Stowage/ladybird
2
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2026-04-18 09:50:27 +00:00
Code Issues Projects Releases Packages Wiki Activity
ladybird/Libraries/LibWeb/Fetch/Fetching/Fetching.cpp
Andreas Kling 83e0122d11 LibWeb: Skip 401 retry for non-credential-based auth schemes 
When receiving a 401 response, we previously entered the credential
prompt path for any request with a WWW-Authenticate header. This caused
spurious "Username/password prompt is not implemented" warnings and
unnecessary request retries for auth schemes like PrivateToken
(RFC 9577) that don't involve user credential prompts.

Only enter the 401 handling path when the WWW-Authenticate header
contains a scheme we can handle with a username/password prompt
(Basic or Digest). This is consistent with how Chromium, Firefox,
and WebKit all silently skip unrecognized auth schemes.
2026-04-15 22:43:24 +02:00

2537 lines
144 KiB
C++
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2022-2023, Linus Groh <linusg@serenityos.org>
* Copyright (c) 2023, Luke Wilde <lukew@serenityos.org>
* Copyright (c) 2023, Sam Atkins <atkinssj@serenityos.org>
* Copyright (c) 2024, Jamie Mansfield <jmansfield@cadixdev.org>
* Copyright (c) 2025, Shannon Booth <shannon@serenityos.org>
* Copyright (c) 2025, Kenneth Myhra <kennethmyhra@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <AK/Base64.h>
#include <AK/Debug.h>
#include <AK/ScopeGuard.h>
#include <LibHTTP/Cache/MemoryCache.h>
#include <LibHTTP/Cache/Utilities.h>
#include <LibHTTP/Method.h>
#include <LibJS/Runtime/Completion.h>
#include <LibRequests/Request.h>
#include <LibRequests/RequestTimingInfo.h>
#include <LibTextCodec/Encoder.h>
#include <LibWeb/Bindings/MainThreadVM.h>
#include <LibWeb/Bindings/PrincipalHostDefined.h>
#include <LibWeb/ContentSecurityPolicy/BlockingAlgorithms.h>
#include <LibWeb/DOM/Document.h>
#include <LibWeb/DOMURL/DOMURL.h>
#include <LibWeb/Fetch/BodyInit.h>
#include <LibWeb/Fetch/Fetching/Checks.h>
#include <LibWeb/Fetch/Fetching/FetchedDataReceiver.h>
#include <LibWeb/Fetch/Fetching/Fetching.h>
#include <LibWeb/Fetch/Fetching/PendingResponse.h>
#include <LibWeb/Fetch/Fetching/RefCountedFlag.h>
#include <LibWeb/Fetch/Infrastructure/FetchAlgorithms.h>
#include <LibWeb/Fetch/Infrastructure/FetchController.h>
#include <LibWeb/Fetch/Infrastructure/FetchParams.h>
#include <LibWeb/Fetch/Infrastructure/FetchRecord.h>
#include <LibWeb/Fetch/Infrastructure/FetchTimingInfo.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/CORS.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/MIME.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
#include <LibWeb/Fetch/Infrastructure/HTTP/Statuses.h>
#include <LibWeb/Fetch/Infrastructure/MimeTypeBlocking.h>
#include <LibWeb/Fetch/Infrastructure/NetworkPartitionKey.h>
#include <LibWeb/Fetch/Infrastructure/NoSniffBlocking.h>
#include <LibWeb/Fetch/Infrastructure/PortBlocking.h>
#include <LibWeb/Fetch/Infrastructure/Task.h>
#include <LibWeb/Fetch/Infrastructure/URL.h>
#include <LibWeb/FileAPI/Blob.h>
#include <LibWeb/FileAPI/BlobURLStore.h>
#include <LibWeb/HTML/EventLoop/EventLoop.h>
#include <LibWeb/HTML/Navigable.h>
#include <LibWeb/HTML/Scripting/Environments.h>
#include <LibWeb/HTML/Scripting/TemporaryExecutionContext.h>
#include <LibWeb/HTML/Window.h>
#include <LibWeb/HTML/WorkerGlobalScope.h>
#include <LibWeb/HighResolutionTime/TimeOrigin.h>
#include <LibWeb/Loader/LoadRequest.h>
#include <LibWeb/Loader/ResourceLoader.h>
#include <LibWeb/MixedContent/AbstractOperations.h>
#include <LibWeb/Platform/EventLoopPlugin.h>
#include <LibWeb/ReferrerPolicy/AbstractOperations.h>
#include <LibWeb/ResourceTiming/PerformanceResourceTiming.h>
#include <LibWeb/SRI/SRI.h>
#include <LibWeb/SecureContexts/AbstractOperations.h>
#include <LibWeb/Streams/TransformStream.h>
#include <LibWeb/Streams/TransformStreamDefaultController.h>
#include <LibWeb/Streams/TransformStreamOperations.h>
#include <LibWeb/Streams/Transformer.h>
#include <LibWeb/WebIDL/DOMException.h>
namespace Web::Fetch::Fetching {
static bool g_http_memory_cache_enabled = false;
#define TRY_OR_IGNORE(expression) \
({ \
auto&& _temporary_result = (expression); \
if (_temporary_result.is_error()) \
return; \
static_assert(!::AK::Detail::IsLvalueReference<decltype(_temporary_result.release_value())>, \
"Do not return a reference from a fallible expression"); \
_temporary_result.release_value(); \
})
class HTTPCache {
public:
HTTP::MemoryCache& get(Infrastructure::NetworkPartitionKey const& key)
{
return *m_cache.ensure(key, [] {
return HTTP::MemoryCache::create();
});
}
static HTTPCache& the()
{
static HTTPCache s_cache;
return s_cache;
}
void clear_cache()
{
m_cache.clear();
}
private:
HashMap<Infrastructure::NetworkPartitionKey, NonnullRefPtr<HTTP::MemoryCache>> m_cache;
};
// https://fetch.spec.whatwg.org/#determine-the-http-cache-partition
static RefPtr<HTTP::MemoryCache> determine_the_http_cache_partition(Infrastructure::Request const& request)
{
// 1. Let key be the result of determining the network partition key given request.
auto key = Infrastructure::determine_the_network_partition_key(request);
// 2. If key is null, then return null.
if (!key.has_value())
return nullptr;
// 3. Return the unique HTTP cache associated with key. [HTTP-CACHING]
return HTTPCache::the().get(key.value());
}
static GC::Ptr<Infrastructure::Response> select_response_from_cache(JS::Realm& realm, HTTP::MemoryCache& http_cache, Infrastructure::Request const& request)
{
if (!g_http_memory_cache_enabled)
return {};
auto cache_entry = http_cache.open_entry(request.current_url(), request.method(), request.header_list(), request.cache_mode());
if (!cache_entry.has_value())
return {};
auto response = Infrastructure::Response::create(realm.vm());
response->url_list().append(request.current_url());
response->set_method(request.method());
response->set_status(cache_entry->status_code);
response->set_status_message(cache_entry->reason_phrase);
response->set_header_list(cache_entry->response_headers);
auto [response_body, _] = safely_extract_body(realm, cache_entry->response_body.bytes());
response->set_body(response_body);
return response;
}
static void store_response_in_cache(HTTP::MemoryCache& http_cache, Infrastructure::Request const& request, Infrastructure::Response const& response)
{
if (!g_http_memory_cache_enabled)
return;
if (request.cache_mode() == HTTP::CacheMode::NoStore)
return;
http_cache.create_entry(request.current_url(), request.method(), request.header_list(), request.request_time(), response.status(), response.status_message(), response.header_list());
}
// https://fetch.spec.whatwg.org/#concept-fetch
GC::Ref<Infrastructure::FetchController> fetch(JS::Realm& realm, Infrastructure::Request& request, Infrastructure::FetchAlgorithms const& algorithms, UseParallelQueue use_parallel_queue)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'fetch' with: request @ {}", &request);
auto& vm = realm.vm();
// 1. Assert: requests mode is "navigate" or processEarlyHintsResponse is null.
VERIFY(request.mode() == Infrastructure::Request::Mode::Navigate || !algorithms.process_early_hints_response());
// 2. Let taskDestination be null.
Infrastructure::TaskDestination task_destination;
// 3. Let crossOriginIsolatedCapability be false.
auto cross_origin_isolated_capability = HTML::CanUseCrossOriginIsolatedAPIs::No;
// 4. Populate request from client given request.
populate_request_from_client(realm, request);
// 5. If requests client is non-null, then:
if (request.client() != nullptr) {
// 1. Set taskDestination to requests clients global object.
task_destination = GC::Ref { request.client()->global_object() };
// 2. Set crossOriginIsolatedCapability to requests clients cross-origin isolated capability.
cross_origin_isolated_capability = request.client()->cross_origin_isolated_capability();
}
// 6. If useParallelQueue is true, then set taskDestination to the result of starting a new parallel queue.
if (use_parallel_queue == UseParallelQueue::Yes)
task_destination = HTML::ParallelQueue::create();
// 7. Let timingInfo be a new fetch timing info whose start time and post-redirect start time are the coarsened
// shared current time given crossOriginIsolatedCapability, and render-blocking is set to requests
// render-blocking.
auto timing_info = Infrastructure::FetchTimingInfo::create(vm);
auto now = HighResolutionTime::coarsened_shared_current_time(cross_origin_isolated_capability);
timing_info->set_start_time(now);
timing_info->set_post_redirect_start_time(now);
timing_info->set_render_blocking(request.render_blocking());
// 8. Let fetchParams be a new fetch params whose request is request, timing info is timingInfo, process request
// body chunk length is processRequestBodyChunkLength, process request end-of-body is processRequestEndOfBody,
// process early hints response is processEarlyHintsResponse, process response is processResponse, process
// response consume body is processResponseConsumeBody, process response end-of-body is processResponseEndOfBody,
// task destination is taskDestination, and cross-origin isolated capability is crossOriginIsolatedCapability.
auto fetch_params = Infrastructure::FetchParams::create(vm, request, timing_info);
fetch_params->set_algorithms(algorithms);
fetch_params->set_task_destination(task_destination);
fetch_params->set_cross_origin_isolated_capability(cross_origin_isolated_capability);
// 9. If requests body is a byte sequence, then set requests body to requests body as a body.
if (auto const* buffer = request.body().get_pointer<ByteBuffer>())
request.set_body(Infrastructure::byte_sequence_as_body(realm, buffer->bytes()));
// 10. If all of the following conditions are true:
if (
// - requests URLs scheme is an HTTP(S) scheme
Infrastructure::is_http_or_https_scheme(request.url().scheme())
// - requests mode is "same-origin", "cors", or "no-cors"
&& (request.mode() == Infrastructure::Request::Mode::SameOrigin || request.mode() == Infrastructure::Request::Mode::CORS || request.mode() == Infrastructure::Request::Mode::NoCORS)
// - requests client is not null, and requests clients global object is a Window object
&& request.client() && is<HTML::Window>(request.client()->global_object())
// - requests method is `GET`
&& request.method().equals_ignoring_ascii_case("GET"sv)
// - requests unsafe-request flag is not set or requests header list is empty
&& (!request.unsafe_request() || request.header_list()->is_empty())) {
// 1. Assert: requests origin is same origin with requests clients origin.
VERIFY(request.origin().has<URL::Origin>() && request.origin().get<URL::Origin>().is_same_origin(request.client()->origin()));
// 2. Let onPreloadedResponseAvailable be an algorithm that runs the following step given a response
// response: set fetchParamss preloaded response candidate to response.
auto on_preloaded_response_available = GC::create_function(realm.heap(), [fetch_params](GC::Ref<Infrastructure::Response> response) {
fetch_params->set_preloaded_response_candidate(response);
});
// FIXME: 3. Let foundPreloadedResource be the result of invoking consume a preloaded resource for requests
// window, given requests URL, requests destination, requests mode, requests credentials mode,
// requests integrity metadata, and onPreloadedResponseAvailable.
auto found_preloaded_resource = false;
(void)on_preloaded_response_available;
// 4. If foundPreloadedResource is true and fetchParamss preloaded response candidate is null, then set
// fetchParamss preloaded response candidate to "pending".
if (found_preloaded_resource && fetch_params->preloaded_response_candidate().has<Empty>())
fetch_params->set_preloaded_response_candidate(Infrastructure::FetchParams::PreloadedResponseCandidatePendingTag {});
}
// 11. If requests header list does not contain `Accept`, then:
if (!request.header_list()->contains("Accept"sv)) {
// 1. Let value be `*/*`.
auto value = "*/*"sv;
// 2. If requests initiator is "prefetch", then set value to the document `Accept` header value.
if (request.initiator() == Infrastructure::Request::Initiator::Prefetch) {
value = document_accept_header_value;
}
// 3. Otherwise, the user agent should set value to the first matching statement, if any, switching on requests destination:
else if (request.destination().has_value()) {
switch (*request.destination()) {
// -> "document"
// -> "frame"
// -> "iframe"
case Infrastructure::Request::Destination::Document:
case Infrastructure::Request::Destination::Frame:
case Infrastructure::Request::Destination::IFrame:
// the document `Accept` header value
value = document_accept_header_value;
break;
// -> "image"
case Infrastructure::Request::Destination::Image:
// `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5`
value = "image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"sv;
break;
// -> "json"
case Infrastructure::Request::Destination::JSON:
// `application/json,*/*;q=0.5`
value = "application/json,*/*;q=0.5"sv;
break;
// -> "style"
case Infrastructure::Request::Destination::Style:
// `text/css,*/*;q=0.1`
value = "text/css,*/*;q=0.1"sv;
break;
default:
break;
}
}
// 4. Append (`Accept`, value) to requests header list.
auto header = HTTP::Header::isomorphic_encode("Accept"sv, value);
request.header_list()->append(move(header));
}
// 12. If requests header list does not contain `Accept-Language`, then user agents should append
// (`Accept-Language, an appropriate header value) to requests header list.
if (!request.header_list()->contains("Accept-Language"sv)) {
StringBuilder accept_language;
accept_language.join(","sv, ResourceLoader::the().preferred_languages());
auto header = HTTP::Header::isomorphic_encode("Accept-Language"sv, accept_language.string_view());
request.header_list()->append(move(header));
}
// 13. If requests internal priority is null, then use requests priority, initiator, destination, and
// render-blocking in an implementation-defined manner to set requests internal priority to an
// implementation-defined object.
