/* * Copyright (C) 2009-2017 Apple Inc. All Rights Reserved. * Copyright (C) 2009, 2011 Google Inc. All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include "WorkerScriptLoader.h" #include "ContentSecurityPolicy.h" #include "Exception.h" #include "FetchIdioms.h" #include "MIMETypeRegistry.h" #include "ResourceResponse.h" #include "ScriptExecutionContext.h" #include "ServiceWorker.h" #include "ServiceWorkerContextData.h" #include "ServiceWorkerGlobalScope.h" #include "TextResourceDecoder.h" #include "WorkerGlobalScope.h" #include "WorkerScriptLoaderClient.h" #include "WorkerThreadableLoader.h" #include namespace WebCore { WorkerScriptLoader::WorkerScriptLoader() : m_script(ScriptBuffer::empty()) { } WorkerScriptLoader::~WorkerScriptLoader() = default; std::optional WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, FetchOptions::Mode mode, FetchOptions::Cache cachePolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, const String& initiatorIdentifier) { ASSERT(scriptExecutionContext); auto& workerGlobalScope = downcast(*scriptExecutionContext); m_url = url; m_destination = FetchOptions::Destination::Script; m_isSecureContext = workerGlobalScope.isSecureContext(); #if ENABLE(SERVICE_WORKER) bool isServiceWorkerGlobalScope = is(workerGlobalScope); if (isServiceWorkerGlobalScope) { if (auto* scriptResource = downcast(workerGlobalScope).scriptResource(url)) { m_script = scriptResource->script; m_responseURL = scriptResource->responseURL; m_responseMIMEType = scriptResource->mimeType; return std::nullopt; } } #endif std::unique_ptr request(createResourceRequest(initiatorIdentifier)); if (!request) return std::nullopt; ASSERT_WITH_SECURITY_IMPLICATION(is(scriptExecutionContext)); // Only used for importScripts that prescribes NoCors mode. ASSERT(mode == FetchOptions::Mode::NoCors); request->setRequester(ResourceRequest::Requester::ImportScripts); ThreadableLoaderOptions options; options.credentials = FetchOptions::Credentials::Include; options.mode = mode; options.cache = cachePolicy; options.sendLoadCallbacks = SendCallbackPolicy::SendCallbacks; options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement; options.destination = m_destination; #if ENABLE(SERVICE_WORKER) options.serviceWorkersMode = isServiceWorkerGlobalScope ? ServiceWorkersMode::None : ServiceWorkersMode::All; if (auto* activeServiceWorker = workerGlobalScope.activeServiceWorker()) options.serviceWorkerRegistrationIdentifier = activeServiceWorker->registrationIdentifier(); #endif WorkerThreadableLoader::loadResourceSynchronously(workerGlobalScope, WTFMove(*request), *this, options); // If the fetching attempt failed, throw a NetworkError exception and abort all these steps. if (failed()) return Exception { NetworkError, m_error.sanitizedDescription() }; #if ENABLE(SERVICE_WORKER) if (isServiceWorkerGlobalScope) { if (!MIMETypeRegistry::isSupportedJavaScriptMIMEType(responseMIMEType())) return Exception { NetworkError, "mime type is not a supported JavaScript mime type"_s }; downcast(workerGlobalScope).setScriptResource(url, ServiceWorkerContextData::ImportedScript { script(), m_responseURL, m_responseMIMEType }); } #endif return std::nullopt; } void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext& scriptExecutionContext, ResourceRequest&& scriptRequest, FetchOptions&& fetchOptions, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, ServiceWorkersMode serviceWorkerMode, WorkerScriptLoaderClient& client, String&& taskMode) { m_client = &client; m_url = scriptRequest.url(); m_destination = fetchOptions.destination; m_isSecureContext = scriptExecutionContext.isSecureContext(); ASSERT(scriptRequest.httpMethod() == "GET"); auto request = makeUnique(WTFMove(scriptRequest)); if (!request) return; ThreadableLoaderOptions options { WTFMove(fetchOptions) }; options.sendLoadCallbacks = SendCallbackPolicy::SendCallbacks; options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement; if (fetchOptions.destination == FetchOptions::Destination::Serviceworker) options.certificateInfoPolicy = CertificateInfoPolicy::IncludeCertificateInfo; // FIXME: We should drop the