv)); 310 311 // 2. Set request’s response tainting to "opaque". 312 request->set_response_tainting(Infrastructure::Request::ResponseTainting::Opaque); 313 314 // 3. Return the result of running scheme fetch given fetchParams. 315 return scheme_fetch(realm, fetch_params); 316 } 317 // -> request’s current URL’s scheme is not an HTTP(S) scheme 318 else if (!Infrastructure::is_http_or_https_scheme(request->current_url().scheme())) { 319 // NOTE: At this point all other request modes have been handled. Ensure we're not lying in the error message :^) 320 VERIFY(request->mode() == Infrastructure::Request::Mode::CORS); 321 322 // Return a network error. 323 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' mode must have URL with HTTP or HTTPS scheme"sv)); 324 } 325 // -> request’s use-CORS-preflight flag is set 326 // -> request’s unsafe-request flag is set and either request’s method is not a CORS-safelisted method or 327 // CORS-unsafe request-header names with request’s header list is not empty 328 else if ( 329 request->use_cors_preflight() 330 || (request->unsafe_request() 331 && (!Infrastructure::is_cors_safelisted_method(request->method()) 332 || !TRY_OR_THROW_OOM(vm, Infrastructure::get_cors_unsafe_header_names(request->header_list())).is_empty()))) { 333 // 1. Set request’s response tainting to "cors". 334 request->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS); 335 336 auto returned_pending_response = PendingResponse::create(vm, request); 337 338 // 2. Let corsWithPreflightResponse be the result of running HTTP fetch given fetchParams and true. 339 auto cors_with_preflight_response = TRY(http_fetch(realm, fetch_params, MakeCORSPreflight::Yes)); 340 cors_with_preflight_response->when_loaded([returned_pending_response](JS::NonnullGCPtr<Infrastructure::Response> cors_with_preflight_response) { 341 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' cors_with_preflight_response load callback"); 342 // 3. If corsWithPreflightResponse is a network error, then clear cache entries using request. 343 if (cors_with_preflight_response->is_network_error()) { 344 // FIXME: Clear cache entries 345 } 346 347 // 4. Return corsWithPreflightResponse. 348 returned_pending_response->resolve(cors_with_preflight_response); 349 }); 350 351 return returned_pending_response; 352 } 353 // -> Otherwise 354 else { 355 // 1. Set request’s response tainting to "cors". 356 request->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS); 357 358 // 2. Return the result of running HTTP fetch given fetchParams. 359 return http_fetch(realm, fetch_params); 360 } 361 }; 362 363 if (recursive == Recursive::Yes) { 364 // 11. If response is null, then set response to the result of running the steps corresponding to the first 365 // matching statement: 366 auto pending_response = !response 367 ? TRY(get_response()) 368 : PendingResponse::create(vm, request, *response); 369 370 // 12. If recursive is true, then return response. 371 return pending_response; 372 } 373 374 // 10. If recursive is false, then run the remaining steps in parallel. 375 Platform::EventLoopPlugin::the().deferred_invoke([&realm, &vm, &fetch_params, request, response, get_response = move(get_response)] { 376 // 11. If response is null, then set response to the result of running the steps corresponding to the first 377 // matching statement: 378 auto pending_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm)); 379 if (!response) { 380 auto pending_response_or_error = get_response(); 381 if (pending_response_or_error.is_error()) 382 return; 383 pending_response = pending_response_or_error.release_value(); 384 } 385 pending_response->when_loaded([&realm, &vm, &fetch_params, request, response, response_was_null = !response](JS::NonnullGCPtr<Infrastructure::Response> resolved_response) mutable { 386 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' pending_response load callback"); 387 if (response_was_null) 388 response = resolved_response; 389 // 13. If response is not a network error and response is not a filtered response, then: 390 if (!response->is_network_error() && !is<Infrastructure::FilteredResponse>(*response)) { 391 // 1. If request’s response tainting is "cors", then: 392 if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS) { 393 // FIXME: 1. Let headerNames be the result of extracting header list values given 394 // `Access-Control-Expose-Headers` and response’s header list. 395 // FIXME: 2. If request’s credentials mode is not "include" and headerNames contains `*`, then set 396 // response’s CORS-exposed header-name list to all unique header names in response’s header 397 // list. 398 // FIXME: 3. Otherwise, if headerNames is not null or failure, then set response’s CORS-exposed 399 // header-name list to headerNames. 400 } 401 402 // 2. Set response to the following filtered response with response as its internal response, depending 403 // on request’s response tainting: 404 response = TRY_OR_IGNORE([&]() -> WebIDL::ExceptionOr<JS::NonnullGCPtr<Infrastructure::Response>> { 405 switch (request->response_tainting()) { 406 // -> "basic" 407 case Infrastructure::Request::ResponseTainting::Basic: 408 // basic filtered response 409 return TRY_OR_THROW_OOM(vm, Infrastructure::BasicFilteredResponse::create(vm, *response)); 410 // -> "cors" 411 case Infrastructure::Request::ResponseTainting::CORS: 412 // CORS filtered response 413 return TRY_OR_THROW_OOM(vm, Infrastructure::CORSFilteredResponse::create(vm, *response)); 414 // -> "opaque" 415 case Infrastructure::Request::ResponseTainting::Opaque: 416 // opaque filtered response 417 return Infrastructure::OpaqueFilteredResponse::create(vm, *response); 418 default: 419 VERIFY_NOT_REACHED(); 420 } 421 }()); 422 } 423 424 // 14. Let internalResponse be response, if response is a network error, and response’s internal response 425 // otherwise. 426 auto internal_response = response->is_network_error() 427 ? JS::NonnullGCPtr { *response } 428 : static_cast<Infrastructure::FilteredResponse&>(*response).internal_response(); 429 430 // 15. If internalResponse’s URL list is empty, then set it to a clone of request’s URL list. 431 // NOTE: A response’s URL list can be empty (for example, when the response represents an about URL). 432 if (internal_response->url_list().is_empty()) 433 internal_response->set_url_list(request->url_list()); 434 435 // 16. If request has a redirect-tainted origin, then set internalResponse’s has-cross-origin-redirects to true. 436 if (request->has_redirect_tainted_origin()) 437 internal_response->set_has_cross_origin_redirects(true); 438 439 // 17. If request’s timing allow failed flag is unset, then set internalResponse’s timing allow passed flag. 440 if (!request->timing_allow_failed()) 441 internal_response->set_timing_allow_passed(true); 442 443 // 18. If response is not a network error and any of the following returns blocked 444 if (!response->is_network_error() && ( 445 // FIXME: - should internalResponse to request be blocked as mixed content 446 false 447 // FIXME: - should internalResponse to request be blocked by Content Security Policy 448 || false 449 // - should internalResponse to request be blocked due to its MIME type 450 || TRY_OR_IGNORE(Infrastructure::should_response_to_request_be_blocked_due_to_its_mime_type(internal_response, request)) == Infrastructure::RequestOrResponseBlocking::Blocked 451 // - should internalResponse to request be blocked due to nosniff 452 || TRY_OR_IGNORE(Infrastructure::should_response_to_request_be_blocked_due_to_nosniff(internal_response, request)) == Infrastructure::RequestOrResponseBlocking::Blocked)) { 453 // then set response and internalResponse to a network error. 454 response = internal_response = Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Response was blocked"_string)); 455 } 456 457 // 19. If response’s type is "opaque", internalResponse’s status is 206, internalResponse’s range-requested 458 // flag is set, and request’s header list does not contain `Range`, then set response and 459 // internalResponse to a network error. 460 // NOTE: Traditionally, APIs accept a ranged response even if a range was not requested. This prevents a 461 // partial response from an earlier ranged request being provided to an API that did not make a range 462 // request. 463 if (response->type() == Infrastructure::Response::Type::Opaque 464 && internal_response->status() == 206 465 && internal_response->range_requested() 466 && !request->header_list()->contains("Range"sv.bytes())) { 467 response = internal_response = Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Response has status 206 and 'range-requested' flag set, but request has no 'Range' header"_string)); 468 } 469 470 // 20. If response is not a network error and either request’s method is `HEAD` or `CONNECT`, or 471 // internalResponse’s status is a null body status, set internalResponse’s body to null and disregard 472 // any enqueuing toward it (if any). 473 // NOTE: This standardizes the error handling for servers that violate HTTP. 474 if (!response->is_network_error() && (StringView { request->method() }.is_one_of("HEAD"sv, "CONNECT"sv) || Infrastructure::is_null_body_status(internal_response->status()))) 475 internal_response->set_body({}); 476 477 // 21. If request’s integrity metadata is not the empty string, then: 478 if (!request->integrity_metadata().is_empty()) { 479 // 1. Let processBodyError be this step: run fetch response handover given fetchParams and a network 480 // error. 481 auto process_body_error = [&]() -> WebIDL::ExceptionOr<void> { 482 return fetch_response_handover(realm, fetch_params, Infrastructure::Response::network_error(vm, "Response body could not be processed"sv)); 483 }; 484 485 // 2. If response’s body is null, then run processBodyError and abort these steps. 486 if (!response->body().has_value()) { 487 TRY_OR_IGNORE(process_body_error()); 488 return; 489 } 490 491 // FIXME: 3. Let processBody given bytes be these steps: 492 // 1. If bytes do not match request’s integrity metadata, then run processBodyError and abort these steps. 493 // 2. Set response’s body to bytes as a body. 494 // 3. Run fetch response handover given fetchParams and response. 495 496 // FIXME: 4. Fully read response’s body given processBody and processBodyError. 497 } 498 // 22. Otherwise, run fetch response handover given fetchParams and response. 