// NOTE: The user-agent-defined object could encompass stream weight and dependency for HTTP/2, and equivalent
// information used to prioritize dispatch and processing of HTTP/1 fetches.
// 14. If request is a subresource request, then:
if (request.is_subresource_request()) {
// 1. Let record be a new fetch record whose request is request and controller is fetchParamss controller.
auto record = Infrastructure::FetchRecord::create(vm, request, fetch_params->controller());
// 2. Append record to requests clients fetch groups fetch records.
request.client()->fetch_group().append(record);
}
// 15. Run main fetch given fetchParams.
(void)main_fetch(realm, fetch_params);
// 16. Return fetchParamss controller.
return fetch_params->controller();
}
// https://fetch.spec.whatwg.org/#populate-request-from-client
void populate_request_from_client(JS::Realm const& realm, Infrastructure::Request& request)
{
auto& heap = realm.heap();
// 1. If requests traversable for user prompts is "client":
auto const* traversable_for_user_prompts = request.traversable_for_user_prompts().get_pointer<Infrastructure::Request::TraversableForUserPrompts>();
if (traversable_for_user_prompts && *traversable_for_user_prompts == Infrastructure::Request::TraversableForUserPrompts::Client) {
// 1. Set requests traversable for user prompts to "no-traversable".
request.set_traversable_for_user_prompts(Infrastructure::Request::TraversableForUserPrompts::NoTraversable);
// 2. If requests client is non-null:
if (request.client()) {
// 1. Let global be requests clients global object.
auto& global = request.client()->global_object();
// 2. If global is a Window object and globals navigable is not null, then set requests traversable for
// user prompts to globals navigables traversable navigable.
if (auto const* window = as_if<HTML::Window>(global)) {
if (window->navigable())
request.set_traversable_for_user_prompts(window->navigable()->traversable_navigable());
}
}
}
// 2. If requests origin is "client":
auto const* origin = request.origin().get_pointer<Infrastructure::Request::Origin>();
if (origin && *origin == Infrastructure::Request::Origin::Client) {
// 1. Assert: requests client is non-null.
VERIFY(request.client());
// 2. Set requests origin to requests clients origin.
request.set_origin(request.client()->origin());
}
// 3. If requests policy container is "client":
auto const* policy_container = request.policy_container().get_pointer<Infrastructure::Request::PolicyContainer>();
if (policy_container && *policy_container == Infrastructure::Request::PolicyContainer::Client) {
// 1. If requests client is non-null, then set requests policy container to a clone of requests clients
// policy container.
if (request.client())
request.set_policy_container(request.client()->policy_container()->clone(heap));
// 2. Otherwise, set requests policy container to a new policy container.
else
request.set_policy_container(heap.allocate<HTML::PolicyContainer>(heap));
}
}
// https://fetch.spec.whatwg.org/#concept-main-fetch
GC::Ptr<PendingResponse> main_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Recursive recursive)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' with: fetch_params @ {}", &fetch_params);
auto& vm = realm.vm();
// 1. Let request be fetchParamss request.
auto request = fetch_params.request();
// 2. Let response be null.
GC::Ptr<Infrastructure::Response> response;
// 3. If requests local-URLs-only flag is set and requests current URL is not local, then set response to a
// network error.
if (request->local_urls_only() && !Infrastructure::is_local_url(request->current_url()))
response = Infrastructure::Response::network_error(vm, "Request with 'local-URLs-only' flag must have a local URL"_string);
// 4. Run report Content Security Policy violations for request.
ContentSecurityPolicy::report_content_security_policy_violations_for_request(realm, request);
// FIXME: 5. Upgrade request to a potentially trustworthy URL, if appropriate.
// 6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.
MixedContent::upgrade_a_mixed_content_request_to_a_potentially_trustworthy_url_if_appropriate(request);
// 7. If should request be blocked due to a bad port, should fetching request be blocked as mixed content, should
// request be blocked by Content Security Policy, or should request be blocked by Integrity Policy Policy
// returns blocked, then set response to a network error.
if (Infrastructure::block_bad_port(request) == Infrastructure::RequestOrResponseBlocking::Blocked
|| MixedContent::should_fetching_request_be_blocked_as_mixed_content(request) == Infrastructure::RequestOrResponseBlocking::Blocked
|| ContentSecurityPolicy::should_request_be_blocked_by_content_security_policy(realm, request) == ContentSecurityPolicy::Directives::Directive::Result::Blocked
|| ContentSecurityPolicy::should_request_be_blocked_by_integrity_policy(request) == ContentSecurityPolicy::Directives::Directive::Result::Blocked) {
response = Infrastructure::Response::network_error(vm, "Request was blocked"_string);
}
// 8. If requests referrer policy is the empty string, then set requests referrer policy to requests policy
// containers referrer policy.
if (request->referrer_policy() == ReferrerPolicy::ReferrerPolicy::EmptyString) {
VERIFY(request->policy_container().has<GC::Ref<HTML::PolicyContainer>>());
request->set_referrer_policy(request->policy_container().get<GC::Ref<HTML::PolicyContainer>>()->referrer_policy);
}
// 9. If requests referrer is not "no-referrer", then set requests referrer to the result of invoking determine
// requests referrer.
// NOTE: As stated in Referrer Policy, user agents can provide the end user with options to override requests
// referrer to "no-referrer" or have it expose less sensitive information.
auto const* referrer = request->referrer().get_pointer<Infrastructure::Request::Referrer>();
if (!referrer || *referrer != Infrastructure::Request::Referrer::NoReferrer) {
auto determined_referrer = ReferrerPolicy::determine_requests_referrer(request);
if (determined_referrer.has_value())
request->set_referrer(*determined_referrer);
else
request->set_referrer(Infrastructure::Request::Referrer::NoReferrer);
}
// 10. Set requests current URLs scheme to "https" if all of the following conditions are true:
if (
// - requests current URLs scheme is "http"
request->current_url().scheme() == "http"sv
// - requests current URLs host is a domain
&& request->current_url().host().has_value() && request->current_url().host()->is_domain()
// FIXME: - Matching requests current URLs host per Known HSTS Host Domain Name Matching results in either a
// superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an
// asserted includeSubDomains directive) [HSTS]; or DNS resolution for the request finds a matching HTTPS RR
// per section 9.5 of [SVCB].
&& false) {
request->current_url().set_scheme("https"_string);
}
auto get_response = GC::create_function(vm.heap(), [&realm, &vm, &fetch_params, request]() -> GC::Ref<PendingResponse> {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' get_response() function");
auto const* origin = request->origin().get_pointer<URL::Origin>();
// -> fetchParamss preloaded response candidate is not null
if (!fetch_params.preloaded_response_candidate().has<Empty>()) {
// 1. Wait until fetchParamss preloaded response candidate is not "pending".
HTML::main_thread_event_loop().spin_until(GC::create_function(vm.heap(), [&] {
return !fetch_params.preloaded_response_candidate().has<Infrastructure::FetchParams::PreloadedResponseCandidatePendingTag>();
}));
// 2. Assert: fetchParamss preloaded response candidate is a response.
VERIFY(fetch_params.preloaded_response_candidate().has<GC::Ref<Infrastructure::Response>>());
// 3. Return fetchParamss preloaded response candidate.
return PendingResponse::create(vm, request, fetch_params.preloaded_response_candidate().get<GC::Ref<Infrastructure::Response>>());
}
// -> requests current URLs origin is same origin with requests origin, and requests response tainting is "basic"
// -> requests current URLs scheme is "data"
// -> requests mode is "navigate" or "websocket"
// AD-HOC: Treat file:// font loads from file:// pages as same-origin.
// Fonts require CORS mode per spec, but file:// origins are opaque in our implementation,
// so the standard same-origin check always fails. Other browsers (Chromium, WebKit, Firefox)
// all allow loading fonts from file:// URLs on file:// pages.
auto is_file_to_file_font_load = origin && origin->is_opaque_file_origin()
&& request->current_url().scheme() == "file"sv
&& request->destination() == Infrastructure::Request::Destination::Font;
if (
(origin && request->current_url().origin().is_same_origin(*origin) && request->response_tainting() == Infrastructure::Request::ResponseTainting::Basic)
|| is_file_to_file_font_load
|| request->current_url().scheme() == "data"sv
|| (request->mode() == Infrastructure::Request::Mode::Navigate || request->mode() == Infrastructure::Request::Mode::WebSocket)) {
// 1. Set requests response tainting to "basic".
request->set_response_tainting(Infrastructure::Request::ResponseTainting::Basic);
// 2. Return the result of running scheme fetch given fetchParams.
return scheme_fetch(realm, fetch_params);
// NOTE: HTML assigns any documents and workers created from URLs whose scheme is "data" a unique
// opaque origin. Service workers can only be created from URLs whose scheme is an HTTP(S) scheme.
}
// -> requests mode is "same-origin"
if (request->mode() == Infrastructure::Request::Mode::SameOrigin) {
// Return a network error.
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'same-origin' mode must have same URL and request origin"_string));
}
// -> requests mode is "no-cors"
if (request->mode() == Infrastructure::Request::Mode::NoCORS) {
// 1. If requests redirect mode is not "follow", then return a network error.
if (request->redirect_mode() != Infrastructure::Request::RedirectMode::Follow)
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'no-cors' mode must have redirect mode set to 'follow'"_string));
// 2. Set requests response tainting to "opaque".
request->set_response_tainting(Infrastructure::Request::ResponseTainting::Opaque);
// 3. Return the result of running scheme fetch given fetchParams.
return scheme_fetch(realm, fetch_params);
}
// -> requests current URLs scheme is not an HTTP(S) scheme
// AD-HOC: We allow CORS requests for resource:// URLs from opaque origins to enable requesting JS modules from internal pages.
if (!Infrastructure::is_http_or_https_scheme(request->current_url().scheme())
&& !(origin && origin->is_opaque() && request->current_url().scheme() == "resource"sv)) {
// NOTE: At this point all other request modes have been handled. Ensure we're not lying in the error message :^)
VERIFY(request->mode() == Infrastructure::Request::Mode::CORS);
// Return a network error.
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' mode must have URL with HTTP or HTTPS scheme"_string));
}
// -> requests use-CORS-preflight flag is set
// -> requests unsafe-request flag is set and either requests method is not a CORS-safelisted method or
// CORS-unsafe request-header names with requests header list is not empty
if (
request->use_cors_preflight()
|| (request->unsafe_request()
&& (!HTTP::is_cors_safelisted_method(request->method())
|| !Infrastructure::get_cors_unsafe_header_names(request->header_list()).is_empty()))) {
// 1. Set requests response tainting to "cors".
request->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS);
auto returned_pending_response = PendingResponse::create(vm, request);
// 2. Let corsWithPreflightResponse be the result of running HTTP fetch given fetchParams and true.
auto cors_with_preflight_response = http_fetch(realm, fetch_params, MakeCORSPreflight::Yes);
cors_with_preflight_response->when_loaded([returned_pending_response](GC::Ref<Infrastructure::Response> cors_with_preflight_response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' cors_with_preflight_response load callback");
// 3. If corsWithPreflightResponse is a network error, then clear cache entries using request.
if (cors_with_preflight_response->is_network_error()) {
// FIXME: Clear cache entries
}
// 4. Return corsWithPreflightResponse.
returned_pending_response->resolve(cors_with_preflight_response);
});
return returned_pending_response;
}
// -> Otherwise
// 1. Set requests response tainting to "cors".
request->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS);
// 2. Return the result of running HTTP fetch given fetchParams.
return http_fetch(realm, fetch_params);
});
if (recursive == Recursive::Yes) {
// 12. If response is null, then set response to the result of running the steps corresponding to the first
// matching statement:
auto pending_response = !response
? get_response->function()()
: PendingResponse::create(vm, request, *response);
// 13. If recursive is true, then return response.
return pending_response;
}
// 11. If recursive is false, then run the remaining steps in parallel.
Platform::EventLoopPlugin::the().deferred_invoke(GC::create_function(realm.heap(), [&realm, &vm, &fetch_params, request, response, get_response] {
// 12. If response is null, then set response to the result of running the steps corresponding to the first
// matching statement:
auto pending_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm));
if (!response) {
pending_response = get_response->function()();
}
pending_response->when_loaded([&realm, &vm, &fetch_params, request, response, response_was_null = !response](GC::Ref<Infrastructure::Response> resolved_response) mutable {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'main fetch' pending_response load callback");
if (response_was_null)
response = resolved_response;
// 14. If response is not a network error and response is not a filtered response, then:
if (!response->is_network_error() && !is<Infrastructure::FilteredResponse>(*response)) {
// 1. If requests response tainting is "cors", then:
if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS) {
// 1. Let headerNames be the result of extracting header list values given
// `Access-Control-Expose-Headers` and responses header list.
auto header_names_or_failure = response->header_list()->extract_header_list_values("Access-Control-Expose-Headers"sv);
if (auto* header_names = header_names_or_failure.get_pointer<Vector<ByteString>>()) {
// 2. If requests credentials mode is not "include" and headerNames contains `*`, then set
// responses CORS-exposed header-name list to all unique header names in responses header
// list.
if (request->credentials_mode() != Infrastructure::Request::CredentialsMode::Include && header_names->contains_slow("*"sv)) {
auto unique_header_names = response->header_list()->unique_names();
response->set_cors_exposed_header_name_list(move(unique_header_names));
}
// 3. Otherwise, if headerNames is not null or failure, then set responses CORS-exposed
// header-name list to headerNames.
else if (!header_names->is_empty()) {
response->set_cors_exposed_header_name_list(move(*header_names));
}
}
}
// 2. Set response to the following filtered response with response as its internal response, depending
// on requests response tainting:
response = [&]() -> GC::Ref<Infrastructure::Response> {
switch (request->response_tainting()) {
// -> "basic"
case Infrastructure::Request::ResponseTainting::Basic:
// basic filtered response
return Infrastructure::BasicFilteredResponse::create(vm, *response);
// -> "cors"
case Infrastructure::Request::ResponseTainting::CORS:
// CORS filtered response
return Infrastructure::CORSFilteredResponse::create(vm, *response);
// -> "opaque"
case Infrastructure::Request::ResponseTainting::Opaque:
// opaque filtered response
return Infrastructure::OpaqueFilteredResponse::create(vm, *response);
default:
VERIFY_NOT_REACHED();
}
}();
}
// 15. Let internalResponse be response, if response is a network error, and responses internal response
// otherwise.
auto internal_response = response->is_network_error()
? GC::Ref { *response }
: static_cast<Infrastructure::FilteredResponse&>(*response).internal_response();
// 16. If internalResponses URL list is empty, then set it to a clone of requests URL list.