sameOriginDataURLFlag flag and implement the latest Fetch specification. options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set; // A service worker job can be executed from a worker context or a document context. options.serviceWorkersMode = serviceWorkerMode; #if ENABLE(SERVICE_WORKER) if (auto* activeServiceWorker = scriptExecutionContext.activeServiceWorker()) options.serviceWorkerRegistrationIdentifier = activeServiceWorker->registrationIdentifier(); #endif // During create, callbacks may happen which remove the last reference to this object. Ref protectedThis(*this); m_threadableLoader = ThreadableLoader::create(scriptExecutionContext, *this, WTFMove(*request), options, { }, WTFMove(taskMode)); } const URL& WorkerScriptLoader::responseURL() const { ASSERT(!failed()); return m_responseURL; } std::unique_ptr WorkerScriptLoader::createResourceRequest(const String& initiatorIdentifier) { auto request = makeUnique(m_url); request->setHTTPMethod("GET"_s); request->setInitiatorIdentifier(initiatorIdentifier); return request; } ResourceError WorkerScriptLoader::validateWorkerResponse(const ResourceResponse& response, FetchOptions::Destination destination) { if (response.httpStatusCode() / 100 != 2 && response.httpStatusCode()) return { errorDomainWebKitInternal, 0, response.url(), "Response is not 2xx"_s, ResourceError::Type::General }; if (!isScriptAllowedByNosniff(response)) { auto message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because \"X-Content-Type-Options: nosniff\" was given and its Content-Type is not a script MIME type."); return { errorDomainWebKitInternal, 0, response.url(), WTFMove(message), ResourceError::Type::General }; } if (shouldBlockResponseDueToMIMEType(response, destination)) { auto message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because ", response.mimeType(), " is not a script MIME type."); return { errorDomainWebKitInternal, 0, response.url(), WTFMove(message), ResourceError::Type::General }; } return { }; } void WorkerScriptLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response) { m_error = validateWorkerResponse(response, m_destination); if (!m_error.isNull()) { m_failed = true; return; } m_responseURL = response.url(); m_certificateInfo = response.certificateInfo() ? *response.certificateInfo() : CertificateInfo(); m_responseMIMEType = response.mimeType(); m_responseEncoding = response.textEncodingName(); m_responseSource = response.source(); m_isRedirected = response.isRedirected(); m_contentSecurityPolicy = ContentSecurityPolicyResponseHeaders { response }; m_crossOriginEmbedderPolicy = obtainCrossOriginEmbedderPolicy(response, m_isSecureContext ? IsSecureContext::Yes : IsSecureContext::No); m_referrerPolicy = response.httpHeaderField(HTTPHeaderName::ReferrerPolicy); if (m_client) m_client->didReceiveResponse(identifier, response); } void WorkerScriptLoader::didReceiveData(const uint8_t* data, int len) { if (m_failed) return; if (!m_decoder) { if (!m_responseEncoding.isEmpty()) m_decoder = TextResourceDecoder::create("text/javascript"_s, m_responseEncoding); else m_decoder = TextResourceDecoder::create("text/javascript"_s, "UTF-8"); } if (!len) return; if (len == -1) len = strlen(reinterpret_cast(data)); m_script.append(m_decoder->decode(data, len)); } void WorkerScriptLoader::didFinishLoading(unsigned long identifier) { if (m_failed) { notifyError(); return; } if (m_decoder) m_script.append(m_decoder->flush()); m_identifier = identifier; notifyFinished(); } void WorkerScriptLoader::didFail(const ResourceError& error) { m_error = error; notifyError(); } void WorkerScriptLoader::notifyError() { m_failed = true; if (m_error.isNull()) m_error = { errorDomainWebKitInternal, 0, url(), "Failed to load script", ResourceError::Type::General }; notifyFinished(); } void WorkerScriptLoader::notifyFinished() { m_threadableLoader = nullptr; if (!m_client || m_finishing) return; m_finishing = true; m_client->notifyFinished(); } void WorkerScriptLoader::cancel() { if (!m_threadableLoader) return; m_client = nullptr; m_threadableLoader->cancel(); m_threadableLoader = nullptr; } } // namespace WebCore