499 else { 500 TRY_OR_IGNORE(fetch_response_handover(realm, fetch_params, *response)); 501 } 502 }); 503 }); 504 505 return Optional<JS::NonnullGCPtr<PendingResponse>> {}; 506} 507 508// https://fetch.spec.whatwg.org/#fetch-finale 509WebIDL::ExceptionOr<void> fetch_response_handover(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Infrastructure::Response& response) 510{ 511 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'fetch response handover' with: fetch_params @ {}, response @ {}", &fetch_params, &response); 512 513 auto& vm = realm.vm(); 514 515 // 1. Let timingInfo be fetchParams’s timing info. 516 auto timing_info = fetch_params.timing_info(); 517 518 // 2. If response is not a network error and fetchParams’s request’s client is a secure context, then set 519 // timingInfo’s server-timing headers to the result of getting, decoding, and splitting `Server-Timing` from 520 // response’s header list. 521 // The user agent may decide to expose `Server-Timing` headers to non-secure contexts requests as well. 522 auto* client = fetch_params.request()->client(); 523 if (!response.is_network_error() && client != nullptr && HTML::is_secure_context(*client)) { 524 auto server_timing_headers = TRY_OR_THROW_OOM(vm, response.header_list()->get_decode_and_split("Server-Timing"sv.bytes())); 525 if (server_timing_headers.has_value()) 526 timing_info->set_server_timing_headers(server_timing_headers.release_value()); 527 } 528 529 // 3. Let processResponseEndOfBody be the following steps: 530 auto process_response_end_of_body = [&vm, &response, &fetch_params, timing_info] { 531 // 1. Let unsafeEndTime be the unsafe shared current time. 532 auto unsafe_end_time = HighResolutionTime::unsafe_shared_current_time(); 533 534 // 2. If fetchParams’s request’s destination is "document", then set fetchParams’s controller’s full timing 535 // info to fetchParams’s timing info. 536 if (fetch_params.request()->destination() == Infrastructure::Request::Destination::Document) 537 fetch_params.controller()->set_full_timing_info(fetch_params.timing_info()); 538 539 // 3. Set fetchParams’s controller’s report timing steps to the following steps given a global object global: 540 fetch_params.controller()->set_report_timing_steps([&vm, &response, &fetch_params, timing_info, unsafe_end_time](JS::Object const& global) mutable { 541 // 1. If fetchParams’s request’s URL’s scheme is not an HTTP(S) scheme, then return. 542 if (!Infrastructure::is_http_or_https_scheme(fetch_params.request()->url().scheme())) 543 return; 544 545 // 2. Set timingInfo’s end time to the relative high resolution time given unsafeEndTime and global. 546 timing_info->set_end_time(HighResolutionTime::relative_high_resolution_time(unsafe_end_time, global)); 547 548 // 3. Let cacheState be response’s cache state. 549 auto cache_state = response.cache_state(); 550 551 // 4. Let bodyInfo be response’s body info. 552 auto body_info = response.body_info(); 553 554 // 5. If response’s timing allow passed flag is not set, then set timingInfo to the result of creating an 555 // opaque timing info for timingInfo, set bodyInfo to a new response body info, and set cacheState to 556 // the empty string. 557 // NOTE: This covers the case of response being a network error. 558 if (!response.timing_allow_passed()) { 559 timing_info = Infrastructure::create_opaque_timing_info(vm, timing_info); 560 body_info = Infrastructure::Response::BodyInfo {}; 561 cache_state = {}; 562 } 563 564 // 6. Let responseStatus be 0 if fetchParams’s request’s mode is "navigate" and response’s has-cross-origin-redirects is true; otherwise response’s status. 565 auto response_status = fetch_params.request()->mode() == Infrastructure::Request::Mode::Navigate && response.has_cross_origin_redirects() 566 ? 0 567 : response.status(); 568 569 // FIXME: 7. If fetchParams’s request’s initiator type is not null, then mark resource timing given timingInfo, 570 // request’s URL, request’s initiator type, global, cacheState, bodyInfo, and responseStatus. 571 (void)timing_info; 572 (void)global; 573 (void)cache_state; 574 (void)body_info; 575 (void)response_status; 576 }); 577 578 // 4. Let processResponseEndOfBodyTask be the following steps: 579 auto process_response_end_of_body_task = [&fetch_params, &response] { 580 // 1. Set fetchParams’s request’s done flag. 581 fetch_params.request()->set_done(true); 582 583 // 2. If fetchParams’s process response end-of-body is non-null, then run fetchParams’s process response 584 // end-of-body given response. 585 if (fetch_params.algorithms()->process_response_end_of_body().has_value()) 586 (*fetch_params.algorithms()->process_response_end_of_body())(response); 587 588 // 3. If fetchParams’s request’s initiator type is non-null and fetchParams’s request’s client’s global 589 // object is fetchParams’s task destination, then run fetchParams’s controller’s report timing steps 590 // given fetchParams’s request’s client’s global object. 591 auto* client = fetch_params.request()->client(); 592 auto const* task_destination_global_object = fetch_params.task_destination().get_pointer<JS::NonnullGCPtr<JS::Object>>(); 593 if (client != nullptr && task_destination_global_object != nullptr) { 594 if (fetch_params.request()->initiator_type().has_value() && &client->global_object() == task_destination_global_object->ptr()) 595 fetch_params.controller()->report_timing(client->global_object()); 596 } 597 }; 598 599 // FIXME: Handle 'parallel queue' task destination 600 auto task_destination = fetch_params.task_destination().get<JS::NonnullGCPtr<JS::Object>>(); 601 602 // 5. Queue a fetch task to run processResponseEndOfBodyTask with fetchParams’s task destination. 603 Infrastructure::queue_fetch_task(task_destination, move(process_response_end_of_body_task)); 604 }; 605 606 // FIXME: Handle 'parallel queue' task destination 607 auto task_destination = fetch_params.task_destination().get<JS::NonnullGCPtr<JS::Object>>(); 608 609 // 4. If fetchParams’s process response is non-null, then queue a fetch task to run fetchParams’s process response 610 // given response, with fetchParams’s task destination. 611 if (fetch_params.algorithms()->process_response().has_value()) { 612 Infrastructure::queue_fetch_task(task_destination, [&fetch_params, &response]() { 613 (*fetch_params.algorithms()->process_response())(response); 614 }); 615 } 616 617 // 5. If response’s body is null, then run processResponseEndOfBody. 618 if (!response.body().has_value()) { 619 process_response_end_of_body(); 620 } 621 // 6. Otherwise: 622 else { 623 // FIXME: 1. Let transformStream be a new TransformStream. 624 // FIXME: 2. Let identityTransformAlgorithm be an algorithm which, given chunk, enqueues chunk in transformStream. 625 // FIXME: 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm and flushAlgorithm set 626 // to processResponseEndOfBody. 627 // FIXME: 4. Set response’s body’s stream to the result of response’s body’s stream piped through transformStream. 628 } 629 630 // 7. If fetchParams’s process response consume body is non-null, then: 631 if (fetch_params.algorithms()->process_response_consume_body().has_value()) { 632 // 1. Let processBody given nullOrBytes be this step: run fetchParams’s process response consume body given 633 // response and nullOrBytes. 634 auto process_body = [&fetch_params, &response](Variant<ByteBuffer, Empty> const& null_or_bytes) { 635 (*fetch_params.algorithms()->process_response_consume_body())(response, null_or_bytes); 636 }; 637 638 // 2. Let processBodyError be this step: run fetchParams’s process response consume body given response and 639 // failure. 640 auto process_body_error = [&fetch_params, &response](auto&) { 641 (*fetch_params.algorithms()->process_response_consume_body())(response, Infrastructure::FetchAlgorithms::ConsumeBodyFailureTag {}); 642 }; 643 644 // 3. If response’s body is null, then queue a fetch task to run processBody given null, with fetchParams’s 645 // task destination. 646 if (!response.body().has_value()) { 647 Infrastructure::queue_fetch_task(task_destination, [process_body = move(process_body)]() { 648 process_body({}); 649 }); 650 } 651 // 4. Otherwise, fully read response’s body given processBody, processBodyError, and fetchParams’s task 652 // destination. 653 else { 654 TRY(response.body()->fully_read(realm, move(process_body), move(process_body_error), fetch_params.task_destination())); 655 } 656 } 657 658 return {}; 659} 660 661// https://fetch.spec.whatwg.org/#concept-scheme-fetch 662WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> scheme_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params) 663{ 664 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'scheme fetch' with: fetch_params @ {}", &fetch_params); 665 666 auto& vm = realm.vm(); 667 668 // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. 669 if (fetch_params.is_canceled()) 670 return PendingResponse::create(vm, fetch_params.request(), Infrastructure::Response::appropriate_network_error(vm, fetch_params)); 671 672 // 2. Let request be fetchParams’s request. 673 auto request = fetch_params.request(); 674 675 // 3. Switch on request’s current URL’s scheme and run the associated steps: 676 // -> "about" 677 if (request->current_url().scheme() == "about"sv) { 678 // If request’s current URL’s path is the string "blank", then return a new response whose status message is 679 // `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », and body is the empty byte sequence as 680 // a body. 681 // NOTE: URLs such as "about:config" are handled during navigation and result in a network error in the context 682 // of fetching. 683 if (request->current_url().path() == "blank"sv) { 684 auto response = Infrastructure::Response::create(vm); 685 response->set_status_message(MUST(ByteBuffer::copy("OK"sv.bytes()))); 686 auto header = MUST(Infrastructure::Header::from_string_pair("Content-Type"sv, "text/html;charset=utf-8"sv)); 687 TRY_OR_THROW_OOM(vm, response->header_list()->append(move(header))); 688 response->set_body(MUST(Infrastructure::byte_sequence_as_body(realm, ""sv.bytes()))); 689 return PendingResponse::create(vm, request, response); 690 } 691 } 692 // -> "blob" 693 else if (request->current_url().scheme() == "blob"sv) { 694 // FIXME: Support 'blob://' URLs 695 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has 'blob:' URL which is currently unsupported"sv)); 696 } 697 // -> "data" 698 else if (request->current_url().scheme() == "data"sv) { 699 // 1. Let dataURLStruct be the result of running the data: URL processor on request’s current URL. 700 auto const& url = request->current_url(); 701 auto data_or_error = url.data_payload_is_base64() 702 ? decode_base64(url.data_payload()) 703 : TRY_OR_THROW_OOM(vm, ByteBuffer::copy(url.data_payload().bytes())); 704 705 // 2. If dataURLStruct is failure, then return a network error. 706 if (data_or_error.is_error()) 707 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has invalid base64 'data:' URL"sv)); 708 709 // 3. Let mimeType be dataURLStruct’s MIME type, serialized. 