// NOTE: A responses URL list can be empty (for example, when the response represents an about URL).
if (internal_response->url_list().is_empty())
internal_response->set_url_list(request->url_list());
// 17. Set internalResponses redirect taint to requests redirect-taint.
internal_response->set_redirect_taint(request->redirect_taint());
// 18. If requests timing allow failed flag is unset, then set internalResponses timing allow passed flag.
if (!request->timing_allow_failed())
internal_response->set_timing_allow_passed(true);
// 19. If response is not a network error and any of the following returns blocked
if (!response->is_network_error() && (
// - should internalResponse to request be blocked as mixed content
MixedContent::should_response_to_request_be_blocked_as_mixed_content(request, internal_response) == Infrastructure::RequestOrResponseBlocking::Blocked
// - should internalResponse to request be blocked by Content Security Policy
|| ContentSecurityPolicy::should_response_to_request_be_blocked_by_content_security_policy(realm, internal_response, request) == ContentSecurityPolicy::Directives::Directive::Result::Blocked
// - should internalResponse to request be blocked due to its MIME type
|| Infrastructure::should_response_to_request_be_blocked_due_to_its_mime_type(internal_response, request) == Infrastructure::RequestOrResponseBlocking::Blocked
// - should internalResponse to request be blocked due to nosniff
|| Infrastructure::should_response_to_request_be_blocked_due_to_nosniff(internal_response, request) == Infrastructure::RequestOrResponseBlocking::Blocked)) {
// then set response and internalResponse to a network error.
response = internal_response = Infrastructure::Response::network_error(vm, "Response was blocked"_string);
}
// 20. If responses type is "opaque", internalResponses status is 206, internalResponses range-requested
// flag is set, and requests header list does not contain `Range`, then set response and
// internalResponse to a network error.
// NOTE: Traditionally, APIs accept a ranged response even if a range was not requested. This prevents a
// partial response from an earlier ranged request being provided to an API that did not make a range
// request.
if (response->type() == Infrastructure::Response::Type::Opaque
&& internal_response->status() == 206
&& internal_response->range_requested()
&& !request->header_list()->contains("Range"sv)) {
response = internal_response = Infrastructure::Response::network_error(vm, "Response has status 206 and 'range-requested' flag set, but request has no 'Range' header"_string);
}
// 21. If response is not a network error and either requests method is `HEAD` or `CONNECT`, or
// internalResponses status is a null body status, set internalResponses body to null and disregard
// any enqueuing toward it (if any).
// NOTE: This standardizes the error handling for servers that violate HTTP.
if (!response->is_network_error() && (request->method().is_one_of("HEAD"sv, "CONNECT"sv) || Infrastructure::is_null_body_status(internal_response->status())))
internal_response->set_body({});
// 22. If requests integrity metadata is not the empty string, then:
if (!request->integrity_metadata().is_empty()) {
// 1. Let processBodyError be this step: run fetch response handover given fetchParams and a network
// error.
auto process_body_error = GC::create_function(vm.heap(), [&realm, &vm, &fetch_params](JS::Value) {
fetch_response_handover(realm, fetch_params, Infrastructure::Response::network_error(vm, "Response body could not be processed"_string));
});
// 2. If responses body is null, then run processBodyError and abort these steps.
if (!response->body()) {
process_body_error->function()({});
return;
}
// 3. Let processBody given bytes be these steps:
auto process_body = GC::create_function(vm.heap(), [&realm, request, response, &fetch_params, process_body_error](ByteBuffer bytes) {
// 1. If bytes do not match requests integrity metadata, then run processBodyError and abort these steps.
if (!TRY_OR_IGNORE(SRI::do_bytes_match_metadata_list(bytes, request->integrity_metadata()))) {
process_body_error->function()({});
return;
}
// 2. Set responses body to bytes as a body.
response->set_body(Infrastructure::byte_sequence_as_body(realm, bytes));
// 3. Run fetch response handover given fetchParams and response.
fetch_response_handover(realm, fetch_params, *response);
});
// 4. Fully read responses body given processBody and processBodyError.
response->body()->fully_read(realm, process_body, process_body_error, fetch_params.task_destination());
}
// 23. Otherwise, run fetch response handover given fetchParams and response.
else {
fetch_response_handover(realm, fetch_params, *response);
}
});
}));
return GC::Ptr<PendingResponse> {};
}
// https://fetch.spec.whatwg.org/#request-determine-the-environment
static GC::Ptr<HTML::Environment> determine_the_environment(GC::Ref<Infrastructure::Request> request)
{
// 1. If requests reserved client is non-null, then return requests reserved client.
if (request->reserved_client())
return request->reserved_client();
// 2. If requests client is non-null, then return requests client.
if (request->client())
return request->client();
// 3. Return null.
return {};
}
// https://fetch.spec.whatwg.org/#fetch-finale
void fetch_response_handover(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Infrastructure::Response& response)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'fetch response handover' with: fetch_params @ {}, response @ {}", &fetch_params, &response);
auto& vm = realm.vm();
// 1. Let timingInfo be fetchParamss timing info.
auto timing_info = fetch_params.timing_info();
// 2. If response is not a network error and fetchParamss requests client is a secure context, then set
// timingInfos server-timing headers to the result of getting, decoding, and splitting `Server-Timing` from
// responses header list.
// The user agent may decide to expose `Server-Timing` headers to non-secure contexts requests as well.
auto client = fetch_params.request()->client();
if (!response.is_network_error() && client != nullptr && HTML::is_secure_context(*client)) {
if (auto server_timing_headers = response.header_list()->get_decode_and_split("Server-Timing"sv); server_timing_headers.has_value())
timing_info->set_server_timing_headers(server_timing_headers.release_value());
}
// AD-HOC: We extract steps 1-3 of processResponseEndOfBody into a separate lambda so we can also call it from
// the error path. The fetch spec only runs processResponseEndOfBody on successful body read (via the
// transform stream's flush algorithm). However, processResponseConsumeBody is called for both success
// and failure, and specs like HTML's preload algorithm expect to be able to call reportTiming from
// within processResponseConsumeBody. So we ensure report_timing_steps is set on error too, which allows
// reportTiming to work without asserting, and still produces useful timing data for failed fetches.
auto setup_report_timing_steps = [&vm, &response, &fetch_params, timing_info] {
// 1. Let unsafeEndTime be the unsafe shared current time.
auto unsafe_end_time = HighResolutionTime::unsafe_shared_current_time();
// 2. If fetchParamss requests destination is "document", then set fetchParamss controllers full timing
// info to fetchParamss timing info.
if (fetch_params.request()->destination() == Infrastructure::Request::Destination::Document)
fetch_params.controller()->set_full_timing_info(fetch_params.timing_info());
// 3. Set fetchParamss controllers report timing steps to the following steps given a global object global:
fetch_params.controller()->set_report_timing_steps([&vm, &response, &fetch_params, timing_info, unsafe_end_time](JS::Object& global) mutable {
// 1. If fetchParamss requests URLs scheme is not an HTTP(S) scheme, then return.
if (!Infrastructure::is_http_or_https_scheme(fetch_params.request()->url().scheme()))
return;
// 2. Set timingInfos end time to the relative high resolution time given unsafeEndTime and global.
// Spec Issue: Using relative time here is incorrect, as end time is converted to relative time by Resource Timing,
// causing it to take a relative time of an already relative time, effectively make it always a negative
// value approximately the value of the time origin.
timing_info->set_end_time(unsafe_end_time);
// 3. Let cacheState be responses cache state.
auto cache_state = response.cache_state();
// 4. Let bodyInfo be responses body info.
auto body_info = response.body_info();
// 5. If responses timing allow passed flag is not set, then set timingInfo to the result of creating an
// opaque timing info for timingInfo, set bodyInfo to a new response body info, and set cacheState to
// the empty string.
// NOTE: This covers the case of response being a network error.
if (!response.timing_allow_passed()) {
timing_info = Infrastructure::create_opaque_timing_info(vm, timing_info);
body_info = Infrastructure::Response::BodyInfo {};
cache_state = {};
}
// 6. Let responseStatus be 0.
auto response_status = 0;
// 7. If fetchParamss requests mode is not "navigate" or responses redirect taint is "same-origin":
if (fetch_params.request()->mode() != Infrastructure::Request::Mode::Navigate || response.redirect_taint() == Infrastructure::RedirectTaint::SameOrigin) {
// 1. Set responseStatus to responses status.
response_status = response.status();
// 2. Let mimeType be the result of extracting a MIME type from responses header list.
auto mime_type = Infrastructure::extract_mime_type(response.header_list());
// 3. If mimeType is non-null, then set bodyInfos content type to the result of minimizing a supported MIME type given mimeType.
if (mime_type.has_value())
body_info.content_type = MimeSniff::minimise_a_supported_mime_type(mime_type.value());
}
// 8. If fetchParamss requests initiator type is not null, then mark resource timing given timingInfo,
// requests URL, requests initiator type, global, cacheState, bodyInfo, and responseStatus.
if (fetch_params.request()->initiator_type().has_value()) {
ResourceTiming::PerformanceResourceTiming::mark_resource_timing(timing_info, fetch_params.request()->url().to_string(), Infrastructure::initiator_type_to_string(fetch_params.request()->initiator_type().value()), global, cache_state, body_info, response_status);
}
});
};
// 3. Let processResponseEndOfBody be the following steps:
auto process_response_end_of_body = [&vm, &fetch_params, &response, setup_report_timing_steps] {
// 1-3. (See setup_report_timing_steps above)
setup_report_timing_steps();
// 4. Let processResponseEndOfBodyTask be the following steps:
auto process_response_end_of_body_task = GC::create_function(vm.heap(), [&fetch_params, &response] {
// 1. Set fetchParamss requests done flag.
fetch_params.request()->set_done(true);
// 2. If fetchParamss process response end-of-body is non-null, then run fetchParamss process response
// end-of-body given response.
if (fetch_params.algorithms()->process_response_end_of_body())
(fetch_params.algorithms()->process_response_end_of_body())(response);
// 3. If fetchParamss requests initiator type is non-null and fetchParamss requests clients global
// object is fetchParamss task destination, then run fetchParamss controllers report timing steps
// given fetchParamss requests clients global object.
auto client = fetch_params.request()->client();
auto const* task_destination_global_object = fetch_params.task_destination().get_pointer<GC::Ref<JS::Object>>();
if (client != nullptr && task_destination_global_object != nullptr) {
if (fetch_params.request()->initiator_type().has_value() && &client->global_object() == task_destination_global_object->ptr())
fetch_params.controller()->report_timing(client->global_object());
}
});
// 5. Queue a fetch task to run processResponseEndOfBodyTask with fetchParamss task destination.
Infrastructure::queue_fetch_task(fetch_params.controller(), fetch_params.task_destination(), move(process_response_end_of_body_task));
};
// 4. If fetchParamss process response is non-null, then queue a fetch task to run fetchParamss process response
// given response, with fetchParamss task destination.
if (fetch_params.algorithms()->process_response()) {
Infrastructure::queue_fetch_task(fetch_params.controller(), fetch_params.task_destination(), GC::create_function(vm.heap(), [&fetch_params, &response]() {
fetch_params.algorithms()->process_response()(response);
}));
}
// 5. Let internalResponse be response, if response is a network error; otherwise responses internal response.
auto internal_response = response.is_network_error() ? GC::Ref { response } : response.unsafe_response();
// 6. If internalResponses body is null, then run processResponseEndOfBody.
if (!internal_response->body()) {
process_response_end_of_body();
}
// 7. Otherwise:
else {
HTML::TemporaryExecutionContext const execution_context { realm, HTML::TemporaryExecutionContext::CallbacksEnabled::Yes };
// 1. Let transformStream be a new TransformStream.
auto transform_stream = realm.create<Streams::TransformStream>(realm);
// 2. Let identityTransformAlgorithm be an algorithm which, given chunk, enqueues chunk in transformStream.
auto identity_transform_algorithm = GC::create_function(realm.heap(), [&realm, transform_stream](JS::Value chunk) -> GC::Ref<WebIDL::Promise> {
MUST(Streams::transform_stream_default_controller_enqueue(*transform_stream->controller(), chunk));
return WebIDL::create_resolved_promise(realm, JS::js_undefined());
});
// 3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm and flushAlgorithm set
// to processResponseEndOfBody.
auto flush_algorithm = GC::create_function(realm.heap(), [&realm, process_response_end_of_body]() -> GC::Ref<WebIDL::Promise> {
process_response_end_of_body();
return WebIDL::create_resolved_promise(realm, JS::js_undefined());
});
transform_stream->set_up(identity_transform_algorithm, flush_algorithm);
// 4. Set internalResponses bodys stream to the result of internalResponses bodys stream piped through transformStream.
internal_response->body()->set_stream(internal_response->body()->stream()->piped_through(transform_stream));
}
// 8. If fetchParamss process response consume body is non-null, then:
if (fetch_params.algorithms()->process_response_consume_body()) {
// 1. Let processBody given nullOrBytes be this step: run fetchParamss process response consume body given
// response and nullOrBytes.
auto process_body = GC::create_function(vm.heap(), [&fetch_params, &response](ByteBuffer bytes) {
(fetch_params.algorithms()->process_response_consume_body())(response, move(bytes));
});
// 2. Let processBodyError be this step: run fetchParamss process response consume body given response and
// failure.
auto process_body_error = GC::create_function(vm.heap(), [&fetch_params, &response, setup_report_timing_steps](JS::Value) {
// AD-HOC: See comment on setup_report_timing_steps above.
setup_report_timing_steps();
(fetch_params.algorithms()->process_response_consume_body())(response, Infrastructure::FetchAlgorithms::ConsumeBodyFailureTag {});
});
// 3. If internalResponse's body is null, then queue a fetch task to run processBody given null, with
// fetchParamss task destination.
if (!internal_response->body()) {
Infrastructure::queue_fetch_task(fetch_params.controller(), fetch_params.task_destination(), GC::create_function(vm.heap(), [&fetch_params, &response]() {
// NOTE: We have to provide `fully_read` a callback which accepts a ByteBuffer. Since that is not
// nullable, we just invoke `process_response_consume_body` with a null value manually here.