710 auto const& mime_type = url.data_mime_type(); 711 712 // 4. Return a new response whose status message is `OK`, header list is « (`Content-Type`, mimeType) », and 713 // body is dataURLStruct’s body as a body. 714 auto response = Infrastructure::Response::create(vm); 715 response->set_status_message(MUST(ByteBuffer::copy("OK"sv.bytes()))); 716 auto header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Content-Type"sv, mime_type)); 717 TRY_OR_THROW_OOM(vm, response->header_list()->append(move(header))); 718 response->set_body(TRY(Infrastructure::byte_sequence_as_body(realm, data_or_error.value().span()))); 719 return PendingResponse::create(vm, request, response); 720 } 721 // -> "file" 722 else if (request->current_url().scheme() == "file"sv) { 723 // For now, unfortunate as it is, file: URLs are left as an exercise for the reader. 724 // When in doubt, return a network error. 725 // FIXME: Support 'file://' URLs 726 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has 'file:' URL which is currently unsupported"sv)); 727 } 728 // -> HTTP(S) scheme 729 else if (Infrastructure::is_http_or_https_scheme(request->current_url().scheme())) { 730 // Return the result of running HTTP fetch given fetchParams. 731 return http_fetch(realm, fetch_params); 732 } 733 734 // 4. Return a network error. 735 auto message = request->current_url().scheme() == "about"sv 736 ? TRY_OR_THROW_OOM(vm, "Request has invalid 'about:' URL, only 'about:blank' can be fetched"_string) 737 : TRY_OR_THROW_OOM(vm, "Request URL has invalid scheme, must be one of 'about', 'blob', 'data', 'file', 'http', or 'https'"_string); 738 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, move(message))); 739} 740 741// https://fetch.spec.whatwg.org/#concept-http-fetch 742WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, MakeCORSPreflight make_cors_preflight) 743{ 744 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' with: fetch_params @ {}, make_cors_preflight = {}", 745 &fetch_params, make_cors_preflight == MakeCORSPreflight::Yes ? "Yes"sv : "No"sv); 746 747 auto& vm = realm.vm(); 748 749 // 1. Let request be fetchParams’s request. 750 auto request = fetch_params.request(); 751 752 // 2. Let response be null. 753 JS::GCPtr<Infrastructure::Response> response; 754 755 // 3. Let actualResponse be null. 756 JS::GCPtr<Infrastructure::Response> actual_response; 757 758 // 4. If request’s service-workers mode is "all", then: 759 if (request->service_workers_mode() == Infrastructure::Request::ServiceWorkersMode::All) { 760 // 1. Let requestForServiceWorker be a clone of request. 761 auto request_for_service_worker = TRY(request->clone(realm)); 762 763 // 2. If requestForServiceWorker’s body is non-null, then: 764 if (!request_for_service_worker->body().has<Empty>()) { 765 // FIXME: 1. Let transformStream be a new TransformStream. 766 // FIXME: 2. Let transformAlgorithm given chunk be these steps: 767 // FIXME: 3. Set up transformStream with transformAlgorithm set to transformAlgorithm. 768 // FIXME: 4. Set requestForServiceWorker’s body’s stream to the result of requestForServiceWorker’s body’s stream 769 // piped through transformStream. 770 } 771 772 // 3. Let serviceWorkerStartTime be the coarsened shared current time given fetchParams’s cross-origin isolated 773 // capability. 774 auto service_worker_start_time = HighResolutionTime::coarsened_shared_current_time(fetch_params.cross_origin_isolated_capability() == HTML::CanUseCrossOriginIsolatedAPIs::Yes); 775 776 // FIXME: 4. Set response to the result of invoking handle fetch for requestForServiceWorker, with fetchParams’s 777 // controller and fetchParams’s cross-origin isolated capability. 778 779 // 5. If response is not null, then: 780 if (response) { 781 // 1. Set fetchParams’s timing info’s final service worker start time to serviceWorkerStartTime. 782 fetch_params.timing_info()->set_final_service_worker_start_time(service_worker_start_time); 783 784 // 2. If request’s body is non-null, then cancel request’s body with undefined. 785 if (!request->body().has<Empty>()) { 786 // FIXME: Implement cancelling streams 787 } 788 789 // 3. Set actualResponse to response, if response is not a filtered response, and to response’s internal 790 // response otherwise. 791 actual_response = !is<Infrastructure::FilteredResponse>(*response) 792 ? JS::NonnullGCPtr { *response } 793 : static_cast<Infrastructure::FilteredResponse const&>(*response).internal_response(); 794 795 // 4. If one of the following is true 796 if ( 797 // - response’s type is "error" 798 response->type() == Infrastructure::Response::Type::Error 799 // - request’s mode is "same-origin" and response’s type is "cors" 800 || (request->mode() == Infrastructure::Request::Mode::SameOrigin && response->type() == Infrastructure::Response::Type::CORS) 801 // - request’s mode is not "no-cors" and response’s type is "opaque" 802 || (request->mode() != Infrastructure::Request::Mode::NoCORS && response->type() == Infrastructure::Response::Type::Opaque) 803 // - request’s redirect mode is not "manual" and response’s type is "opaqueredirect" 804 || (request->redirect_mode() != Infrastructure::Request::RedirectMode::Manual && response->type() == Infrastructure::Response::Type::OpaqueRedirect) 805 // - request’s redirect mode is not "follow" and response’s URL list has more than one item. 806 || (request->redirect_mode() != Infrastructure::Request::RedirectMode::Follow && response->url_list().size() > 1)) { 807 // then return a network error. 808 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Invalid request/response state combination"sv)); 809 } 810 } 811 } 812 813 JS::GCPtr<PendingResponse> pending_actual_response; 814 815 auto returned_pending_response = PendingResponse::create(vm, request); 816 817 // 5. If response is null, then: 818 if (!response) { 819 // 1. If makeCORSPreflight is true and one of these conditions is true: 820 // NOTE: This step checks the CORS-preflight cache and if there is no suitable entry it performs a 821 // CORS-preflight fetch which, if successful, populates the cache. The purpose of the CORS-preflight 822 // fetch is to ensure the fetched resource is familiar with the CORS protocol. The cache is there to 823 // minimize the number of CORS-preflight fetches. 824 JS::GCPtr<PendingResponse> pending_preflight_response; 825 if (make_cors_preflight == MakeCORSPreflight::Yes && ( 826 // - There is no method cache entry match for request’s method using request, and either request’s 827 // method is not a CORS-safelisted method or request’s use-CORS-preflight flag is set. 828 // FIXME: We currently have no cache, so there will always be no method cache entry. 829 (!Infrastructure::is_cors_safelisted_method(request->method()) || request->use_cors_preflight()) 830 // - There is at least one item in the CORS-unsafe request-header names with request’s header list for 831 // which there is no header-name cache entry match using request. 832 // FIXME: We currently have no cache, so there will always be no header-name cache entry. 833 || !TRY_OR_THROW_OOM(vm, Infrastructure::get_cors_unsafe_header_names(request->header_list())).is_empty())) { 834 // 1. Let preflightResponse be the result of running CORS-preflight fetch given request. 835 pending_preflight_response = TRY(cors_preflight_fetch(realm, request)); 836 837 // NOTE: Step 2 is performed in pending_preflight_response's load callback below. 838 } 839 840 auto fetch_main_content = [request = JS::make_handle(request), realm = JS::make_handle(realm), fetch_params = JS::make_handle(fetch_params)]() -> WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> { 841 // 2. If request’s redirect mode is "follow", then set request’s service-workers mode to "none". 842 // NOTE: Redirects coming from the network (as opposed to from a service worker) are not to be exposed to a 843 // service worker. 844 if (request->redirect_mode() == Infrastructure::Request::RedirectMode::Follow) 845 request->set_service_workers_mode(Infrastructure::Request::ServiceWorkersMode::None); 846 847 // 3. Set response and actualResponse to the result of running HTTP-network-or-cache fetch given fetchParams. 848 return http_network_or_cache_fetch(*realm, *fetch_params); 849 }; 850 851 if (pending_preflight_response) { 852 pending_actual_response = PendingResponse::create(vm, request); 853 pending_preflight_response->when_loaded([returned_pending_response, pending_actual_response, fetch_main_content = move(fetch_main_content)](JS::NonnullGCPtr<Infrastructure::Response> preflight_response) { 854 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_preflight_response load callback"); 855 856 // 2. If preflightResponse is a network error, then return preflightResponse. 857 if (preflight_response->is_network_error()) { 858 returned_pending_response->resolve(preflight_response); 859 return; 860 } 861 862 auto pending_main_content_response = TRY_OR_IGNORE(fetch_main_content()); 863 pending_main_content_response->when_loaded([pending_actual_response](JS::NonnullGCPtr<Infrastructure::Response> main_content_response) { 864 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_main_content_response load callback"); 865 pending_actual_response->resolve(main_content_response); 866 }); 867 }); 868 } else { 869 pending_actual_response = TRY(fetch_main_content()); 870 } 871 } else { 872 pending_actual_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm)); 873 } 874 875 pending_actual_response->when_loaded([&realm, &vm, &fetch_params, request, response, actual_response, returned_pending_response, response_was_null = !response](JS::NonnullGCPtr<Infrastructure::Response> resolved_actual_response) mutable { 876 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_actual_response load callback"); 877 if (response_was_null) { 878 response = actual_response = resolved_actual_response; 879 // 4. If request’s response tainting is "cors" and a CORS check for request and response returns failure, 880 // then return a network error. 881 // NOTE: As the CORS check is not to be applied to responses whose status is 304 or 407, or responses from 882 // a service worker for that matter, it is applied here. 883 if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS 884 && !TRY_OR_IGNORE(cors_check(request, *response))) { 885 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Request with 'cors' response tainting failed CORS check"_string))); 886 return; 887 } 888 889 // 5. If the TAO check for request and response returns failure, then set request’s timing allow failed flag. 890 if (!TRY_OR_IGNORE(tao_check(request, *response))) 891 request->set_timing_allow_failed(true); 892 } 893 894 // 6. If either request’s response tainting or response’s type is "opaque", and the cross-origin resource 895 // policy check with request’s origin, request’s client, request’s destination, and actualResponse returns 896 // blocked, then return a network error. 