(fetch_params.algorithms()->process_response_consume_body())(response, Empty {});
}));
}
// 4. Otherwise, fully read internalResponse body given processBody, processBodyError, and fetchParamss task
// destination.
else {
internal_response->body()->fully_read(realm, process_body, process_body_error, fetch_params.task_destination());
}
}
}
// https://fetch.spec.whatwg.org/#concept-scheme-fetch
GC::Ref<PendingResponse> scheme_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'scheme fetch' with: fetch_params @ {}", &fetch_params);
auto& vm = realm.vm();
// 1. If fetchParams is canceled, then return the appropriate network error for fetchParams.
if (fetch_params.is_canceled())
return PendingResponse::create(vm, fetch_params.request(), Infrastructure::Response::appropriate_network_error(vm, fetch_params));
// 2. Let request be fetchParamss request.
auto request = fetch_params.request();
// 3. Switch on requests current URLs scheme and run the associated steps:
// -> "about"
if (request->current_url().scheme() == "about"sv) {
// If requests current URLs path is the string "blank", then return a new response whose status message is
// `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », and body is the empty byte sequence as
// a body.
// NOTE: URLs such as "about:config" are handled during navigation and result in a network error in the context
// of fetching.
if (request->current_url().paths().size() == 1 && request->current_url().paths()[0] == "blank"sv) {
auto response = Infrastructure::Response::create(vm);
response->set_status_message("OK"sv);
response->header_list()->append({ "Content-Type"sv, "text/html;charset=utf-8"sv });
response->set_body(Infrastructure::byte_sequence_as_body(realm, ""sv.bytes()));
return PendingResponse::create(vm, request, response);
}
// FIXME: This is actually wrong, see note above.
return nonstandard_resource_loader_file_or_http_network_fetch(realm, fetch_params);
}
// -> "blob"
else if (request->current_url().scheme() == "blob"sv) {
// 1. Let blobURLEntry be requests current URLs blob URL entry.
auto const& blob_url_entry = request->current_url().blob_url_entry();
// 2. If requests method is not `GET` or blobURLEntry is null, then return a network error. [FILEAPI]
if (request->method() != "GET"sv || !blob_url_entry.has_value())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has an invalid 'blob:' URL"_string));
// 3. Let requestEnvironment be the result of determining the environment given request.
auto request_environment = determine_the_environment(request);
// 4. Let isTopLevelSelfFetch be false.
bool is_top_level_self_fetch = false;
// 5. If requests client is non-null:
if (request->client() != nullptr) {
// 1. Let global be requests clients global object.
auto const* global_window = as_if<HTML::Window>(request->client()->global_object());
// 2. If all of the following conditions are true:
if (
// global is a Window object;
global_window != nullptr &&
// globals navigable is not null;
global_window->navigable() != nullptr &&
// globals navigables parent is null; and
global_window->navigable()->parent() == nullptr &&
// requestEnvironments creation URL equals requests current URL,
request_environment->creation_url == request->current_url())
// then set isTopLevelSelfFetch to true.
is_top_level_self_fetch = true;
}
// 6. Let stringOrEnvironment be the result of these steps:
auto string_or_environment = [&]() -> Variant<GC::Ref<HTML::Environment>, FileAPI::TopLevelNavigation, FileAPI::TopLevelSelfFetch> {
// 1. If requests destination is "document", then return "top-level-navigation".
if (request->destination() == Infrastructure::Request::Destination::Document)
return FileAPI::TopLevelNavigation();
// 2. If isTopLevelSelfFetch is true, then return "top-level-self-fetch".
if (is_top_level_self_fetch)
return FileAPI::TopLevelSelfFetch();
// 3. Return requestEnvironment.
return GC::Ref(*request_environment);
}();
// 7. Let blob be the result of obtaining a blob object given blobURLEntry and navigationOrEnvironment.
auto maybe_blob_object = FileAPI::obtain_a_blob_object(blob_url_entry.value(), string_or_environment);
// 8. If blob is not a Blob object, then return a network error.
if (!maybe_blob_object.has_value())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Failed to obtain a Blob object from 'blob:' URL"_string));
URL::BlobURLEntry::Blob* blob_object;
if (blob_object = maybe_blob_object.value().get_pointer<URL::BlobURLEntry::Blob>(); !blob_object)
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Failed to obtain a Blob object from 'blob:' URL"_string));
auto const blob = FileAPI::Blob::create(realm, blob_object->data, blob_object->type);
// 9. Let response be a new response.
auto response = Infrastructure::Response::create(vm);
// 10. Let fullLength be blobs size.
auto full_length = blob->size();
// 11. Let serializedFullLength be fullLength, serialized and isomorphic encoded.
auto serialized_full_length = String::number(full_length);
// 12. Let type be blobs type.
auto const& type = blob->type();
// 13. If requests header list does not contain `Range`:
if (!request->header_list()->contains("Range"sv)) {
// 1. Let bodyWithType be the result of safely extracting blob.
auto body_with_type = safely_extract_body(realm, blob->raw_bytes());
// 2. Set responses status message to `OK`.
response->set_status_message("OK"sv);
// 3. Set responses body to bodyWithTypes body.
response->set_body(body_with_type.body);
// 4. Set responses header list to « (`Content-Length`, serializedFullLength), (`Content-Type`, type) ».
auto content_length_header = HTTP::Header::isomorphic_encode("Content-Length"sv, serialized_full_length);
response->header_list()->append(move(content_length_header));
auto content_type_header = HTTP::Header::isomorphic_encode("Content-Type"sv, type);
response->header_list()->append(move(content_type_header));
}
// 14. Otherwise:
else {
// 1. Set responses range-requested flag.
response->set_range_requested(true);
// 2. Let rangeHeader be the result of getting `Range` from requests header list.
auto const range_header = request->header_list()->get("Range"sv).value_or({});
// 3. Let rangeValue be the result of parsing a single range header value given rangeHeader and true.
auto maybe_range_value = HTTP::parse_single_range_header_value(range_header, true);
// 4. If rangeValue is failure, then return a network error.
if (!maybe_range_value.has_value())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Failed to parse single range header value"_string));
// 5. Let (rangeStart, rangeEnd) be rangeValue.
auto& [range_start, range_end] = maybe_range_value.value();
// 6. If rangeStart is null:
if (!range_start.has_value()) {
VERIFY(range_end.has_value());
// 1. Set rangeStart to fullLength rangeEnd.
range_start = full_length - *range_end;
// 2. Set rangeEnd to rangeStart + rangeEnd 1.
range_end = *range_start + *range_end - 1;
}
// 7. Otherwise:
else {
// 1. If rangeStart is greater than or equal to fullLength, then return a network error.
if (*range_start >= full_length)
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "rangeStart is greater than or equal to fullLength"_string));
// 2. If rangeEnd is null or rangeEnd is greater than or equal to fullLength, then set rangeEnd to fullLength 1.
if (!range_end.has_value() || *range_end >= full_length)
range_end = full_length - 1;
}
// 8. Let slicedBlob be the result of invoking slice blob given blob, rangeStart, rangeEnd + 1, and type.
auto sliced_blob = MUST(blob->slice(*range_start, *range_end + 1, type));
// 9. Let slicedBodyWithType be the result of safely extracting slicedBlob.
auto sliced_body_with_type = safely_extract_body(realm, sliced_blob->raw_bytes());
// 10. Set responses body to slicedBodyWithTypes body.
response->set_body(sliced_body_with_type.body);
// 11. Let serializedSlicedLength be slicedBlobs size, serialized and isomorphic encoded.
auto serialized_sliced_length = String::number(sliced_blob->size());
// 12. Let contentRange be the result of invoking build a content range given rangeStart, rangeEnd, and fullLength.
auto content_range = HTTP::build_content_range(*range_start, *range_end, full_length);
// 13. Set responses status to 206.
response->set_status(206);
// 14. Set responses status message to `Partial Content`.
response->set_status_message("Partial Content"sv);
// 15. Set responses header list to «
// (`Content-Length`, serializedSlicedLength),
auto content_length_header = HTTP::Header::isomorphic_encode("Content-Length"sv, serialized_sliced_length);
response->header_list()->append(move(content_length_header));
// (`Content-Type`, type),
auto content_type_header = HTTP::Header::isomorphic_encode("Content-Type"sv, type);
response->header_list()->append(move(content_type_header));
// (`Content-Range`, contentRange) ».
auto content_range_header = HTTP::Header::isomorphic_encode("Content-Range"sv, content_range);
response->header_list()->append(move(content_range_header));
}
// 15. Return response.
return PendingResponse::create(vm, request, response);
}
// -> "data"
else if (request->current_url().scheme() == "data"sv) {
// 1. Let dataURLStruct be the result of running the data: URL processor on requests current URL.
auto data_url_struct = Infrastructure::process_data_url(request->current_url());
// 2. If dataURLStruct is failure, then return a network error.
if (data_url_struct.is_error())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Failed to process 'data:' URL"_string));
// 3. Let mimeType be dataURLStructs MIME type, serialized.
auto const& mime_type = data_url_struct.value().mime_type.serialized();
// 4. Return a new response whose status message is `OK`, header list is « (`Content-Type`, mimeType) », and
// body is dataURLStructs body as a body.
auto response = Infrastructure::Response::create(vm);
response->set_status_message("OK"sv);
auto header = HTTP::Header::isomorphic_encode("Content-Type"sv, mime_type);
response->header_list()->append(move(header));
response->set_body(Infrastructure::byte_sequence_as_body(realm, data_url_struct.value().body));
return PendingResponse::create(vm, request, response);
}
// -> "file"
// AD-HOC: "resource"
else if (request->current_url().scheme() == "file"sv || request->current_url().scheme() == "resource"sv) {
// For now, unfortunate as it is, file: URLs are left as an exercise for the reader.
// When in doubt, return a network error.
auto error = PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'file:' or 'resource:' URL blocked"_string));
auto const* origin = request->origin().get_pointer<URL::Origin>();
if (!origin)
return error;
if (!(origin->is_opaque() || origin->scheme() == "file"sv || origin->scheme() == "resource"sv))
return error;
// Allow file:// pages to load subresources (scripts, styles, fonts, etc.) from other file:// URLs,
// but block the fetch() API and other requests without a destination from reading arbitrary files.
// Requests made via fetch() have an empty destination, so we use that to distinguish between
// subresource loads initiated by the browser (which have a destination) and programmatic fetches
// (which do not). This prevents data exfiltration via fetch() from file:// pages.
if (!request->destination().has_value())
return error;
return nonstandard_resource_loader_file_or_http_network_fetch(realm, fetch_params);
}
// -> HTTP(S) scheme
else if (Infrastructure::is_http_or_https_scheme(request->current_url().scheme())) {
// Return the result of running HTTP fetch given fetchParams.
return http_fetch(realm, fetch_params);
}
// 4. Return a network error.
auto message = request->current_url().scheme() == "about"sv
? "Request has invalid 'about:' URL, only 'about:blank' can be fetched"_string
: "Request URL has invalid scheme, must be one of 'about', 'blob', 'data', 'file', 'http', or 'https'"_string;
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, move(message)));
}
// https://fetch.spec.whatwg.org/#concept-http-fetch
GC::Ref<PendingResponse> http_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, MakeCORSPreflight make_cors_preflight)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' with: fetch_params @ {}, make_cors_preflight = {}",
&fetch_params, make_cors_preflight == MakeCORSPreflight::Yes ? "Yes"sv : "No"sv);
auto& vm = realm.vm();
// 1. Let request be fetchParamss request.
auto request = fetch_params.request();
// 2. Let response and internalResponse be null.
GC::Ptr<Infrastructure::Response> response;
GC::Ptr<Infrastructure::Response> internal_response;
// 3. If requests service-workers mode is "all", then:
if (request->service_workers_mode() == Infrastructure::Request::ServiceWorkersMode::All) {
// 1. Let requestForServiceWorker be a clone of request.
auto request_for_service_worker = request->clone(realm);
// 2. If requestForServiceWorkers body is non-null, then:
if (!request_for_service_worker->body().has<Empty>()) {
// FIXME: 1. Let transformStream be a new TransformStream.
// FIXME: 2. Let transformAlgorithm given chunk be these steps:
// FIXME: 3. Set up transformStream with transformAlgorithm set to transformAlgorithm.
// FIXME: 4. Set requestForServiceWorkers bodys stream to the result of requestForServiceWorkers bodys stream
// piped through transformStream.
}
// 3. Let serviceWorkerStartTime be the coarsened shared current time given fetchParamss cross-origin isolated
// capability.
auto service_worker_start_time = HighResolutionTime::coarsened_shared_current_time(fetch_params.cross_origin_isolated_capability());
// FIXME: 4. Set response to the result of invoking handle fetch for requestForServiceWorker, with fetchParamss
// controller and fetchParamss cross-origin isolated capability.
// 5. If response is non-null, then:
if (response) {
// 1. Set fetchParamss timing infos final service worker start time to serviceWorkerStartTime.
fetch_params.timing_info()->set_final_service_worker_start_time(service_worker_start_time);
// 2. If requests body is non-null, then cancel requests body with undefined.
if (!request->body().has<Empty>()) {
// FIXME: Implement cancelling streams
}
// 3. Set internalResponse to response, if response is not a filtered response; otherwise to responses
// internal response.
internal_response = !is<Infrastructure::FilteredResponse>(*response)
? GC::Ref { *response }
: static_cast<Infrastructure::FilteredResponse const&>(*response).internal_response();
// 4. If one of the following is true
if (
// - responses type is "error"
response->type() == Infrastructure::Response::Type::Error
// - requests mode is "same-origin" and responses type is "cors"
|| (request->mode() == Infrastructure::Request::Mode::SameOrigin && response->type() == Infrastructure::Response::Type::CORS)
// - requests mode is not "no-cors" and responses type is "opaque"
|| (request->mode() != Infrastructure::Request::Mode::NoCORS && response->type() == Infrastructure::Response::Type::Opaque)
// - requests redirect mode is not "manual" and responses type is "opaqueredirect"
|| (request->redirect_mode() != Infrastructure::Request::RedirectMode::Manual && response->type() == Infrastructure::Response::Type::OpaqueRedirect)
// - requests redirect mode is not "follow" and responses URL list has more than one item.
|| (request->redirect_mode() != Infrastructure::Request::RedirectMode::Follow && response->url_list().size() > 1)) {
// then return a network error.