897 // NOTE: The cross-origin resource policy check runs for responses coming from the network and responses coming 898 // from the service worker. This is different from the CORS check, as request’s client and the service 899 // worker can have different embedder policies. 900 if ((request->response_tainting() == Infrastructure::Request::ResponseTainting::Opaque || response->type() == Infrastructure::Response::Type::Opaque) 901 && false // FIXME: "and the cross-origin resource policy check with request’s origin, request’s client, request’s destination, and actualResponse returns blocked" 902 ) { 903 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Response was blocked by cross-origin resource policy check"_string))); 904 return; 905 } 906 907 JS::GCPtr<PendingResponse> inner_pending_response; 908 909 // 7. If actualResponse’s status is a redirect status, then: 910 if (Infrastructure::is_redirect_status(actual_response->status())) { 911 // FIXME: 1. If actualResponse’s status is not 303, request’s body is not null, and the connection uses HTTP/2, 912 // then user agents may, and are even encouraged to, transmit an RST_STREAM frame. 913 // NOTE: 303 is excluded as certain communities ascribe special status to it. 914 915 // 2. Switch on request’s redirect mode: 916 switch (request->redirect_mode()) { 917 // -> "error" 918 case Infrastructure::Request::RedirectMode::Error: 919 // Set response to a network error. 920 response = Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Request with 'error' redirect mode received redirect response"_string)); 921 break; 922 // -> "manual" 923 case Infrastructure::Request::RedirectMode::Manual: 924 // Set response to an opaque-redirect filtered response whose internal response is actualResponse. If 925 // request’s mode is "navigate", then set fetchParams’s controller’s next manual redirect steps to run 926 // HTTP-redirect fetch given fetchParams and response. 927 response = Infrastructure::OpaqueRedirectFilteredResponse::create(vm, *actual_response); 928 if (request->mode() == Infrastructure::Request::Mode::Navigate) { 929 fetch_params.controller()->set_next_manual_redirect_steps([&realm, &fetch_params, response] { 930 (void)http_redirect_fetch(realm, fetch_params, *response); 931 }); 932 } 933 break; 934 // -> "follow" 935 case Infrastructure::Request::RedirectMode::Follow: 936 // Set response to the result of running HTTP-redirect fetch given fetchParams and response. 937 inner_pending_response = TRY_OR_IGNORE(http_redirect_fetch(realm, fetch_params, *response)); 938 break; 939 default: 940 VERIFY_NOT_REACHED(); 941 } 942 } 943 944 if (inner_pending_response) { 945 inner_pending_response->when_loaded([returned_pending_response](JS::NonnullGCPtr<Infrastructure::Response> response) { 946 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' inner_pending_response load callback"); 947 returned_pending_response->resolve(response); 948 }); 949 } else { 950 returned_pending_response->resolve(*response); 951 } 952 }); 953 954 // 8. Return response. 955 // NOTE: Typically actualResponse’s body’s stream is still being enqueued to after returning. 956 return returned_pending_response; 957} 958 959// https://fetch.spec.whatwg.org/#concept-http-redirect-fetch 960WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_redirect_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Infrastructure::Response& response) 961{ 962 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-redirect fetch' with: fetch_params @ {}, response = {}", &fetch_params, &response); 963 964 auto& vm = realm.vm(); 965 966 // 1. Let request be fetchParams’s request. 967 auto request = fetch_params.request(); 968 969 // 2. Let actualResponse be response, if response is not a filtered response, and response’s internal response 970 // otherwise. 971 auto actual_response = !is<Infrastructure::FilteredResponse>(response) 972 ? JS::NonnullGCPtr { response } 973 : static_cast<Infrastructure::FilteredResponse const&>(response).internal_response(); 974 975 // 3. Let locationURL be actualResponse’s location URL given request’s current URL’s fragment. 976 auto const& fragment = request->current_url().fragment(); 977 auto fragment_string = fragment.is_null() ? Optional<String> {} : TRY_OR_THROW_OOM(vm, String::from_deprecated_string(fragment)); 978 auto location_url_or_error = actual_response->location_url(fragment_string); 979 980 // 4. If locationURL is null, then return response. 981 if (!location_url_or_error.is_error() && !location_url_or_error.value().has_value()) 982 return PendingResponse::create(vm, request, response); 983 984 // 5. If locationURL is failure, then return a network error. 985 if (location_url_or_error.is_error()) 986 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request redirect URL is invalid"sv)); 987 988 auto location_url = location_url_or_error.release_value().release_value(); 989 990 // 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network error. 991 if (!Infrastructure::is_http_or_https_scheme(location_url.scheme())) 992 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request redirect URL must have HTTP or HTTPS scheme"sv)); 993 994 // 7. If request’s redirect count is 20, then return a network error. 995 if (request->redirect_count() == 20) 996 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has reached maximum redirect count of 20"sv)); 997 998 // 8. Increase request’s redirect count by 1. 999 request->set_redirect_count(request->redirect_count() + 1); 1000 1001 // 8. If request’s mode is "cors", locationURL includes credentials, and request’s origin is not same origin with 1002 // locationURL’s origin, then return a network error. 1003 if (request->mode() == Infrastructure::Request::Mode::CORS 1004 && location_url.includes_credentials() 1005 && request->origin().has<HTML::Origin>() 1006 && !request->origin().get<HTML::Origin>().is_same_origin(URL::url_origin(location_url))) { 1007 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' mode and different URL and request origin must not include credentials in redirect URL"sv)); 1008 } 1009 1010 // 10. If request’s response tainting is "cors" and locationURL includes credentials, then return a network error. 1011 // NOTE: This catches a cross-origin resource redirecting to a same-origin URL. 1012 if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS && location_url.includes_credentials()) 1013 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' response tainting must not include credentials in redirect URL"sv)); 1014 1015 // 11. If actualResponse’s status is not 303, request’s body is non-null, and request’s body’s source is null, then 1016 // return a network error. 1017 if (actual_response->status() != 303 1018 && !request->body().has<Empty>() 1019 && request->body().get<Infrastructure::Body>().source().has<Empty>()) { 1020 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has body but no body source"sv)); 1021 } 1022 1023 // 12. If one of the following is true 1024 if ( 1025 // - actualResponse’s status is 301 or 302 and request’s method is `POST` 1026 ((actual_response->status() == 301 || actual_response->status() == 302) && request->method() == "POST"sv.bytes()) 1027 // - actualResponse’s status is 303 and request’s method is not `GET` or `HEAD` 1028 || (actual_response->status() == 303 && !(request->method() == "GET"sv.bytes() || request->method() == "HEAD"sv.bytes())) 1029 // then: 1030 ) { 1031 // 1. Set request’s method to `GET` and request’s body to null. 1032 request->set_method(MUST(ByteBuffer::copy("GET"sv.bytes()))); 1033 request->set_body({}); 1034 1035 static constexpr Array request_body_header_names { 1036 "Content-Encoding"sv, 1037 "Content-Language"sv, 1038 "Content-Location"sv, 1039 "Content-Type"sv 1040 }; 1041 // 2. For each headerName of request-body-header name, delete headerName from request’s header list. 1042 for (auto header_name : request_body_header_names.span()) 1043 request->header_list()->delete_(header_name.bytes()); 1044 } 1045 1046 // 13. If request’s current URL’s origin is not same origin with locationURL’s origin, then for each headerName of 1047 // CORS non-wildcard request-header name, delete headerName from request’s header list. 1048 // NOTE: I.e., the moment another origin is seen after the initial request, the `Authorization` header is removed. 1049 if (!URL::url_origin(request->current_url()).is_same_origin(URL::url_origin(location_url))) { 1050 static constexpr Array cors_non_wildcard_request_header_names { 1051 "Authorization"sv 1052 }; 1053 for (auto header_name : cors_non_wildcard_request_header_names) 1054 request->header_list()->delete_(header_name.bytes()); 1055 } 1056 1057 // 14. If request’s body is non-null, then set request’s body to the body of the result of safely extracting 1058 // request’s body’s source. 1059 // NOTE: request’s body’s source’s nullity has already been checked. 1060 if (!request->body().has<Empty>()) { 1061 auto const& source = request->body().get<Infrastructure::Body>().source(); 1062 // NOTE: BodyInitOrReadableBytes is a superset of Body::SourceType 1063 auto converted_source = source.has<ByteBuffer>() 1064 ? BodyInitOrReadableBytes { source.get<ByteBuffer>() } 1065 : BodyInitOrReadableBytes { source.get<JS::Handle<FileAPI::Blob>>() }; 1066 auto [body, _] = TRY(safely_extract_body(realm, converted_source)); 1067 request->set_body(move(body)); 1068 } 1069 1070 // 15. Let timingInfo be fetchParams’s timing info. 1071 auto timing_info = fetch_params.timing_info(); 1072 1073 // 16. Set timingInfo’s redirect end time and post-redirect start time to the coarsened shared current time given 1074 // fetchParams’s cross-origin isolated capability. 1075 auto now = HighResolutionTime::coarsened_shared_current_time(fetch_params.cross_origin_isolated_capability() == HTML::CanUseCrossOriginIsolatedAPIs::Yes); 1076 timing_info->set_redirect_end_time(now); 1077 timing_info->set_post_redirect_start_time(now); 1078 1079 // 17. If timingInfo’s redirect start time is 0, then set timingInfo’s redirect start time to timingInfo’s start 1080 // time. 1081 if (timing_info->redirect_start_time() == 0) 1082 timing_info->set_redirect_start_time(timing_info->start_time()); 1083 1084 // 18. Append locationURL to request’s URL list. 1085 request->url_list().append(location_url); 1086 1087 // FIXME: 19. Invoke set request’s referrer policy on redirect on request and actualResponse. 1088 1089 // 20. Return the result of running main fetch given fetchParams and true. 1090 return TRY(main_fetch(realm, fetch_params, Recursive::Yes)).release_value(); 1091} 1092 1093// https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch 1094WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> http_network_or_cache_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, IsAuthenticationFetch is_authentication_fetch, IsNewConnectionFetch is_new_connection_fetch) 1095{ 1096 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-network-or-cache fetch' with: fetch_params @ {}, is_authentication_fetch = {}, is_new_connection_fetch = {}", 1097 &fetch_params, is_authentication_fetch == IsAuthenticationFetch::Yes ? "Yes"sv : "No"sv, is_new_connection_fetch == IsNewConnectionFetch::Yes ? "Yes"sv : "No"sv); 1098 1099 auto& vm = realm.vm(); 1100 1101 // 1. Let request be fetchParams’s request. 1102 auto request = fetch_params.request(); 1103 1104 // 2. Let httpFetchParams be null. 1105 JS::GCPtr<Infrastructure::FetchParams const> http_fetch_params; 1106 1107 // 3. Let httpRequest be null. 1108 JS::GCPtr<Infrastructure::Request> http_request; 1109 1110 // 4. Let response be null. 1111 JS::GCPtr<Infrastructure::Response> response; 1112 1113 // 5. Let storedResponse be null. 1114 JS::GCPtr<Infrastructure::Response> stored_response; 1115 1116 // 6. Let httpCache be null. 1117 // (Typeless until we actually implement it, needed for checks below) 1118 void* http_cache = nullptr; 1119 1120 // 7. Let the revalidatingFlag be unset. 1121 auto revalidating_flag = RefCountedFlag::create(false); 1122 1123 auto include_credentials = IncludeCredentials::No; 1124 1125 // 8. Run these steps, but abort when fetchParams is canceled: 1126 // NOTE: There's an 'if aborted' check after this anyway, so not doing this is fine and only incurs a small delay. 1127 // For now, support for aborting fetch requests is limited anyway as ResourceLoader doesn't support it. 1128 auto aborted = false; 1129 { 1130 ScopeGuard set_aborted = [&] { 1131 if (fetch_params.is_canceled()) 1132 aborted = true; 1133 }; 1134 1135 // 1. If request’s window is "no-window" and request’s redirect mode is "error", then set httpFetchParams to 1136 // fetchParams and httpRequest to request. 1137 if (request->window().has<Infrastructure::Request::Window>() 1138 && request->window().get<Infrastructure::Request::Window>() == Infrastructure::Request::Window::NoWindow 1139 && request->redirect_mode() == Infrastructure::Request::RedirectMode::Error) { 1140 http_fetch_params = fetch_params; 1141 http_request = request; 1142 } 1143 // 2. Otherwise: 1144 else { 1145 // 1. Set httpRequest to a clone of request. 1146 // NOTE: Implementations are encouraged to avoid teeing request’s body’s stream when request’s body’s 1147 // source is null as only a single body is needed in that case. E.g., when request’s body’s source 1148 // is null, redirects and authentication will end up failing the fetch. 1149 http_request = TRY(request->clone(realm)); 1150 1151 // 2. Set httpFetchParams to a copy of fetchParams. 1152 // 3. Set httpFetchParams’s request to httpRequest. 1153 auto new_http_fetch_params = Infrastructure::FetchParams::create(vm, *http_request, fetch_params.timing_info()); 1154 new_http_fetch_params->set_algorithms(fetch_params.algorithms()); 1155 new_http_fetch_params->set_task_destination(fetch_params.task_destination()); 1156 new_http_fetch_params->set_cross_origin_isolated_capability(fetch_params.cross_origin_isolated_capability()); 1157 new_http_fetch_params->set_preloaded_response_candidate(fetch_params.preloaded_response_candidate()); 1158 http_fetch_params = new_http_fetch_params; 1159 } 1160 1161 // 3. Let includeCredentials be true if one of 1162 if ( 1163 // - request’s credentials mode is "include" 1164 request->credentials_mode() == Infrastructure::Request::CredentialsMode::Include 1165 // - request’s credentials mode is "same-origin" and request’s response tainting is "basic" 1166 || (request->credentials_mode() == Infrastructure::Request::CredentialsMode::SameOrigin 1167 && request->response_tainting() == Infrastructure::Request::ResponseTainting::Basic) 1168 // is true; otherwise false. 1169 ) { 1170 include_credentials = IncludeCredentials::Yes; 1171 } else { 1172 include_credentials = IncludeCredentials::No; 1173 } 1174 1175 // 4. If Cross-Origin-Embedder-Policy allows credentials with request returns false, then set 1176 // includeCredentials to false. 1177 if (!request->cross_origin_embedder_policy_allows_credentials()) 1178 include_credentials = IncludeCredentials::No; 1179 1180 // 5. Let contentLength be httpRequest’s body’s length, if httpRequest’s body is non-null; otherwise null. 1181 auto content_length = http_request->body().has<Infrastructure::Body>() 1182 ? http_request->body().get<Infrastructure::Body>().length() 1183 : Optional<u64> {}; 1184 1185 // 6. Let contentLengthHeaderValue be null. 1186 auto content_length_header_value = Optional<ByteBuffer> {}; 1187 1188 // 7. If httpRequest’s body is null and httpRequest’s method is `POST` or `PUT`, then set 1189 // contentLengthHeaderValue to `0`. 1190 if (http_request->body().has<Empty>() && StringView { http_request->method() }.is_one_of("POST"sv, "PUT"sv)) 1191 content_length_header_value = MUST(ByteBuffer::copy("0"sv.bytes())); 1192 1193 // 8. If contentLength is non-null, then set contentLengthHeaderValue to contentLength, serialized and 1194 // isomorphic encoded. 1195 if (content_length.has_value()) 1196 content_length_header_value = MUST(ByteBuffer::copy(TRY_OR_THROW_OOM(vm, String::number(*content_length)).bytes())); 1197 1198 // 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, contentLengthHeaderValue) to 1199 // httpRequest’s header list. 1200 if (content_length_header_value.has_value()) { 1201 auto header = Infrastructure::Header { 1202 .name = MUST(ByteBuffer::copy("Content-Length"sv.bytes())), 1203 .value = content_length_header_value.release_value(), 1204 }; 1205 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1206 } 1207 1208 // FIXME: 10. If contentLength is non-null and httpRequest’s keepalive is true, then: 1209 if (content_length.has_value() && http_request->keepalive()) { 1210 // FIXME: 1-5., requires 'fetch records' and 'fetch group' concepts. 1211 // NOTE: The above limit ensures that requests that are allowed to outlive the environment settings object 1212 // and contain a body, have a bounded size and are not allowed to stay alive indefinitely. 1213 } 1214 1215 // 11. If httpRequest’s referrer is a URL, then: 1216 if (http_request->referrer().has<AK::URL>()) { 1217 // 1. Let referrerValue be httpRequest’s referrer, serialized and isomorphic encoded. 1218 auto referrer_value = TRY_OR_THROW_OOM(vm, ByteBuffer::copy(http_request->referrer().get<AK::URL>().serialize().bytes())); 1219 1220 // 2. Append (`Referer`, referrerValue) to httpRequest’s header list. 1221 auto header = Infrastructure::Header { 1222 .name = MUST(ByteBuffer::copy("Referer"sv.bytes())), 1223 .value = move(referrer_value), 1224 }; 1225 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1226 } 1227 1228 // 12. Append a request `Origin` header for httpRequest. 1229 TRY_OR_THROW_OOM(vm, http_request->add_origin_header()); 1230 1231 // FIXME: 13. Append the Fetch metadata headers for httpRequest. 1232 1233 // 14. If httpRequest’s header list does not contain `User-Agent`, then user agents should append 1234 // (`User-Agent`, default `User-Agent` value) to httpRequest’s header list. 1235 if (!http_request->header_list()->contains("User-Agent"sv.bytes())) { 1236 auto header = Infrastructure::Header { 1237 .name = MUST(ByteBuffer::copy("User-Agent"sv.bytes())), 1238 .value = TRY_OR_THROW_OOM(vm, Infrastructure::default_user_agent_value()), 1239 }; 1240 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1241 } 1242 1243 // 15. If httpRequest’s cache mode is "default" and httpRequest’s header list contains `If-Modified-Since`, 1244 // `If-None-Match`, `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set httpRequest’s cache mode to 1245 // "no-store". 1246 if (http_request->cache_mode() == Infrastructure::Request::CacheMode::Default 1247 && (http_request->header_list()->contains("If-Modified-Since"sv.bytes()) 1248 || http_request->header_list()->contains("If-None-Match"sv.bytes()) 1249 || http_request->header_list()->contains("If-Unmodified-Since"sv.bytes()) 1250 || http_request->header_list()->contains("If-Match"sv.bytes()) 1251 || http_request->header_list()->contains("If-Range"sv.bytes()))) { 1252 http_request->set_cache_mode(Infrastructure::Request::CacheMode::NoStore); 1253 } 1254 1255 // 16. If httpRequest’s cache mode is "no-cache", httpRequest’s prevent no-cache cache-control header 1256 // modification flag is unset, and httpRequest’s header list does not contain `Cache-Control`, then append 1257 // (`Cache-Control`, `max-age=0`) to httpRequest’s header list. 1258 if (http_request->cache_mode() == Infrastructure::Request::CacheMode::NoCache 1259 && !http_request->prevent_no_cache_cache_control_header_modification() 1260 && !http_request->header_list()->contains("Cache-Control"sv.bytes())) { 1261 auto header = MUST(Infrastructure::Header::from_string_pair("Cache-Control"sv, "max-age=0"sv)); 1262 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1263 } 1264 1265 // 17. If httpRequest’s cache mode is "no-store" or "reload", then: 1266 if (http_request->cache_mode() == Infrastructure::Request::CacheMode::NoStore 1267 || http_request->cache_mode() == Infrastructure::Request::CacheMode::Reload) { 1268 // 1. If httpRequest’s header list does not contain `Pragma`, then append (`Pragma`, `no-cache`) to 1269 // httpRequest’s header list. 1270 if (!http_request->header_list()->contains("Pragma"sv.bytes())) { 1271 auto header = MUST(Infrastructure::Header::from_string_pair("Pragma"sv, "no-cache"sv)); 1272 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1273 } 1274 1275 // 2. If httpRequest’s header list does not contain `Cache-Control`, then append 1276 // (`Cache-Control`, `no-cache`) to httpRequest’s header list. 1277 if (!http_request->header_list()->contains("Cache-Control"sv.bytes())) { 1278 auto header = MUST(Infrastructure::Header::from_string_pair("Cache-Control"sv, "no-cache"sv)); 1279 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1280 } 1281 } 1282 1283 // 18. If httpRequest’s header list contains `Range`, then append (`Accept-Encoding`, `identity`) to 1284 // httpRequest’s header list. 1285 // NOTE: This avoids a failure when handling content codings with a part of an encoded response. 1286 // Additionally, many servers mistakenly ignore `Range` headers if a non-identity encoding is accepted. 1287 if (http_request->header_list()->contains("Range"sv.bytes())) { 1288 auto header = MUST(Infrastructure::Header::from_string_pair("Accept-Encoding"sv, "identity"sv)); 1289 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1290 } 1291 1292 // 19. Modify httpRequest’s header list per HTTP. Do not append a given header if httpRequest’s header list 1293 // contains that header’s name. 1294 // NOTE: It would be great if we could make this more normative somehow. At this point headers such as 1295 // `Accept-Encoding`, `Connection`, `DNT`, and `Host`, are to be appended if necessary. 