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Invalid request/response state combination"_string));
}
}
}
GC::Ptr<PendingResponse> pending_actual_response;
auto returned_pending_response = PendingResponse::create(vm, request);
// 4. If response is null, then:
if (!response) {
// 1. If makeCORSPreflight is true and one of these conditions is true:
// NOTE: This step checks the CORS-preflight cache and if there is no suitable entry it performs a
// CORS-preflight fetch which, if successful, populates the cache. The purpose of the CORS-preflight
// fetch is to ensure the fetched resource is familiar with the CORS protocol. The cache is there to
// minimize the number of CORS-preflight fetches.
GC::Ptr<PendingResponse> pending_preflight_response;
if (make_cors_preflight == MakeCORSPreflight::Yes && (
// - There is no method cache entry match for requests method using request, and either requests
// method is not a CORS-safelisted method or requests use-CORS-preflight flag is set.
// FIXME: We currently have no cache, so there will always be no method cache entry.
(!HTTP::is_cors_safelisted_method(request->method()) || request->use_cors_preflight())
// - There is at least one item in the CORS-unsafe request-header names with requests header list for
// which there is no header-name cache entry match using request.
// FIXME: We currently have no cache, so there will always be no header-name cache entry.
|| !Infrastructure::get_cors_unsafe_header_names(request->header_list()).is_empty())) {
// 1. Let preflightResponse be the result of running CORS-preflight fetch given request.
pending_preflight_response = cors_preflight_fetch(realm, request);
// NOTE: Step 2 is performed in pending_preflight_response's load callback below.
}
auto fetch_main_content = GC::create_function(realm.heap(), [request, realm = GC::Ref { realm }, fetch_params = GC::Ref { fetch_params }]() -> GC::Ref<PendingResponse> {
// 2. If requests redirect mode is "follow", then set requests service-workers mode to "none".
// NOTE: Redirects coming from the network (as opposed to from a service worker) are not to be exposed to a
// service worker.
if (request->redirect_mode() == Infrastructure::Request::RedirectMode::Follow)
request->set_service_workers_mode(Infrastructure::Request::ServiceWorkersMode::None);
// 3. Set response and internalResponse to the result of running HTTP-network-or-cache fetch given fetchParams.
return http_network_or_cache_fetch(*realm, *fetch_params);
});
if (pending_preflight_response) {
pending_actual_response = PendingResponse::create(vm, request);
pending_preflight_response->when_loaded([returned_pending_response, pending_actual_response, fetch_main_content](GC::Ref<Infrastructure::Response> preflight_response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_preflight_response load callback");
// 2. If preflightResponse is a network error, then return preflightResponse.
if (preflight_response->is_network_error()) {
returned_pending_response->resolve(preflight_response);
return;
}
auto pending_main_content_response = fetch_main_content->function()();
pending_main_content_response->when_loaded([pending_actual_response](GC::Ref<Infrastructure::Response> main_content_response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_main_content_response load callback");
pending_actual_response->resolve(main_content_response);
});
});
} else {
pending_actual_response = fetch_main_content->function()();
}
} else {
pending_actual_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm));
}
pending_actual_response->when_loaded([&realm, &vm, &fetch_params, request, response, internal_response, returned_pending_response, response_was_null = !response](GC::Ref<Infrastructure::Response> resolved_actual_response) mutable {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' pending_actual_response load callback");
if (response_was_null) {
response = internal_response = resolved_actual_response;
// 4. If requests response tainting is "cors" and a CORS check for request and response returns failure,
// then return a network error.
// NOTE: As the CORS check is not to be applied to responses whose status is 304 or 407, or responses from
// a service worker for that matter, it is applied here.
if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS
&& !cors_check(request, *response)) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "Request with 'cors' response tainting failed CORS check"_string));
return;
}
// 5. If the TAO check for request and response returns failure, then set requests timing allow failed flag.
if (!tao_check(request, *response))
request->set_timing_allow_failed(true);
}
// 5. If either requests response tainting or responses type is "opaque", and the cross-origin resource
// policy check with requests origin, requests client, requests destination, and internalResponse returns
// blocked, then return a network error.
// NOTE: The cross-origin resource policy check runs for responses coming from the network and responses coming
// from the service worker. This is different from the CORS check, as requests client and the service
// worker can have different embedder policies.
if ((request->response_tainting() == Infrastructure::Request::ResponseTainting::Opaque || response->type() == Infrastructure::Response::Type::Opaque)
&& false // FIXME: "and the cross-origin resource policy check with requests origin, requests client, requests destination, and actualResponse returns blocked"
) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "Response was blocked by cross-origin resource policy check"_string));
return;
}
GC::Ptr<PendingResponse> inner_pending_response;
// 6. If internalResponses status is a redirect status:
if (Infrastructure::is_redirect_status(internal_response->status())) {
// FIXME: 1. If internalResponses status is not 303, requests body is non-null, and the connection uses HTTP/2,
// then user agents may, and are even encouraged to, transmit an RST_STREAM frame.
// NOTE: 303 is excluded as certain communities ascribe special status to it.
// 2. Switch on requests redirect mode:
switch (request->redirect_mode()) {
// -> "error"
case Infrastructure::Request::RedirectMode::Error:
// 1. Set response to a network error.
response = Infrastructure::Response::network_error(vm, "Request with 'error' redirect mode received redirect response"_string);
break;
// -> "manual"
case Infrastructure::Request::RedirectMode::Manual:
// 1. If requests mode is "navigate", then set fetchParamss controllers next manual redirect steps
// to run HTTP-redirect fetch given fetchParams and response.
if (request->mode() == Infrastructure::Request::Mode::Navigate) {
fetch_params.controller()->set_next_manual_redirect_steps([&realm, &fetch_params, response] {
(void)http_redirect_fetch(realm, fetch_params, *response);
});
}
// 2. Otherwise, set response to an opaque-redirect filtered response whose internal response is
// internalResponse.
else {
response = Infrastructure::OpaqueRedirectFilteredResponse::create(vm, *internal_response);
}
break;
// -> "follow"
case Infrastructure::Request::RedirectMode::Follow:
// 1. Set response to the result of running HTTP-redirect fetch given fetchParams and response.
inner_pending_response = http_redirect_fetch(realm, fetch_params, *response);
break;
default:
VERIFY_NOT_REACHED();
}
}
if (inner_pending_response) {
inner_pending_response->when_loaded([returned_pending_response](GC::Ref<Infrastructure::Response> response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP fetch' inner_pending_response load callback");
returned_pending_response->resolve(response);
});
} else {
returned_pending_response->resolve(*response);
}
});
// 7. Return response.
// NOTE: Typically internalResponses bodys stream is still being enqueued to after returning.
return returned_pending_response;
}
// https://fetch.spec.whatwg.org/#concept-http-redirect-fetch
GC::Ptr<PendingResponse> http_redirect_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, Infrastructure::Response& response)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-redirect fetch' with: fetch_params @ {}, response = {}", &fetch_params, &response);
auto& vm = realm.vm();
// 1. Let request be fetchParamss request.
auto request = fetch_params.request();
// 2. Let internalResponse be response, if response is not a filtered response; otherwise responses internal
// response.
auto internal_response = !is<Infrastructure::FilteredResponse>(response)
? GC::Ref { response }
: static_cast<Infrastructure::FilteredResponse const&>(response).internal_response();
// 3. Let locationURL be internalResponses location URL given requests current URLs fragment.
auto location_url_or_error = internal_response->location_url(request->current_url().fragment());
// 4. If locationURL is null, then return response.
if (!location_url_or_error.is_error() && !location_url_or_error.value().has_value())
return PendingResponse::create(vm, request, response);
// 5. If locationURL is failure, then return a network error.
if (location_url_or_error.is_error())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request redirect URL is invalid"_string));
auto location_url = location_url_or_error.release_value().release_value();
// 6. If locationURLs scheme is not an HTTP(S) scheme, then return a network error.
if (!Infrastructure::is_http_or_https_scheme(location_url.scheme()))
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request redirect URL must have HTTP or HTTPS scheme"_string));
// 7. If requests redirect count is 20, then return a network error.
if (request->redirect_count() == 20)
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has reached maximum redirect count of 20"_string));
// 8. Increase requests redirect count by 1.
request->set_redirect_count(request->redirect_count() + 1);
// 9. If requests mode is "cors", locationURL includes credentials, and requests origin is not same origin with
// locationURLs origin, then return a network error.
if (request->mode() == Infrastructure::Request::Mode::CORS
&& location_url.includes_credentials()
&& request->origin().has<URL::Origin>()
&& !request->origin().get<URL::Origin>().is_same_origin(location_url.origin())) {
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' mode and different URL and request origin must not include credentials in redirect URL"_string));
}
// 10. If requests response tainting is "cors" and locationURL includes credentials, then return a network error.
// NOTE: This catches a cross-origin resource redirecting to a same-origin URL.
if (request->response_tainting() == Infrastructure::Request::ResponseTainting::CORS && location_url.includes_credentials())
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request with 'cors' response tainting must not include credentials in redirect URL"_string));
// 11. If internalResponses status is not 303, requests body is non-null, and requests bodys source is null, then
// return a network error.
if (internal_response->status() != 303
&& !request->body().has<Empty>()
&& request->body().get<GC::Ref<Infrastructure::Body>>()->source().has<Empty>()) {
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Request has body but no body source"_string));
}
// 12. If one of the following is true
if (
// - internalResponses status is 301 or 302 and requests method is `POST`
((internal_response->status() == 301 || internal_response->status() == 302) && request->method() == "POST"sv)
// - internalResponses status is 303 and requests method is not `GET` or `HEAD`
|| (internal_response->status() == 303 && !(request->method() == "GET"sv || request->method() == "HEAD"sv))
// then:
) {
// 1. Set requests method to `GET` and requests body to null.
request->set_method("GET"sv);
request->set_body({});
static constexpr Array request_body_header_names {
"Content-Encoding"sv,
"Content-Language"sv,
"Content-Location"sv,
"Content-Type"sv
};
// 2. For each headerName of request-body-header name, delete headerName from requests header list.
for (auto header_name : request_body_header_names.span())
request->header_list()->delete_(header_name);
}
// 13. If requests current URLs origin is not same origin with locationURLs origin, then for each headerName of
// CORS non-wildcard request-header name, delete headerName from requests header list.
// NOTE: I.e., the moment another origin is seen after the initial request, the `Authorization` header is removed.
if (!request->current_url().origin().is_same_origin(location_url.origin())) {
static constexpr Array cors_non_wildcard_request_header_names {
"Authorization"sv
};
for (auto header_name : cors_non_wildcard_request_header_names)
request->header_list()->delete_(header_name);
}
// 14. If requests body is non-null, then set requests body to the body of the result of safely extracting
// requests bodys source.
// NOTE: requests bodys sources nullity has already been checked.
if (!request->body().has<Empty>()) {
auto const& source = request->body().get<GC::Ref<Infrastructure::Body>>()->source();
// NOTE: BodyInitOrReadableBytes is a superset of Body::SourceType
auto converted_source = source.has<ByteBuffer>()
? BodyInitOrReadableBytes { source.get<ByteBuffer>() }
: BodyInitOrReadableBytes { source.get<GC::Ref<FileAPI::Blob>>() };
auto [body, _] = safely_extract_body(realm, converted_source);
request->set_body(body);
}
// 15. Let timingInfo be fetchParamss timing info.
auto timing_info = fetch_params.timing_info();
// 16. Set timingInfos redirect end time and post-redirect start time to the coarsened shared current time given
// fetchParamss cross-origin isolated capability.
auto now = HighResolutionTime::coarsened_shared_current_time(fetch_params.cross_origin_isolated_capability());
timing_info->set_redirect_end_time(now);
timing_info->set_post_redirect_start_time(now);
// 17. If timingInfos redirect start time is 0, then set timingInfos redirect start time to timingInfos start
// time.
if (timing_info->redirect_start_time() == 0)
timing_info->set_redirect_start_time(timing_info->start_time());
// 18. Append locationURL to requests URL list.
request->url_list().append(location_url);
// 19. Invoke set requests referrer policy on redirect on request and internalResponse.
ReferrerPolicy::set_request_referrer_policy_on_redirect(request, internal_response);
// 20. Let recursive be true.
auto recursive = Recursive::Yes;
// 21. If requests redirect mode is "manual", then:
if (request->redirect_mode() == Infrastructure::Request::RedirectMode::Manual) {
// 1. Assert: requests mode is "navigate".
VERIFY(request->mode() == Infrastructure::Request::Mode::Navigate);
// 2. Set recursive to false.
recursive = Recursive::No;
}
// 22. Return the result of running main fetch given fetchParams and recursive.
return main_fetch(realm, fetch_params, recursive);
}
// https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch
GC::Ref<PendingResponse> http_network_or_cache_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, IsAuthenticationFetch is_authentication_fetch, IsNewConnectionFetch is_new_connection_fetch)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-network-or-cache fetch' with: fetch_params @ {}, is_authentication_fetch = {}, is_new_connection_fetch = {}",
&fetch_params, is_authentication_fetch == IsAuthenticationFetch::Yes ? "Yes"sv : "No"sv, is_new_connection_fetch == IsNewConnectionFetch::Yes ? "Yes"sv : "No"sv);
auto& vm = realm.vm();
// 1. Let request be fetchParamss request.
auto request = fetch_params.request();
// 2. Let httpFetchParams be null.
GC::Ptr<Infrastructure::FetchParams const> http_fetch_params;
// 3. Let httpRequest be null.
GC::Ptr<Infrastructure::Request> http_request;
// 4. Let response be null.
GC::Ptr<Infrastructure::Response> response;
// 5. Let storedResponse be null.
GC::Ptr<Infrastructure::Response> stored_response;
// 6. Let httpCache be null.
RefPtr<HTTP::MemoryCache> http_cache;
// 7. Let the revalidatingFlag be unset.
auto include_credentials = HTTP::Cookie::IncludeCredentials::No;
// 8. Run these steps, but abort when fetchParams is canceled:
// NOTE: There's an 'if aborted' check after this anyway, so not doing this is fine and only incurs a small delay.
// For now, support for aborting fetch requests is limited anyway as ResourceLoader doesn't support it.
auto aborted = false;
{
ScopeGuard set_aborted = [&] {
if (fetch_params.is_canceled())
aborted = true;
};
// 1. If requests traversable for user prompts is "no-traversable" and requests redirect mode is "error",
// then set httpFetchParams to fetchParams and httpRequest to request.
if (request->traversable_for_user_prompts().has<Infrastructure::Request::TraversableForUserPrompts>()
&& request->traversable_for_user_prompts().get<Infrastructure::Request::TraversableForUserPrompts>() == Infrastructure::Request::TraversableForUserPrompts::NoTraversable
&& request->redirect_mode() == Infrastructure::Request::RedirectMode::Error) {
http_fetch_params = fetch_params;
http_request = request;
}
// 2. Otherwise:
else {
// 1. Set httpRequest to a clone of request.
// NOTE: Implementations are encouraged to avoid teeing requests bodys stream when requests bodys
// source is null as only a single body is needed in that case. E.g., when requests bodys source
// is null, redirects and authentication will end up failing the fetch.
http_request = request->clone(realm);
// 2. Set httpFetchParams to a copy of fetchParams.
auto new_http_fetch_params = Infrastructure::FetchParams::copy(fetch_params);
// 3. Set httpFetchParamss request to httpRequest.
new_http_fetch_params->set_request(*http_request);
http_fetch_params = new_http_fetch_params;
}
// 3. Let includeCredentials be true if one of
if (
// - requests credentials mode is "include"
request->credentials_mode() == Infrastructure::Request::CredentialsMode::Include
// - requests credentials mode is "same-origin" and requests response tainting is "basic"
|| (request->credentials_mode() == Infrastructure::Request::CredentialsMode::SameOrigin
&& request->response_tainting() == Infrastructure::Request::ResponseTainting::Basic)
// is true; otherwise false.
) {
include_credentials = HTTP::Cookie::IncludeCredentials::Yes;
} else {
include_credentials = HTTP::Cookie::IncludeCredentials::No;
}
// 4. If Cross-Origin-Embedder-Policy allows credentials with request returns false, then set
// includeCredentials to false.
if (!request->cross_origin_embedder_policy_allows_credentials())
include_credentials = HTTP::Cookie::IncludeCredentials::No;
// 5. Let contentLength be httpRequests bodys length, if httpRequests body is non-null; otherwise null.
auto content_length = http_request->body().has<GC::Ref<Infrastructure::Body>>()
? http_request->body().get<GC::Ref<Infrastructure::Body>>()->length()
: Optional<u64> {};
// 6. Let contentLengthHeaderValue be null.
Optional<ByteString> content_length_header_value;
// 7. If httpRequests body is null and httpRequests method is `POST` or `PUT`, then set
// contentLengthHeaderValue to `0`.
if (http_request->body().has<Empty>() && http_request->method().is_one_of("POST"sv, "PUT"sv))
content_length_header_value = "0"sv;
// 8. If contentLength is non-null, then set contentLengthHeaderValue to contentLength, serialized and
// isomorphic encoded.
if (content_length.has_value())
content_length_header_value = ByteString::number(*content_length);
// 9. If contentLengthHeaderValue is non-null, then append (`Content-Length`, contentLengthHeaderValue) to
// httpRequests header list.
if (content_length_header_value.has_value())
http_request->header_list()->append({ "Content-Length"sv, content_length_header_value.release_value() });
// 10. If contentLength is non-null and httpRequests keepalive is true, then:
if (content_length.has_value() && http_request->keepalive()) {
// 1. Let inflightKeepaliveBytes be 0.
u64 inflight_keep_alive_bytes = 0;
// 2. Let group be httpRequests clients fetch group.
auto& group = http_request->client()->fetch_group();
// 3. Let inflightRecords be the set of fetch records in group whose requests keepalive is true and done flag is unset.
GC::RootVector<GC::Ref<Infrastructure::FetchRecord>> in_flight_records(vm.heap());
for (auto& fetch_record : group) {
if (fetch_record.request()->keepalive() && !fetch_record.request()->done())
in_flight_records.append(fetch_record);
}
// 4. For each fetchRecord of inflightRecords:
for (auto const& fetch_record : in_flight_records) {
// 1. Let inflightRequest be fetchRecords request.
auto const& in_flight_request = fetch_record->request();
// 2. Increment inflightKeepaliveBytes by inflightRequests bodys length.
inflight_keep_alive_bytes += in_flight_request->body().visit(
[](Empty) -> u64 { return 0; },
[](ByteBuffer const& buffer) -> u64 { return buffer.size(); },
[](GC::Ref<Infrastructure::Body> body) -> u64 {
return body->length().has_value() ? body->length().value() : 0;
});
}
// 5. If the sum of contentLength and inflightKeepaliveBytes is greater than 64 kibibytes, then return a network error.
if ((content_length.value() + inflight_keep_alive_bytes) > keepalive_maximum_size)
return PendingResponse::create(vm, request, Infrastructure::Response::network_error(vm, "Keepalive request exceeded maximum allowed size of 64 KiB"_string));
// NOTE: The above limit ensures that requests that are allowed to outlive the environment settings object
// and contain a body, have a bounded size and are not allowed to stay alive indefinitely.
}
// 11. If httpRequests referrer is a URL, then:
if (auto const* referrer_url = http_request->referrer().get_pointer<URL::URL>()) {
// 1. Let referrerValue be httpRequests referrer, serialized and isomorphic encoded.
auto referrer_value = TextCodec::isomorphic_encode(referrer_url->serialize());
// 2. Append (`Referer`, referrerValue) to httpRequests header list.
http_request->header_list()->append({ "Referer"sv, move(referrer_value) });
}
// 12. Append a request `Origin` header for httpRequest.
http_request->add_origin_header();
// 13. Append the Fetch metadata headers for httpRequest.
append_fetch_metadata_headers_for_request(*http_request);
// 14. FIXME: If httpRequests initiator is "prefetch", then set a structured field value
// given (`Sec-Purpose`, the token prefetch) in httpRequests header list.
// 15. If httpRequests header list does not contain `User-Agent`, then user agents should append
// (`User-Agent`, default `User-Agent` value) to httpRequests header list.
if (!http_request->header_list()->contains("User-Agent"sv))
http_request->header_list()->append({ "User-Agent"sv, Infrastructure::default_user_agent_value() });
// 16. If httpRequests cache mode is "default" and httpRequests header list contains `If-Modified-Since`,
// `If-None-Match`, `If-Unmodified-Since`, `If-Match`, or `If-Range`, then set httpRequests cache mode to
// "no-store".
if (http_request->cache_mode() == HTTP::CacheMode::Default
&& (http_request->header_list()->contains("If-Modified-Since"sv)
|| http_request->header_list()->contains("If-None-Match"sv)
|| http_request->header_list()->contains("If-Unmodified-Since"sv)
|| http_request->header_list()->contains("If-Match"sv)
|| http_request->header_list()->contains("If-Range"sv))) {
http_request->set_cache_mode(HTTP::CacheMode::NoStore);
}
// 17. If httpRequests cache mode is "no-cache", httpRequests prevent no-cache cache-control header
// modification flag is unset, and httpRequests header list does not contain `Cache-Control`, then append
// (`Cache-Control`, `max-age=0`) to httpRequests header list.
if (http_request->cache_mode() == HTTP::CacheMode::NoCache
&& !http_request->prevent_no_cache_cache_control_header_modification()
&& !http_request->header_list()->contains("Cache-Control"sv)) {
http_request->header_list()->append({ "Cache-Control"sv, "max-age=0"sv });
}
// 18. If httpRequests cache mode is "no-store" or "reload", then:
if (http_request->cache_mode() == HTTP::CacheMode::NoStore
|| http_request->cache_mode() == HTTP::CacheMode::Reload) {
// 1. If httpRequests header list does not contain `Pragma`, then append (`Pragma`, `no-cache`) to
// httpRequests header list.
if (!http_request->header_list()->contains("Pragma"sv))
http_request->header_list()->append({ "Pragma"sv, "no-cache"sv });
// 2. If httpRequests header list does not contain `Cache-Control`, then append
// (`Cache-Control`, `no-cache`) to httpRequests header list.
if (!http_request->header_list()->contains("Cache-Control"sv))
http_request->header_list()->append({ "Cache-Control"sv, "no-cache"sv });
}
// 19. If httpRequests header list contains `Range`, then append (`Accept-Encoding`, `identity`) to
// httpRequests header list.
// NOTE: This avoids a failure when handling content codings with a part of an encoded response.
// Additionally, many servers mistakenly ignore `Range` headers if a non-identity encoding is accepted.
if (http_request->header_list()->contains("Range"sv))
http_request->header_list()->append({ "Accept-Encoding"sv, "identity"sv });
// 20. Modify httpRequests header list per HTTP. Do not append a given header if httpRequests header list
// contains that headers name.
// NOTE: It would be great if we could make this more normative somehow. At this point headers such as
// `Accept-Encoding`, `Connection`, `DNT`, and `Host`, are to be appended if necessary.
// `Accept`, `Accept-Charset`, and `Accept-Language` must not be included at this point.
// NOTE: `Accept` and `Accept-Language` are already included (unless fetch() is used, which does not include
// the latter by default), and `Accept-Charset` is a waste of bytes. See HTTP header layer division for
// more details.
//
// https://w3c.github.io/gpc/#the-sec-gpc-header-field-for-http-requests
if (ResourceLoader::the().enable_global_privacy_control() && !http_request->header_list()->contains("Sec-GPC"sv))
http_request->header_list()->append({ "Sec-GPC"sv, "1"sv });
// 21. If includeCredentials is true, then:
if (include_credentials == HTTP::Cookie::IncludeCredentials::Yes) {
// 1. If the user agent is not configured to block cookies for httpRequest (see section 7 of [COOKIES]),
// then:
// 1. Let cookies be the result of running the "cookie-string" algorithm (see section 5.4 of [COOKIES])
// with the user agents cookie store and httpRequests current URL.
// 2. If cookies is not the empty string, then append (`Cookie`, cookies) to httpRequests header list.
// NB: HTTP cookies are attached by RequestServer.
// 2. If httpRequests header list does not contain `Authorization`, then:
if (!http_request->header_list()->contains("Authorization"sv)) {
// 1. Let authorizationValue be null.
auto authorization_value = Optional<String> {};
// 2. If theres an authentication entry for httpRequest and either httpRequests use-URL-credentials
// flag is unset or httpRequests current URL does not include credentials, then set
// authorizationValue to authentication entry.
if (false // FIXME: "If theres an authentication entry for httpRequest"
&& (!http_request->use_url_credentials() || !http_request->current_url().includes_credentials())) {
// FIXME: "set authorizationValue to authentication entry."
}
// 3. Otherwise, if httpRequests current URL does include credentials and isAuthenticationFetch is
// true, set authorizationValue to httpRequests current URL, converted to an `Authorization` value.
else if (http_request->current_url().includes_credentials() && is_authentication_fetch == IsAuthenticationFetch::Yes) {
auto const& url = http_request->current_url();
auto payload = MUST(String::formatted("{}:{}", URL::percent_decode(url.username()), URL::percent_decode(url.password())));
authorization_value = MUST(encode_base64(payload.bytes()));
}
// 4. If authorizationValue is non-null, then append (`Authorization`, authorizationValue) to
// httpRequests header list.
if (authorization_value.has_value()) {
auto header = HTTP::Header::isomorphic_encode("Authorization"sv, *authorization_value);
http_request->header_list()->append(move(header));
}
}
}
// FIXME: 22. If theres a proxy-authentication entry, use it as appropriate.
// NOTE: This intentionally does not depend on httpRequests credentials mode.
// 23. Set httpCache to the result of determining the HTTP cache partition, given httpRequest.
http_cache = determine_the_http_cache_partition(*http_request);
// 24. If httpCache is null, then set httpRequests cache mode to "no-store".
if (!http_cache)
http_request->set_cache_mode(HTTP::CacheMode::NoStore);
// 25. If httpRequests cache mode is neither "no-store" nor "reload", then:
if (http_request->cache_mode() != HTTP::CacheMode::NoStore
&& http_request->cache_mode() != HTTP::CacheMode::Reload) {
// 1. Set storedResponse to the result of selecting a response from the httpCache, possibly needing
// validation, as per the "Constructing Responses from Caches" chapter of HTTP Caching [HTTP-CACHING],
// if any.
// NOTE: As mandated by HTTP, this still takes the `Vary` header into account.
stored_response = select_response_from_cache(realm, *http_cache, *http_request);
// 2. If storedResponse is non-null, then:
if (stored_response) {
// 1. If cache mode is "default", storedResponse is a stale-while-revalidate response, and httpRequests
// client is non-null, then:
// 2. Otherwise:
// 1. If storedResponse is a stale response, then set the revalidatingFlag.
// 2. If the revalidatingFlag is set and httpRequests cache mode is neither "force-cache" nor
// "only-if-cached", then:
// 1. If storedResponses header list contains `ETag`, then append (`If-None-Match`, `ETag`'s value)
// to httpRequests header list.
// 2. If storedResponses header list contains `Last-Modified`, then append (`If-Modified-Since`,
// `Last-Modified`'s value) to httpRequests header list.
// 3. Otherwise, set response to storedResponse and set responses cache state to "local".
// NB: We only cache fresh responses in WebContent. Revalidation is handled by RequestServer.
response = stored_response;
response->set_cache_state(Infrastructure::Response::CacheState::Local);
}
}
}
// 9. If aborted, then return the appropriate network error for fetchParams.
if (aborted)
return PendingResponse::create(vm, request, Infrastructure::Response::appropriate_network_error(vm, fetch_params));
GC::Ptr<PendingResponse> pending_forward_response;
// 10. If response is null, then:
if (!response) {
// 1. If httpRequests cache mode is "only-if-cached", then return a network error.
// NB: We skip this step in order to allow the disk cache in RequestServer to handle this request. If a disk
// cache entry does not exist, it will return a network error itself.