1296 // `Accept`, `Accept-Charset`, and `Accept-Language` must not be included at this point. 1297 // NOTE: `Accept` and `Accept-Language` are already included (unless fetch() is used, which does not include 1298 // the latter by default), and `Accept-Charset` is a waste of bytes. See HTTP header layer division for 1299 // more details. 1300 1301 // 20. If includeCredentials is true, then: 1302 if (include_credentials == IncludeCredentials::Yes) { 1303 // 1. If the user agent is not configured to block cookies for httpRequest (see section 7 of [COOKIES]), 1304 // then: 1305 if (true) { 1306 // 1. Let cookies be the result of running the "cookie-string" algorithm (see section 5.4 of [COOKIES]) 1307 // with the user agent’s cookie store and httpRequest’s current URL. 1308 auto cookies = ([&] { 1309 // FIXME: Getting to the page client reliably is way too complicated, and going via the document won't work in workers. 1310 auto document = Bindings::host_defined_environment_settings_object(realm).responsible_document(); 1311 if (!document) 1312 return DeprecatedString::empty(); 1313 auto* page = document->page(); 1314 if (!page) 1315 return DeprecatedString::empty(); 1316 return page->client().page_did_request_cookie(http_request->current_url(), Cookie::Source::Http); 1317 })(); 1318 1319 // 2. If cookies is not the empty string, then append (`Cookie`, cookies) to httpRequest’s header list. 1320 if (!cookies.is_empty()) { 1321 auto header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Cookie"sv, cookies)); 1322 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1323 } 1324 } 1325 1326 // 2. If httpRequest’s header list does not contain `Authorization`, then: 1327 if (!http_request->header_list()->contains("Authorization"sv.bytes())) { 1328 // 1. Let authorizationValue be null. 1329 auto authorization_value = Optional<String> {}; 1330 1331 // 2. If there’s an authentication entry for httpRequest and either httpRequest’s use-URL-credentials 1332 // flag is unset or httpRequest’s current URL does not include credentials, then set 1333 // authorizationValue to authentication entry. 1334 if (false // FIXME: "If there’s an authentication entry for httpRequest" 1335 && (!http_request->use_url_credentials() || !http_request->current_url().includes_credentials())) { 1336 // FIXME: "set authorizationValue to authentication entry." 1337 } 1338 // 3. Otherwise, if httpRequest’s current URL does include credentials and isAuthenticationFetch is 1339 // true, set authorizationValue to httpRequest’s current URL, converted to an `Authorization` value. 1340 else if (http_request->current_url().includes_credentials() && is_authentication_fetch == IsAuthenticationFetch::Yes) { 1341 auto const& url = http_request->current_url(); 1342 auto payload = TRY_OR_THROW_OOM(vm, String::formatted("{}:{}", url.username(), url.password())); 1343 authorization_value = TRY_OR_THROW_OOM(vm, encode_base64(payload.bytes())); 1344 } 1345 1346 // 4. If authorizationValue is non-null, then append (`Authorization`, authorizationValue) to 1347 // httpRequest’s header list. 1348 if (authorization_value.has_value()) { 1349 auto header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Authorization"sv, *authorization_value)); 1350 TRY_OR_THROW_OOM(vm, http_request->header_list()->append(move(header))); 1351 } 1352 } 1353 } 1354 1355 // FIXME: 21. If there’s a proxy-authentication entry, use it as appropriate. 1356 // NOTE: This intentionally does not depend on httpRequest’s credentials mode. 1357 1358 // FIXME: 22. Set httpCache to the result of determining the HTTP cache partition, given httpRequest. 1359 1360 // 23. If httpCache is null, then set httpRequest’s cache mode to "no-store". 1361 if (!http_cache) 1362 http_request->set_cache_mode(Infrastructure::Request::CacheMode::NoStore); 1363 1364 // 24. If httpRequest’s cache mode is neither "no-store" nor "reload", then: 1365 if (http_request->cache_mode() != Infrastructure::Request::CacheMode::NoStore 1366 && http_request->cache_mode() != Infrastructure::Request::CacheMode::Reload) { 1367 // 1. Set storedResponse to the result of selecting a response from the httpCache, possibly needing 1368 // validation, as per the "Constructing Responses from Caches" chapter of HTTP Caching [HTTP-CACHING], 1369 // if any. 1370 // NOTE: As mandated by HTTP, this still takes the `Vary` header into account. 1371 stored_response = nullptr; 1372 1373 // 2. If storedResponse is non-null, then: 1374 if (stored_response) { 1375 // FIXME: Caching is not implemented yet. 1376 VERIFY_NOT_REACHED(); 1377 } 1378 } 1379 } 1380 1381 // 9. If aborted, then return the appropriate network error for fetchParams. 1382 if (aborted) 1383 return PendingResponse::create(vm, request, Infrastructure::Response::appropriate_network_error(vm, fetch_params)); 1384 1385 JS::GCPtr<PendingResponse> pending_forward_response; 1386 1387 // 10. If response is null, then: 1388 if (!response) { 1389 // 1. If httpRequest’s cache mode is "only-if-cached", then return a network error. 1390 if (http_request->cache_mode() == Infrastructure::Request::CacheMode::OnlyIfCached) 1391 return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'only-if-cached' cache mode doesn't have a cached response"sv)); 1392 1393 // 2. Let forwardResponse be the result of running HTTP-network fetch given httpFetchParams, includeCredentials, 1394 // and isNewConnectionFetch. 1395 pending_forward_response = TRY(nonstandard_resource_loader_http_network_fetch(realm, *http_fetch_params, include_credentials, is_new_connection_fetch)); 1396 } else { 1397 pending_forward_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm)); 1398 } 1399 1400 auto returned_pending_response = PendingResponse::create(vm, request); 1401 1402 pending_forward_response->when_loaded([&realm, &vm, &fetch_params, request, response, stored_response, http_request, returned_pending_response, is_authentication_fetch, is_new_connection_fetch, revalidating_flag, include_credentials, response_was_null = !response](JS::NonnullGCPtr<Infrastructure::Response> resolved_forward_response) mutable { 1403 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-network-or-cache fetch' pending_forward_response load callback"); 1404 if (response_was_null) { 1405 auto forward_response = resolved_forward_response; 1406 1407 // NOTE: TRACE is omitted as it is a forbidden method in Fetch. 1408 auto method_is_unsafe = StringView { http_request->method() }.is_one_of("GET"sv, "HEAD"sv, "OPTIONS"sv); 1409 1410 // 3. If httpRequest’s method is unsafe and forwardResponse’s status is in the range 200 to 399, inclusive, 1411 // invalidate appropriate stored responses in httpCache, as per the "Invalidation" chapter of HTTP 1412 // Caching, and set storedResponse to null. 1413 if (method_is_unsafe && forward_response->status() >= 200 && forward_response->status() <= 399) { 1414 // FIXME: "invalidate appropriate stored responses in httpCache, as per the "Invalidation" chapter of HTTP Caching" 1415 stored_response = nullptr; 1416 } 1417 1418 // 4. If the revalidatingFlag is set and forwardResponse’s status is 304, then: 1419 if (revalidating_flag->value() && forward_response->status() == 304) { 1420 // FIXME: 1. Update storedResponse’s header list using forwardResponse’s header list, as per the "Freshening 1421 // Stored Responses upon Validation" chapter of HTTP Caching. 1422 // NOTE: This updates the stored response in cache as well. 1423 1424 // 2. Set response to storedResponse. 1425 response = stored_response; 1426 1427 // 3. Set response’s cache state to "validated". 1428 if (response) 1429 response->set_cache_state(Infrastructure::Response::CacheState::Validated); 1430 } 1431 1432 // 5. If response is null, then: 1433 if (!response) { 1434 // 1. Set response to forwardResponse. 1435 response = forward_response; 1436 1437 // FIXME: 2. Store httpRequest and forwardResponse in httpCache, as per the "Storing Responses in Caches" 1438 // chapter of HTTP Caching. 1439 // NOTE: If forwardResponse is a network error, this effectively caches the network error, which is 1440 // sometimes known as "negative caching". 1441 // NOTE: The associated body info is stored in the cache alongside the response. 1442 } 1443 } 1444 1445 // 11. Set response’s URL list to a clone of httpRequest’s URL list. 1446 response->set_url_list(http_request->url_list()); 1447 1448 // 12. If httpRequest’s header list contains `Range`, then set response’s range-requested flag. 1449 if (http_request->header_list()->contains("Range"sv.bytes())) 1450 response->set_range_requested(true); 1451 1452 // 13. Set response’s request-includes-credentials to includeCredentials. 1453 response->set_request_includes_credentials(include_credentials == IncludeCredentials::Yes); 1454 1455 auto inner_pending_response = PendingResponse::create(vm, request, *response); 1456 1457 // 14. If response’s status is 401, httpRequest’s response tainting is not "cors", includeCredentials is true, 1458 // and request’s window is an environment settings object, then: 1459 if (response->status() == 401 1460 && http_request->response_tainting() != Infrastructure::Request::ResponseTainting::CORS 1461 && include_credentials == IncludeCredentials::Yes 1462 && request->window().has<HTML::EnvironmentSettingsObject*>()) { 1463 // 1. Needs testing: multiple `WWW-Authenticate` headers, missing, parsing issues. 1464 // (Red box in the spec, no-op) 1465 1466 // 2. If request’s body is non-null, then: 1467 if (!request->body().has<Empty>()) { 1468 // 1. If request’s body’s source is null, then return a network error. 1469 if (request->body().get<Infrastructure::Body>().source().has<Empty>()) { 1470 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Request has body but no body source"_string))); 1471 return; 1472 } 1473 1474 // 2. Set request’s body to the body of the result of safely extracting request’s body’s source. 1475 auto const& source = request->body().get<Infrastructure::Body>().source(); 1476 // NOTE: BodyInitOrReadableBytes is a superset of Body::SourceType 1477 auto converted_source = source.has<ByteBuffer>() 1478 ? BodyInitOrReadableBytes { source.get<ByteBuffer>() } 1479 : BodyInitOrReadableBytes { source.get<JS::Handle<FileAPI::Blob>>() }; 1480 auto [body, _] = TRY_OR_IGNORE(safely_extract_body(realm, converted_source)); 1481 request->set_body(move(body)); 1482 } 1483 1484 // 3. If request’s use-URL-credentials flag is unset or isAuthenticationFetch is true, then: 1485 if (!request->use_url_credentials() || is_authentication_fetch == IsAuthenticationFetch::Yes) { 1486 // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. 1487 if (fetch_params.is_canceled()) { 1488 returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params)); 1489 return; 1490 } 1491 1492 // FIXME: 2. Let username and password be the result of prompting the end user for a username and password, 1493 // respectively, in request’s window. 