// 2. Let forwardResponse be the result of running HTTP-network fetch given httpFetchParams, includeCredentials,
// and isNewConnectionFetch.
pending_forward_response = nonstandard_resource_loader_file_or_http_network_fetch(realm, *http_fetch_params, include_credentials, is_new_connection_fetch, http_cache);
} else {
pending_forward_response = PendingResponse::create(vm, request, Infrastructure::Response::create(vm));
}
// AD-HOC: If the controller is already in the non-spec Stopped state, we should cancel the network request immediately.
if (http_fetch_params->controller()->state() == Infrastructure::FetchController::State::Stopped)
http_fetch_params->controller()->stop_fetch();
auto returned_pending_response = PendingResponse::create(vm, request);
pending_forward_response->when_loaded([&realm, &vm, &fetch_params, request, response, stored_response, http_request, returned_pending_response, is_authentication_fetch, is_new_connection_fetch, include_credentials, response_was_null = !response, http_cache](GC::Ref<Infrastructure::Response> resolved_forward_response) mutable {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP-network-or-cache fetch' pending_forward_response load callback");
if (response_was_null) {
auto forward_response = resolved_forward_response;
// NOTE: TRACE is omitted as it is a forbidden method in Fetch.
auto method_is_unsafe = !http_request->method().is_one_of("GET"sv, "HEAD"sv, "OPTIONS"sv);
// 3. If httpRequests method is unsafe and forwardResponses status is in the range 200 to 399, inclusive,
// invalidate appropriate stored responses in httpCache, as per the "Invalidation" chapter of HTTP
// Caching, and set storedResponse to null.
if (method_is_unsafe && forward_response->status() >= 200 && forward_response->status() <= 399) {
// FIXME: "invalidate appropriate stored responses in httpCache, as per the "Invalidation" chapter of HTTP Caching"
stored_response = nullptr;
}
// 4. If the revalidatingFlag is set and forwardResponses status is 304, then:
// 1. Update storedResponses header list using forwardResponses header list, as per the "Freshening
// Stored Responses upon Validation" chapter of HTTP Caching.
// 2. Set response to storedResponse.
// 3. Set responses cache state to "validated".
// NB: We only cache fresh responses in WebContent. Revalidation is handled by RequestServer.
// 5. If response is null, then:
if (!response) {
// 1. Set response to forwardResponse.
response = forward_response;
// 2. Store httpRequest and forwardResponse in httpCache, as per the "Storing Responses in Caches" chapter of HTTP Caching.
// NOTE: If forwardResponse is a network error, this effectively caches the network error, which is
// sometimes known as "negative caching".
// NOTE: The associated body info is stored in the cache alongside the response.
if (http_cache)
store_response_in_cache(*http_cache, *http_request, *forward_response);
}
}
// 11. Set responses URL list to a clone of httpRequests URL list.
response->set_url_list(http_request->url_list());
// 12. If httpRequests header list contains `Range`, then set responses range-requested flag.
if (http_request->header_list()->contains("Range"sv))
response->set_range_requested(true);
// 13. Set responses request-includes-credentials to includeCredentials.
response->set_request_includes_credentials(include_credentials == HTTP::Cookie::IncludeCredentials::Yes);
auto inner_pending_response = PendingResponse::create(vm, request, *response);
// 14. If responses status is 401, httpRequests response tainting is not "cors", includeCredentials is true,
// and requests traversable for user prompts is a traversable navigable:
// AD-HOC: Only enter the 401 handling path if the server is requesting an authentication
// scheme we can handle with a username/password prompt (Basic or Digest).
// Other schemes like PrivateToken (RFC 9577) are not user-prompt-based and should
// not trigger credential prompting or request retries.
auto www_authenticate_has_credential_based_scheme = [&] {
auto www_authenticate = response->header_list()->get("WWW-Authenticate"sv);
if (!www_authenticate.has_value())
return false;
// The value is a comma-separated list of challenges. Each challenge starts with a scheme name.
// We check if any of the schemes are ones we can handle with a username/password prompt.
auto value = *www_authenticate;
for (auto challenge : value.view().split_view(',')) {
auto trimmed = challenge.trim_whitespace();
auto space_index = trimmed.find(' ');
auto scheme = space_index.has_value() ? trimmed.substring_view(0, *space_index) : trimmed;
if (scheme.equals_ignoring_ascii_case("Basic"sv) || scheme.equals_ignoring_ascii_case("Digest"sv))
return true;
}
return false;
};
if (response->status() == 401
&& http_request->response_tainting() != Infrastructure::Request::ResponseTainting::CORS
&& include_credentials == HTTP::Cookie::IncludeCredentials::Yes
&& request->traversable_for_user_prompts().has<GC::Ptr<HTML::TraversableNavigable>>()
&& www_authenticate_has_credential_based_scheme()) {
// 1. Needs testing: multiple `WWW-Authenticate` headers, missing, parsing issues.
// (Red box in the spec, no-op)
// 2. If requests body is non-null, then:
if (!request->body().has<Empty>()) {
// 1. If requests bodys source is null, then return a network error.
if (request->body().get<GC::Ref<Infrastructure::Body>>()->source().has<Empty>()) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "Request has body but no body source"_string));
return;
}
// 2. Set requests body to the body of the result of safely extracting requests bodys source.
auto const& source = request->body().get<GC::Ref<Infrastructure::Body>>()->source();
// NOTE: BodyInitOrReadableBytes is a superset of Body::SourceType
auto converted_source = source.has<ByteBuffer>()
? BodyInitOrReadableBytes { source.get<ByteBuffer>() }
: BodyInitOrReadableBytes { source.get<GC::Ref<FileAPI::Blob>>() };
auto [body, _] = safely_extract_body(realm, converted_source);
request->set_body(body);
}
// 3. If requests use-URL-credentials flag is unset or isAuthenticationFetch is true, then:
if (!request->use_url_credentials() || is_authentication_fetch == IsAuthenticationFetch::Yes) {
// 1. If fetchParams is canceled, then return the appropriate network error for fetchParams.
if (fetch_params.is_canceled()) {
returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params));
return;
}
// FIXME: 2. Let username and password be the result of prompting the end user for a username and password,
// respectively, in requests window.
dbgln("Fetch: Username/password prompt is not implemented, using empty strings. This request will probably fail.");
auto username = ByteString::empty();
auto password = ByteString::empty();
// 3. Set the username given requests current URL and username.
request->current_url().set_username(username);
// 4. Set the password given requests current URL and password.
request->current_url().set_password(password);
}
// 4. Set response to the result of running HTTP-network-or-cache fetch given fetchParams and true.
inner_pending_response = http_network_or_cache_fetch(realm, fetch_params, IsAuthenticationFetch::Yes);
}
inner_pending_response->when_loaded([&realm, &vm, &fetch_params, request, returned_pending_response, is_authentication_fetch, is_new_connection_fetch](GC::Ref<Infrastructure::Response> response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'HTTP network-or-cache fetch' inner_pending_response load callback");
// 15. If responses status is 407, then:
if (response->status() == 407) {
// 1. If requests traversable for user prompts is "no-traversable", then return a network error.
if (request->traversable_for_user_prompts().has<Infrastructure::Request::TraversableForUserPrompts>()
&& request->traversable_for_user_prompts().get<Infrastructure::Request::TraversableForUserPrompts>() == Infrastructure::Request::TraversableForUserPrompts::NoTraversable) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "Request requires proxy authentication but has 'no-window' set"_string));
return;
}
// 2. Needs testing: multiple `Proxy-Authenticate` headers, missing, parsing issues.
// (Red box in the spec, no-op)
// 3. If fetchParams is canceled, then return the appropriate network error for fetchParams.
if (fetch_params.is_canceled()) {
returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params));
return;
}
// FIXME: 4. Prompt the end user as appropriate in requests window and store the result as a
// proxy-authentication entry.
// NOTE: Remaining details surrounding proxy authentication are defined by HTTP.
// FIXME: 5. Set response to the result of running HTTP-network-or-cache fetch given fetchParams.
// (Doing this without step 4 would potentially lead to an infinite request cycle.)
}
auto inner_pending_response = PendingResponse::create(vm, request, *response);
// 16. If all of the following are true
if (
// - responses status is 421
response->status() == 421
// - isNewConnectionFetch is false
&& is_new_connection_fetch == IsNewConnectionFetch::No
// - requests body is null, or requests body is non-null and requests bodys source is non-null
&& (request->body().has<Empty>() || !request->body().get<GC::Ref<Infrastructure::Body>>()->source().has<Empty>())
// then:
) {
// 1. If fetchParams is canceled, then return the appropriate network error for fetchParams.
if (fetch_params.is_canceled()) {
returned_pending_response->resolve(Infrastructure::Response::appropriate_network_error(vm, fetch_params));
return;
}
// 2. Set response to the result of running HTTP-network-or-cache fetch given fetchParams,
// isAuthenticationFetch, and true.
inner_pending_response = http_network_or_cache_fetch(realm, fetch_params, is_authentication_fetch, IsNewConnectionFetch::Yes);
}
inner_pending_response->when_loaded([returned_pending_response, is_authentication_fetch](GC::Ref<Infrastructure::Response> response) {
// 17. If isAuthenticationFetch is true, then create an authentication entry for request and the given
// realm.
if (is_authentication_fetch == IsAuthenticationFetch::Yes) {
// FIXME: "create an authentication entry for request and the given realm"
}
returned_pending_response->resolve(response);
});
});
});
// 18. Return response.
// NOTE: Typically responses bodys stream is still being enqueued to after returning.
return returned_pending_response;
}
#if defined(WEB_FETCH_DEBUG)
static void log_load_request(auto const& load_request)
{
dbgln("Fetch: Invoking ResourceLoader");
dbgln("> {} {} HTTP/1.1", load_request.method(), load_request.url());
for (auto const& [name, value] : load_request.headers())
dbgln("> {}: {}", name, value);
dbgln(">");
for (auto line : StringView { load_request.body() }.split_view('\n', SplitBehavior::KeepEmpty))
dbgln("> {}", line);
}
static void log_response(auto const& status_code, auto const& headers, auto const& data)
{
dbgln("< HTTP/1.1 {}", status_code.value_or(0));
for (auto const& [name, value] : headers.headers())
dbgln("< {}: {}", name, value);
dbgln("<");
for (auto line : StringView { data }.split_view('\n', SplitBehavior::KeepEmpty))
dbgln("< {}", line);
}
#endif
// https://fetch.spec.whatwg.org/#concept-http-network-fetch
// Drop-in replacement for 'HTTP-network fetch', but obviously non-standard :^)
// It also handles file:// URLs since those can also go through ResourceLoader.
GC::Ref<PendingResponse> nonstandard_resource_loader_file_or_http_network_fetch(JS::Realm& realm, Infrastructure::FetchParams const& fetch_params, HTTP::Cookie::IncludeCredentials include_credentials, IsNewConnectionFetch is_new_connection_fetch, RefPtr<HTTP::MemoryCache> http_cache)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'non-standard HTTP-network fetch' with: fetch_params @ {}", &fetch_params);
auto fetch_timing_info = fetch_params.timing_info();
auto cross_origin_isolated_capability = fetch_params.cross_origin_isolated_capability();
auto& vm = realm.vm();
(void)include_credentials;
(void)is_new_connection_fetch;
(void)fetch_timing_info;
(void)cross_origin_isolated_capability;
auto request = fetch_params.request();
auto& page = Bindings::principal_host_defined_page(realm);
LoadRequest load_request { request->header_list() };
load_request.set_url(request->current_url());
load_request.set_page(page);
load_request.set_method(request->method());
load_request.set_cache_mode(request->cache_mode());
load_request.set_include_credentials(include_credentials);
load_request.set_initiator_type(request->initiator_type());
if (auto const* body = request->body().get_pointer<GC::Ref<Infrastructure::Body>>()) {
(*body)->source().visit(
[&](ByteBuffer const& byte_buffer) {
load_request.set_body(MUST(ByteBuffer::copy(byte_buffer)));
},
[&](GC::Root<FileAPI::Blob> const& blob_handle) {
load_request.set_body(MUST(ByteBuffer::copy(blob_handle->raw_bytes())));
},
[](Empty) {
});
}
auto pending_response = PendingResponse::create(vm, request);
if constexpr (WEB_FETCH_DEBUG) {
dbgln("Fetch: Invoking ResourceLoader");
log_load_request(load_request);
}
HTML::TemporaryExecutionContext execution_context { realm, HTML::TemporaryExecutionContext::CallbacksEnabled::Yes };
// 10. Let stream be a new ReadableStream.
auto stream = realm.create<Streams::ReadableStream>(realm);
// 9. Let buffer be an empty byte sequence.
auto fetched_data_receiver = realm.create<FetchedDataReceiver>(fetch_params, stream, move(http_cache));
// 11. Let pullAlgorithm be the following steps:
auto pull_algorithm = GC::create_function(realm.heap(), [&realm, fetched_data_receiver]() {
// 1. Let promise be a new promise.
auto promise = WebIDL::create_promise(realm);
// 2. Run the following steps in parallel:
// NOTE: This is handled by FetchedDataReceiver.
fetched_data_receiver->set_pending_promise(promise);
// 3. Return promise.
return promise;
});
// 12. Let cancelAlgorithm be an algorithm that aborts fetchParamss controller with reason, given reason.
auto cancel_algorithm = GC::create_function(realm.heap(), [&realm, &fetch_params](JS::Value reason) {
fetch_params.controller()->abort(realm, reason);
return WebIDL::create_resolved_promise(realm, JS::js_undefined());
});
// 13. Set up stream with byte reading support with pullAlgorithm set to pullAlgorithm, cancelAlgorithm set to cancelAlgorithm.
stream->set_up_with_byte_reading_support(pull_algorithm, cancel_algorithm);
auto on_headers_received = GC::create_function(vm.heap(), [&vm, pending_response, stream, request, fetched_data_receiver](HTTP::HeaderList const& response_headers, Optional<u32> status_code, Optional<String> const& reason_phrase) {
if (pending_response->is_resolved()) {
// RequestServer will send us the response headers twice, the second time being for HTTP trailers. This
// fetch algorithm is not interested in trailers, so just drop them here.
return;
}
auto response = Infrastructure::Response::create(vm);
response->set_status(status_code.value_or(200));
if (reason_phrase.has_value())
response->set_status_message(reason_phrase->to_byte_string());
(void)request;
if constexpr (WEB_FETCH_DEBUG) {
dbgln("Fetch: ResourceLoader load for '{}' {}: (status {})",
request->url(),
Infrastructure::is_ok_status(response->status()) ? "complete"sv : "failed"sv,
response->status());
log_response(status_code, response_headers, ReadonlyBytes {});
}
for (auto const& [name, value] : response_headers.headers())
response->header_list()->append({ name, value });
fetched_data_receiver->set_response(response);
// 14. Set responses body to a new body whose stream is stream.
auto body = Infrastructure::Body::create(vm, stream);
response->set_body(body);
fetched_data_receiver->set_body(body);
// 17. Return response.