1494 dbgln("Fetch: Username/password prompt is not implemented, using empty strings. This request will probably fail."); 1495 auto username = DeprecatedString::empty(); 1496 auto password = DeprecatedString::empty(); 1497 1498 // 3. Set the username given request’s current URL and username. 1499 request->current_url().set_username(move(username)); 1500 1501 // 4. Set the password given request’s current URL and password. 1502 request->current_url().set_password(move(password)); 1503 } 1504 1505 // 4. Set response to the result of running HTTP-network-or-cache fetch given fetchParams and true. 1506 inner_pending_response = TRY_OR_IGNORE(http_network_or_cache_fetch(realm, fetch_params, IsAuthenticationFetch::Yes)); 1507 } 1508 1509 inner_pending_response->when_loaded([&realm, &vm, &fetch_params, request, returned_pending_response, is_authentication_fetch, is_new_connection_fetch](JS::NonnullGCPtr<Infrastructure::Response> response) { 1510 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP network-or-cache fetch' inner_pending_response load callback"); 1511 // 15. If response’s status is 407, then: 1512 if (response->status() == 407) { 1513 // 1. If request’s window is "no-window", then return a network error. 1514 if (request->window().has<Infrastructure::Request::Window>() 1515 && request->window().get<Infrastructure::Request::Window>() == Infrastructure::Request::Window::NoWindow) { 1516 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("Request requires proxy authentication but has 'no-window' set"_string))); 1517 return; 1518 } 1519 1520 // 2. Needs testing: multiple `Proxy-Authenticate` headers, missing, parsing issues. 1521 // (Red box in the spec, no-op) 1522 1523 // 3. If fetchParams is canceled, then return the appropriate network error for fetchParams. 1524 if (fetch_params.is_canceled()) { 1525 returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params)); 1526 return; 1527 } 1528 1529 // FIXME: 4. Prompt the end user as appropriate in request’s window and store the result as a 1530 // proxy-authentication entry. 1531 // NOTE: Remaining details surrounding proxy authentication are defined by HTTP. 1532 1533 // FIXME: 5. Set response to the result of running HTTP-network-or-cache fetch given fetchParams. 1534 // (Doing this without step 4 would potentially lead to an infinite request cycle.) 1535 } 1536 1537 auto inner_pending_response = PendingResponse::create(vm, request, *response); 1538 1539 // 16. If all of the following are true 1540 if ( 1541 // - response’s status is 421 1542 response->status() == 421 1543 // - isNewConnectionFetch is false 1544 && is_new_connection_fetch == IsNewConnectionFetch::No 1545 // - request’s body is null, or request’s body is non-null and request’s body’s source is non-null 1546 && (request->body().has<Empty>() || !request->body().get<Infrastructure::Body>().source().has<Empty>()) 1547 // then: 1548 ) { 1549 // 1. If fetchParams is canceled, then return the appropriate network error for fetchParams. 1550 if (fetch_params.is_canceled()) { 1551 returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params)); 1552 return; 1553 } 1554 // 2. Set response to the result of running HTTP-network-or-cache fetch given fetchParams, 1555 // isAuthenticationFetch, and true. 1556 inner_pending_response = TRY_OR_IGNORE(http_network_or_cache_fetch(realm, fetch_params, is_authentication_fetch, IsNewConnectionFetch::Yes)); 1557 } 1558 1559 inner_pending_response->when_loaded([returned_pending_response, is_authentication_fetch](JS::NonnullGCPtr<Infrastructure::Response> response) { 1560 // 17. If isAuthenticationFetch is true, then create an authentication entry for request and the given 1561 // realm. 1562 if (is_authentication_fetch == IsAuthenticationFetch::Yes) { 1563 // FIXME: "create an authentication entry for request and the given realm" 1564 } 1565 1566 returned_pending_response->resolve(response); 1567 }); 1568 }); 1569 }); 1570 1571 // 18. Return response. 1572 // NOTE: Typically response’s body’s stream is still being enqueued to after returning. 1573 return returned_pending_response; 1574} 1575 1576#if defined(WEB_FETCH_DEBUG) 1577static void log_load_request(auto const& load_request) 1578{ 1579 dbgln("Fetch: Invoking ResourceLoader"); 1580 dbgln("> {} {} HTTP/1.1", load_request.method(), load_request.url()); 1581 for (auto const& [name, value] : load_request.headers()) 1582 dbgln("> {}: {}", name, value); 1583 dbgln(">"); 1584 for (auto line : StringView { load_request.body() }.split_view('\n', SplitBehavior::KeepEmpty)) 1585 dbgln("> {}", line); 1586} 1587 1588static void log_response(auto const& status_code, auto const& headers, auto const& data) 1589{ 1590 dbgln("< HTTP/1.1 {}", status_code.value_or(0)); 1591 for (auto const& [name, value] : headers) 1592 dbgln("< {}: {}", name, value); 1593 dbgln("<"); 1594 for (auto line : StringView { data }.split_view('\n', SplitBehavior::KeepEmpty)) 1595 dbgln("< {}", line); 1596} 1597#endif 1598 1599// https://fetch.spec.whatwg.org/#concept-http-network-fetch 1600// Drop-in replacement for 'HTTP-network fetch', but obviously non-standard :^) 1601WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> nonstandard_resource_loader_http_network_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, IncludeCredentials include_credentials, IsNewConnectionFetch is_new_connection_fetch) 1602{ 1603 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'non-standard HTTP-network fetch' with: fetch_params @ {}", &fetch_params); 1604 1605 auto& vm = realm.vm(); 1606 1607 (void)include_credentials; 1608 (void)is_new_connection_fetch; 1609 1610 auto request = fetch_params.request(); 1611 1612 Page* page = nullptr; 1613 auto& global_object = realm.global_object(); 1614 if (is<HTML::Window>(global_object)) 1615 page = static_cast<HTML::Window&>(global_object).page(); 1616 1617 // NOTE: Using LoadRequest::create_for_url_on_page here will unconditionally add cookies as long as there's a page available. 1618 // However, it is up to http_network_or_cache_fetch to determine if cookies should be added to the request. 1619 LoadRequest load_request; 1620 load_request.set_url(request->current_url()); 1621 if (page) 1622 load_request.set_page(*page); 1623 load_request.set_method(DeprecatedString::copy(request->method())); 1624 for (auto const& header : *request->header_list()) 1625 load_request.set_header(DeprecatedString::copy(header.name), DeprecatedString::copy(header.value)); 1626 if (auto const* body = request->body().get_pointer<Infrastructure::Body>()) { 1627 TRY(body->source().visit( 1628 [&](ByteBuffer const& byte_buffer) -> WebIDL::ExceptionOr<void> { 1629 load_request.set_body(TRY_OR_THROW_OOM(vm, ByteBuffer::copy(byte_buffer))); 1630 return {}; 1631 }, 1632 [&](JS::Handle<FileAPI::Blob> const& blob_handle) -> WebIDL::ExceptionOr<void> { 1633 load_request.set_body(TRY_OR_THROW_OOM(vm, ByteBuffer::copy(blob_handle->bytes()))); 1634 return {}; 1635 }, 1636 [](Empty) -> WebIDL::ExceptionOr<void> { 1637 return {}; 1638 })); 1639 } 1640 1641 auto pending_response = PendingResponse::create(vm, request); 1642 1643 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Invoking ResourceLoader"); 1644 if constexpr (WEB_FETCH_DEBUG) 1645 log_load_request(load_request); 1646 1647 ResourceLoader::the().load( 1648 load_request, 1649 [&realm, &vm, request, pending_response](auto data, auto& response_headers, auto status_code) { 1650 dbgln_if(WEB_FETCH_DEBUG, "Fetch: ResourceLoader load for '{}' complete", request->url()); 1651 if constexpr (WEB_FETCH_DEBUG) 1652 log_response(status_code, response_headers, data); 1653 auto [body, _] = TRY_OR_IGNORE(extract_body(realm, data)); 1654 auto response = Infrastructure::Response::create(vm); 1655 response->set_status(status_code.value_or(200)); 1656 response->set_body(move(body)); 1657 for (auto const& [name, value] : response_headers) { 1658 auto header = TRY_OR_IGNORE(Infrastructure::Header::from_string_pair(name, value)); 1659 TRY_OR_IGNORE(response->header_list()->append(header)); 1660 } 1661 // FIXME: Set response status message 1662 pending_response->resolve(response); 1663 }, 1664 [&vm, request, pending_response](auto& error, auto status_code) { 1665 dbgln_if(WEB_FETCH_DEBUG, "Fetch: ResourceLoader load for '{}' failed: {} (status {})", request->url(), error, status_code.value_or(0)); 1666 auto response = Infrastructure::Response::create(vm); 1667 // FIXME: This is ugly, ResourceLoader should tell us. 1668 if (status_code.value_or(0) == 0) { 1669 response = Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("HTTP request failed"_string)); 1670 } else { 1671 response->set_status(status_code.value_or(200)); 1672 // FIXME: Set response status message and body 1673 } 1674 pending_response->resolve(response); 1675 }); 1676 1677 return pending_response; 1678} 1679 1680// https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 1681WebIDL::ExceptionOr<JS::NonnullGCPtr<PendingResponse>> cors_preflight_fetch(JS::Realm& realm, Infrastructure::Request& request) 1682{ 1683 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'CORS-preflight fetch' with request @ {}", &request); 1684 1685 auto& vm = realm.vm(); 1686 1687 // 1. Let preflight be a new request whose method is `OPTIONS`, URL list is a clone of request’s URL list, initiator is 1688 // request’s initiator, destination is request’s destination, origin is request’s origin, referrer is request’s referrer, 1689 // referrer policy is request’s referrer policy, mode is "cors", and response tainting is "cors". 1690 auto preflight = Fetch::Infrastructure::Request::create(vm); 1691 preflight->set_method(TRY_OR_THROW_OOM(vm, ByteBuffer::copy("OPTIONS"sv.bytes()))); 1692 preflight->set_url_list(request.url_list()); 1693 preflight->set_initiator(request.initiator()); 1694 preflight->set_destination(request.destination()); 1695 preflight->set_origin(request.origin()); 1696 preflight->set_referrer(request.referrer()); 1697 preflight->set_referrer_policy(request.referrer_policy()); 1698 preflight->set_mode(Infrastructure::Request::Mode::CORS); 1699 preflight->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS); 1700 1701 // 2. Append (`Accept`, `*/*`) to preflight’s header list. 1702 auto temp_header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Accept"sv, "*/*"sv)); 1703 TRY_OR_THROW_OOM(vm, preflight->header_list()->append(move(temp_header))); 1704 1705 // 3. Append (`Access-Control-Request-Method`, request’s method) to preflight’s header list. 1706 temp_header = TRY_OR_THROW_OOM(vm, Infrastructure::Header::from_string_pair("Access-Control-Request-Method"sv, request.method())); 1707 TRY_OR_THROW_OOM(vm, preflight->header_list()->append(move(temp_header))); 1708 1709 // 4. Let headers be the CORS-unsafe request-header names with request’s header list. 1710 auto headers = TRY_OR_THROW_OOM(vm, Infrastructure::get_cors_unsafe_header_names(request.header_list())); 1711 1712 // 5. If headers is not empty, then: 1713 if (!headers.is_empty()) { 1714 // 1. Let value be the items in headers separated from each other by `,`. 