// NOTE: Typically responses bodys stream is still being enqueued to after returning.
pending_response->resolve(response);
});
// 16. Run these steps in parallel:
// FIXME: 1. Run these steps, but abort when fetchParams is canceled:
auto on_data_received = GC::create_function(vm.heap(), [fetched_data_receiver](ReadonlyBytes bytes) {
fetched_data_receiver->handle_network_bytes(bytes, FetchedDataReceiver::NetworkState::Ongoing);
});
auto on_complete = GC::create_function(vm.heap(), [&vm, &realm, pending_response, stream, fetched_data_receiver](bool success, Requests::RequestTimingInfo const&, Optional<StringView> error_message) {
// FIXME: Implement on_complete timing info for unbuffered requests
HTML::TemporaryExecutionContext execution_context { realm, HTML::TemporaryExecutionContext::CallbacksEnabled::Yes };
if (success) {
fetched_data_receiver->handle_network_bytes({}, FetchedDataReceiver::NetworkState::Complete);
} else {
// 16.1.2.2. Otherwise, if stream is readable, error stream with a TypeError.
auto error = MUST(String::formatted("Load failed: {}", error_message.value_or("Unknown error"sv)));
if (stream->is_readable())
stream->error(JS::TypeError::create(realm, error));
if (!pending_response->is_resolved())
pending_response->resolve(Infrastructure::Response::network_error(vm, error));
}
});
auto network_request = ResourceLoader::the().load(load_request, on_headers_received, on_data_received, on_complete);
fetch_params.controller()->set_pending_request(network_request);
return pending_response;
}
// https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
GC::Ref<PendingResponse> cors_preflight_fetch(JS::Realm& realm, Infrastructure::Request& request)
{
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'CORS-preflight fetch' with request @ {}", &request);
auto& vm = realm.vm();
// 1. Let preflight be a new request whose method is `OPTIONS`, URL list is a clone of requests URL list, initiator is
// requests initiator, destination is requests destination, origin is requests origin, referrer is requests referrer,
// referrer policy is requests referrer policy, mode is "cors", and response tainting is "cors".
auto preflight = Fetch::Infrastructure::Request::create(vm);
preflight->set_method("OPTIONS"sv);
preflight->set_url_list(request.url_list());
preflight->set_initiator(request.initiator());
preflight->set_destination(request.destination());
preflight->set_origin(request.origin());
preflight->set_referrer(request.referrer());
preflight->set_referrer_policy(request.referrer_policy());
preflight->set_mode(Infrastructure::Request::Mode::CORS);
preflight->set_response_tainting(Infrastructure::Request::ResponseTainting::CORS);
// 2. Append (`Accept`, `*/*`) to preflights header list.
preflight->header_list()->append({ "Accept"sv, "*/*"sv });
// 3. Append (`Access-Control-Request-Method`, requests method) to preflights header list.
auto temp_header = HTTP::Header::isomorphic_encode("Access-Control-Request-Method"sv, request.method());
preflight->header_list()->append(move(temp_header));
// 4. Let headers be the CORS-unsafe request-header names with requests header list.
auto headers = Infrastructure::get_cors_unsafe_header_names(request.header_list());
// 5. If headers is not empty, then:
if (!headers.is_empty()) {
// 1. Let value be the items in headers separated from each other by `,`.
// NOTE: This intentionally does not use combine, as 0x20 following 0x2C is not the way this was implemented,
// for better or worse.
auto value = ByteString::join(',', headers);
// 2. Append (`Access-Control-Request-Headers`, value) to preflights header list.
preflight->header_list()->append({ "Access-Control-Request-Headers"sv, move(value) });
}
// 6. Let response be the result of running HTTP-network-or-cache fetch given a new fetch params whose request is preflight.
// FIXME: The spec doesn't say anything about timing_info here, but FetchParams requires a non-null FetchTimingInfo object.
auto timing_info = Infrastructure::FetchTimingInfo::create(vm);
auto fetch_params = Infrastructure::FetchParams::create(vm, preflight, timing_info);
auto returned_pending_response = PendingResponse::create(vm, request);
auto preflight_response = http_network_or_cache_fetch(realm, fetch_params);
preflight_response->when_loaded([&vm, &request, returned_pending_response](GC::Ref<Infrastructure::Response> response) {
dbgln_if(WEB_FETCH_DEBUG, "Fetch: Running 'CORS-preflight fetch' preflight_response load callback");
// 7. If a CORS check for request and response returns success and responses status is an ok status, then:
// NOTE: The CORS check is done on request rather than preflight to ensure the correct credentials mode is used.
if (cors_check(request, response) && Infrastructure::is_ok_status(response->status())) {
// 1. Let methods be the result of extracting header list values given `Access-Control-Allow-Methods` and responses header list.
auto methods_or_failure = response->header_list()->extract_header_list_values("Access-Control-Allow-Methods"sv);
// 2. Let headerNames be the result of extracting header list values given `Access-Control-Allow-Headers` and
// responses header list.
auto header_names_or_failure = response->header_list()->extract_header_list_values("Access-Control-Allow-Headers"sv);
// 3. If either methods or headerNames is failure, return a network error.
if (methods_or_failure.has<HTTP::HeaderList::ExtractHeaderParseFailure>()) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "The Access-Control-Allow-Methods in the CORS-preflight response is syntactically invalid"_string));
return;
}
if (header_names_or_failure.has<HTTP::HeaderList::ExtractHeaderParseFailure>()) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "The Access-Control-Allow-Headers in the CORS-preflight response is syntactically invalid"_string));
return;
}
// NOTE: We treat "methods_or_failure" being `Empty` as empty Vector here.
auto methods = methods_or_failure.visit(
[](Vector<ByteString>& methods) { return move(methods); },
[](auto) -> Vector<ByteString> { return {}; });
// NOTE: We treat "header_names_or_failure" being `Empty` as empty Vector here.
auto header_names = header_names_or_failure.visit(
[](Vector<ByteString>& header_names) { return move(header_names); },
[](auto) -> Vector<ByteString> { return {}; });
// 4. If methods is null and requests use-CORS-preflight flag is set, then set methods to a new list containing requests method.
// NOTE: This ensures that a CORS-preflight fetch that happened due to requests use-CORS-preflight flag being set is cached.
if (methods.is_empty() && request.use_cors_preflight())
methods = { request.method() };
// 5. If requests method is not in methods, requests method is not a CORS-safelisted method, and requests credentials mode
// is "include" or methods does not contain `*`, then return a network error.
if (!methods.contains_slow(request.method()) && !HTTP::is_cors_safelisted_method(request.method())) {
if (request.credentials_mode() == Infrastructure::Request::CredentialsMode::Include) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Non-CORS-safelisted method '{}' not found in the CORS-preflight response's Access-Control-Allow-Methods header (the header may be missing). '*' is not allowed as the main request includes credentials.", request.method()))));
return;
}
if (!methods.contains_slow("*"sv)) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Non-CORS-safelisted method '{}' not found in the CORS-preflight response's Access-Control-Allow-Methods header and there was no '*' entry. The header may be missing.", request.method()))));
return;
}
}
// 6. If one of requests header lists names is a CORS non-wildcard request-header name and is not a byte-case-insensitive match
// for an item in headerNames, then return a network error.
for (auto const& header : *request.header_list()) {
if (Infrastructure::is_cors_non_wildcard_request_header_name(header.name)) {
bool is_in_header_names = false;
for (auto const& allowed_header_name : header_names) {
if (allowed_header_name.equals_ignoring_ascii_case(header.name)) {
is_in_header_names = true;
break;
}
}
if (!is_in_header_names) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("Main request contains the header '{}' that is not specified in the CORS-preflight response's Access-Control-Allow-Headers header (the header may be missing). '*' does not capture this header.", header.name))));
return;
}
}
}
// 7. For each unsafeName of the CORS-unsafe request-header names with requests header list, if unsafeName is not a
// byte-case-insensitive match for an item in headerNames and requests credentials mode is "include" or headerNames
// does not contain `*`, return a network error.
auto unsafe_names = Infrastructure::get_cors_unsafe_header_names(request.header_list());
for (auto const& unsafe_name : unsafe_names) {
bool is_in_header_names = false;
for (auto const& header_name : header_names) {
if (unsafe_name.equals_ignoring_ascii_case(header_name)) {
is_in_header_names = true;
break;
}
}
if (!is_in_header_names) {
if (request.credentials_mode() == Infrastructure::Request::CredentialsMode::Include) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("CORS-unsafe request-header '{}' not found in the CORS-preflight response's Access-Control-Allow-Headers header (the header may be missing). '*' is not allowed as the main request includes credentials.", unsafe_name))));
return;
}
if (!header_names.contains_slow("*"sv)) {
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, TRY_OR_IGNORE(String::formatted("CORS-unsafe request-header '{}' not found in the CORS-preflight response's Access-Control-Allow-Headers header and there was no '*' entry. The header may be missing.", unsafe_name))));
return;
}
}
}
// FIXME: 8. Let max-age be the result of extracting header list values given `Access-Control-Max-Age` and responses header list.
// FIXME: 9. If max-age is failure or null, then set max-age to 5.
// FIXME: 10. If max-age is greater than an imposed limit on max-age, then set max-age to the imposed limit.
// 11. If the user agent does not provide for a cache, then return response.
// NOTE: Since we don't currently have a cache, this is always true.
returned_pending_response->resolve(response);
return;
// FIXME: 12. For each method in methods for which there is a method cache entry match using request, set matching entrys max-age
// to max-age.
// FIXME: 13. For each method in methods for which there is no method cache entry match using request, create a new cache entry
// with request, max-age, method, and null.
// FIXME: 14. For each headerName in headerNames for which there is a header-name cache entry match using request, set matching
// entrys max-age to max-age.
// FIXME: 15. For each headerName in headerNames for which there is no header-name cache entry match using request, create a
// new cache entry with request, max-age, null, and headerName.
// FIXME: 16. Return response.
}
// 8. Otherwise, return a network error.
returned_pending_response->resolve(Infrastructure::Response::network_error(vm, "CORS-preflight check failed"_string));
});
return returned_pending_response;
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-set-dest
void set_sec_fetch_dest_header(Infrastructure::Request& request)
{
// 1. Assert: rs url is a potentially trustworthy URL.
VERIFY(SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy);
// 2. Let header be a Structured Header whose value is a token.
// FIXME: This is handled below, as Serenity doesn't have APIs for RFC 8941.
// 3. If rs destination is the empty string, set headers value to the string "empty". Otherwise, set headers value to rs destination.
auto value = request.destination().has_value()
? Infrastructure::request_destination_to_string(*request.destination())
: "empty"sv;
// 4. Set a structured field value `Sec-Fetch-Dest`/header in rs header list.
request.header_list()->append({ "Sec-Fetch-Dest"sv, value });
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-set-dest
void set_sec_fetch_mode_header(Infrastructure::Request& request)
{
// 1. Assert: rs url is a potentially trustworthy URL.
VERIFY(SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy);
// 2. Let header be a Structured Header whose value is a token.
// FIXME: This is handled below, as Serenity doesn't have APIs for RFC 8941.
// 3. Set headers value to rs mode.
auto value = Infrastructure::request_mode_to_string(request.mode());
// 4. Set a structured field value `Sec-Fetch-Mode`/header in rs header list.
request.header_list()->append({ "Sec-Fetch-Mode"sv, value });
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-set-site
void set_sec_fetch_site_header(Infrastructure::Request& request)
{
// 1. Assert: rs url is a potentially trustworthy URL.
VERIFY(SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy);
// 2. Let header be a Structured Header whose value is a token.
// FIXME: This is handled below, as Serenity doesn't have APIs for RFC 8941.
// 3. Set headers value to same-origin.
auto value = "same-origin"sv;
// FIXME: 4. If r is a navigation request that was explicitly caused by a users interaction with the user agent (by typing an address
// into the user agent directly, for example, or by clicking a bookmark, etc.), then set headers value to none.
// 5. If headers value is not none, then for each url in rs url list:
if (!value.equals_ignoring_ascii_case("none"sv)) {
VERIFY(request.origin().has<URL::Origin>());
auto const& request_origin = request.origin().get<URL::Origin>();
for (auto const& url : request.url_list()) {
// 1. If url is same origin with rs origin, continue.
if (url.origin().is_same_origin(request_origin))
continue;
// 2. Set headers value to cross-site.
value = "cross-site"sv;
// 3. If rs origin is not same site with urls origin, then break.
if (!request_origin.is_same_site(url.origin()))
break;
// 4. Set headers value to same-site.
value = "same-site"sv;
}
}
// 6. Set a structured field value `Sec-Fetch-Site`/header in rs header list.
request.header_list()->append({ "Sec-Fetch-Site"sv, value });
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-set-user
void set_sec_fetch_user_header(Infrastructure::Request& request)
{
// 1. Assert: rs url is a potentially trustworthy URL.
VERIFY(SecureContexts::is_url_potentially_trustworthy(request.url()) == SecureContexts::Trustworthiness::PotentiallyTrustworthy);
// 2. If r is not a navigation request, or if rs user-activation is false, return.
if (!request.is_navigation_request() || !request.user_activation())
return;
// 3. Let header be a Structured Header whose value is a token.
// FIXME: This is handled below, as Serenity doesn't have APIs for RFC 8941.
// 4. Set headers value to true.
// NOTE: See https://datatracker.ietf.org/doc/html/rfc8941#name-booleans for boolean format in RFC 8941.
static ByteString value = "?1"sv;
// 5. Set a structured field value `Sec-Fetch-User`/header in rs header list.
request.header_list()->append({ "Sec-Fetch-User"sv, value });
}
// https://w3c.github.io/webappsec-fetch-metadata/#abstract-opdef-append-the-fetch-metadata-headers-for-a-request
void append_fetch_metadata_headers_for_request(Infrastructure::Request& request)
{
// 1. If rs url is not an potentially trustworthy URL, return.
if (SecureContexts::is_url_potentially_trustworthy(request.url()) != SecureContexts::Trustworthiness::PotentiallyTrustworthy)
return;
// 2. Set the Sec-Fetch-Dest header for r.
set_sec_fetch_dest_header(request);
// 3. Set the Sec-Fetch-Mode header for r.
set_sec_fetch_mode_header(request);
// 4. Set the Sec-Fetch-Site header for r.
set_sec_fetch_site_header(request);
// 5. Set the Sec-Fetch-User header for r.
set_sec_fetch_user_header(request);
}
void set_http_memory_cache_enabled(bool const enabled)
{
g_http_memory_cache_enabled = enabled;
}
bool http_memory_cache_enabled()
{
return g_http_memory_cache_enabled;
}
void clear_http_memory_cache()
{
HTTPCache::the().clear_cache();
}
}
Reference in a new issue View git blame Copy permalink