1715 // NOTE: This intentionally does not use combine, as 0x20 following 0x2C is not the way this was implemented, 1716 // for better or worse. 1717 ByteBuffer value; 1718 1719 bool first = true; 1720 for (auto const& header : headers) { 1721 if (!first) 1722 TRY_OR_THROW_OOM(vm, value.try_append(',')); 1723 TRY_OR_THROW_OOM(vm, value.try_append(header)); 1724 first = false; 1725 } 1726 1727 // 2. Append (`Access-Control-Request-Headers`, value) to preflight’s header list. 1728 temp_header = Infrastructure::Header { 1729 .name = TRY_OR_THROW_OOM(vm, ByteBuffer::copy("Access-Control-Request-Headers"sv.bytes())), 1730 .value = move(value), 1731 }; 1732 TRY_OR_THROW_OOM(vm, preflight->header_list()->append(move(temp_header))); 1733 } 1734 1735 // 6. Let response be the result of running HTTP-network-or-cache fetch given a new fetch params whose request is preflight. 1736 // FIXME: The spec doesn't say anything about timing_info here, but FetchParams requires a non-null FetchTimingInfo object. 1737 auto timing_info = Infrastructure::FetchTimingInfo::create(vm); 1738 auto fetch_params = Infrastructure::FetchParams::create(vm, preflight, timing_info); 1739 1740 auto returned_pending_response = PendingResponse::create(vm, request); 1741 1742 auto preflight_response = TRY(http_network_or_cache_fetch(realm, fetch_params)); 1743 1744 preflight_response->when_loaded([&vm, &request, returned_pending_response](JS::NonnullGCPtr<Infrastructure::Response> response) { 1745 dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'CORS-preflight fetch' preflight_response load callback"); 1746 1747 // 7. If a CORS check for request and response returns success and response’s status is an ok status, then: 1748 // NOTE: The CORS check is done on request rather than preflight to ensure the correct credentials mode is used. 1749 if (TRY_OR_IGNORE(cors_check(request, response)) && Infrastructure::is_ok_status(response->status())) { 1750 // 1. Let methods be the result of extracting header list values given `Access-Control-Allow-Methods` and response’s header list. 1751 auto methods_or_failure = TRY_OR_IGNORE(Infrastructure::extract_header_list_values("Access-Control-Allow-Methods"sv.bytes(), response->header_list())); 1752 1753 // 2. Let headerNames be the result of extracting header list values given `Access-Control-Allow-Headers` and 1754 // response’s header list. 1755 auto header_names_or_failure = TRY_OR_IGNORE(Infrastructure::extract_header_list_values("Access-Control-Allow-Headers"sv.bytes(), response->header_list())); 1756 1757 // 3. If either methods or headerNames is failure, return a network error. 1758 if (methods_or_failure.has<Infrastructure::ExtractHeaderParseFailure>()) { 1759 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("The Access-Control-Allow-Methods in the CORS-preflight response is syntactically invalid"_string))); 1760 return; 1761 } 1762 1763 if (header_names_or_failure.has<Infrastructure::ExtractHeaderParseFailure>()) { 1764 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("The Access-Control-Allow-Headers in the CORS-preflight response is syntactically invalid"_string))); 1765 return; 1766 } 1767 1768 // NOTE: We treat "methods_or_failure" being `Empty` as empty Vector here. 1769 auto methods = methods_or_failure.has<Vector<ByteBuffer>>() ? methods_or_failure.get<Vector<ByteBuffer>>() : Vector<ByteBuffer> {}; 1770 1771 // NOTE: We treat "header_names_or_failure" being `Empty` as empty Vector here. 1772 auto header_names = header_names_or_failure.has<Vector<ByteBuffer>>() ? header_names_or_failure.get<Vector<ByteBuffer>>() : Vector<ByteBuffer> {}; 1773 1774 // FIXME: Remove this once extract_header_list_values validates the header and returns multiple values. 1775 if (!methods.is_empty()) { 1776 VERIFY(methods.size() == 1); 1777 1778 auto split_methods = StringView { methods.first() }.split_view(','); 1779 Vector<ByteBuffer> trimmed_methods; 1780 1781 for (auto const& method : split_methods) { 1782 auto trimmed_method = method.trim(" \t"sv); 1783 auto trimmed_method_as_byte_buffer = TRY_OR_IGNORE(ByteBuffer::copy(trimmed_method.bytes())); 1784 TRY_OR_IGNORE(trimmed_methods.try_append(move(trimmed_method_as_byte_buffer))); 1785 } 1786 1787 methods = move(trimmed_methods); 1788 } 1789 1790 // FIXME: Remove this once extract_header_list_values validates the header and returns multiple values. 1791 if (!header_names.is_empty()) { 1792 VERIFY(header_names.size() == 1); 1793 1794 auto split_header_names = StringView { header_names.first() }.split_view(','); 1795 Vector<ByteBuffer> trimmed_header_names; 1796 1797 for (auto const& header_name : split_header_names) { 1798 auto trimmed_header_name = header_name.trim(" \t"sv); 1799 auto trimmed_header_name_as_byte_buffer = TRY_OR_IGNORE(ByteBuffer::copy(trimmed_header_name.bytes())); 1800 TRY_OR_IGNORE(trimmed_header_names.try_append(move(trimmed_header_name_as_byte_buffer))); 1801 } 1802 1803 header_names = move(trimmed_header_names); 1804 } 1805 1806 // 4. If methods is null and request’s use-CORS-preflight flag is set, then set methods to a new list containing request’s method. 1807 // NOTE: This ensures that a CORS-preflight fetch that happened due to request’s use-CORS-preflight flag being set is cached. 1808 if (methods.is_empty() && request.use_cors_preflight()) 1809 methods = Vector { TRY_OR_IGNORE(ByteBuffer::copy(request.method())) }; 1810 1811 // 5. If request’s method is not in methods, request’s method is not a CORS-safelisted method, and request’s credentials mode 1812 // is "include" or methods does not contain `*`, then return a network error. 1813 if (!methods.contains_slow(request.method()) && !Infrastructure::is_cors_safelisted_method(request.method())) { 1814 if (request.credentials_mode() == Infrastructure::Request::CredentialsMode::Include) { 1815 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Non-CORS-safelisted method '{}' not found in the CORS-preflight response's Access-Control-Allow-Methods header (the header may be missing). '*' is not allowed as the main request includes credentials."sv, StringView { request.method() })))); 1816 return; 1817 } 1818 1819 if (!methods.contains_slow("*"sv.bytes())) { 1820 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Non-CORS-safelisted method '{}' not found in the CORS-preflight response's Access-Control-Allow-Methods header and there was no '*' entry. The header may be missing."sv, StringView { request.method() })))); 1821 return; 1822 } 1823 } 1824 1825 // 6. If one of request’s header list’s names is a CORS non-wildcard request-header name and is not a byte-case-insensitive match 1826 // for an item in headerNames, then return a network error. 1827 for (auto const& header : *request.header_list()) { 1828 if (Infrastructure::is_cors_non_wildcard_request_header_name(header.name)) { 1829 bool is_in_header_names = false; 1830 1831 for (auto const& allowed_header_name : header_names) { 1832 if (StringView { allowed_header_name }.equals_ignoring_ascii_case(header.name)) { 1833 is_in_header_names = true; 1834 break; 1835 } 1836 } 1837 1838 if (!is_in_header_names) { 1839 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Main request contains the header '{}' that is not specified in the CORS-preflight response's Access-Control-Allow-Headers header (the header may be missing). '*' does not capture this header."sv, StringView { header.name })))); 1840 return; 1841 } 1842 } 1843 } 1844 1845 // 7. For each unsafeName of the CORS-unsafe request-header names with request’s header list, if unsafeName is not a 1846 // byte-case-insensitive match for an item in headerNames and request’s credentials mode is "include" or headerNames 1847 // does not contain `*`, return a network error. 1848 auto unsafe_names = TRY_OR_IGNORE(Infrastructure::get_cors_unsafe_header_names(request.header_list())); 1849 for (auto const& unsafe_name : unsafe_names) { 1850 bool is_in_header_names = false; 1851 1852 for (auto const& header_name : header_names) { 1853 if (StringView { unsafe_name }.equals_ignoring_ascii_case(header_name)) { 1854 is_in_header_names = true; 1855 break; 1856 } 1857 } 1858 1859 if (!is_in_header_names) { 1860 if (request.credentials_mode() == Infrastructure::Request::CredentialsMode::Include) { 1861 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("CORS-unsafe request-header '{}' not found in the CORS-preflight response's Access-Control-Allow-Headers header (the header may be missing). '*' is not allowed as the main request includes credentials."sv, StringView { unsafe_name })))); 1862 return; 1863 } 1864 1865 if (!header_names.contains_slow("*"sv.bytes())) { 1866 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("CORS-unsafe request-header '{}' not found in the CORS-preflight response's Access-Control-Allow-Headers header and there was no '*' entry. The header may be missing."sv, StringView { unsafe_name })))); 1867 return; 1868 } 1869 } 1870 } 1871 1872 // FIXME: 8. Let max-age be the result of extracting header list values given `Access-Control-Max-Age` and response’s header list. 1873 // FIXME: 9. If max-age is failure or null, then set max-age to 5. 1874 // FIXME: 10. If max-age is greater than an imposed limit on max-age, then set max-age to the imposed limit. 1875 1876 // 11. If the user agent does not provide for a cache, then return response. 1877 // NOTE: Since we don't currently have a cache, this is always true. 1878 returned_pending_response->resolve(response); 1879 return; 1880 1881 // FIXME: 12. For each method in methods for which there is a method cache entry match using request, set matching entry’s max-age 1882 // to max-age. 1883 // FIXME: 13. For each method in methods for which there is no method cache entry match using request, create a new cache entry 1884 // with request, max-age, method, and null. 1885 // FIXME: 14. For each headerName in headerNames for which there is a header-name cache entry match using request, set matching 1886 // entry’s max-age to max-age. 1887 // FIXME: 15. For each headerName in headerNames for which there is no header-name cache entry match using request, create a 1888 // new cache entry with request, max-age, null, and headerName. 1889 // FIXME: 16. Return response. 1890 } 1891 1892 // 8. Otherwise, return a network error. 1893 returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE("CORS-preflight check failed"_string))); 1894 }); 1895 1896 return returned_pending_response; 1897} 1898 1899}