Loader: Move FetchContext::CheckResponseNosniff() to ResourceLoader

FetchContext::CheckResponseNosniff() is called only from ResourceLoader. That
should be placed in ResourceLoader for code health.

Bug: 845285
Change-Id: I3174ec08c046d3f95eaf304d23bcb29105c0c67f
Reviewed-on: https://chromium-review.googlesource.com/1131044Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574086}

third_party/blink/renderer/core/loader/base_fetch_context.cc

@@ -17,7 +17,6 @@
 #include "third_party/blink/renderer/platform/loader/fetch/resource.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_load_priority.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_loading_log.h"
-#include "third_party/blink/renderer/platform/network/mime/mime_type_registry.h"
 #include "third_party/blink/renderer/platform/weborigin/origin_access_entry.h"
 #include "third_party/blink/renderer/platform/weborigin/scheme_registry.h"
 #include "third_party/blink/renderer/platform/weborigin/security_policy.h"
@@ -162,11 +161,17 @@ base::Optional<ResourceRequestBlockedReason> BaseFetchContext::CanRequest(
 
 void BaseFetchContext::AddErrorConsoleMessage(const String& message,
                                               LogSource source) const {
-  // When LogSource is extended, this DCHECK should be replaced with a logic to
-  // convert LogSource to blink::MessageSource.
-  DCHECK_EQ(source, kJSSource);
-  AddConsoleMessage(
-      ConsoleMessage::Create(kJSMessageSource, kErrorMessageLevel, message));
+  switch (source) {
+    case kJSSource:
+      AddConsoleMessage(ConsoleMessage::Create(kJSMessageSource,
+                                               kErrorMessageLevel, message));
+      return;
+    case kSecuritySource:
+      AddConsoleMessage(ConsoleMessage::Create(kSecurityMessageSource,
+                                               kErrorMessageLevel, message));
+      return;
+  }
+  NOTREACHED();
 }
 
 bool BaseFetchContext::IsAdResource(
@@ -395,33 +400,6 @@ BaseFetchContext::CanRequestInternal(
   return base::nullopt;
 }
 
-base::Optional<ResourceRequestBlockedReason>
-BaseFetchContext::CheckResponseNosniff(
-    WebURLRequest::RequestContext request_context,
-    const ResourceResponse& response) const {
-  bool sniffing_allowed =
-      ParseContentTypeOptionsHeader(response.HttpHeaderField(
-          HTTPNames::X_Content_Type_Options)) != kContentTypeOptionsNosniff;
-  if (sniffing_allowed)
-    return base::nullopt;
-
-  String mime_type = response.HttpContentType();
-  if (request_context == WebURLRequest::kRequestContextStyle &&
-      !MIMETypeRegistry::IsSupportedStyleSheetMIMEType(mime_type)) {
-    AddConsoleMessage(ConsoleMessage::Create(
-        kSecurityMessageSource, kErrorMessageLevel,
-        "Refused to apply style from '" + response.Url().ElidedString() +
-            "' because its MIME type ('" + mime_type + "') " +
-            "is not a supported stylesheet MIME type, and strict MIME checking "
-            "is enabled."));
-    return ResourceRequestBlockedReason::kContentType;
-  }
-  // TODO(mkwst): Move the 'nosniff' bit of 'AllowedByNosniff::MimeTypeAsScript'
-  // here alongside the style checks, and put its use counters somewhere else.
-
-  return base::nullopt;
-}
-
 void BaseFetchContext::Trace(blink::Visitor* visitor) {
   FetchContext::Trace(visitor);
 }

third_party/blink/renderer/core/loader/base_fetch_context.h

@@ -45,9 +45,6 @@ class CORE_EXPORT BaseFetchContext : public FetchContext {
       const ResourceLoaderOptions&,
       SecurityViolationReportingPolicy,
       ResourceRequest::RedirectStatus) const override;
-  base::Optional<ResourceRequestBlockedReason> CheckResponseNosniff(
-      WebURLRequest::RequestContext,
-      const ResourceResponse&) const override;
 
   void Trace(blink::Visitor*) override;
 

third_party/blink/renderer/platform/loader/fetch/fetch_context.h

@@ -82,13 +82,14 @@ class PLATFORM_EXPORT FetchContext
   // This enum corresponds to blink::MessageSource. We have this not to
   // introduce any dependency to core/.
   //
-  // Currently only kJSMessageSource is used, but not to impress readers that
-  // AddConsoleMessage() call from FetchContext() should always use it, which is
-  // not true, we ask users of the Add.*ConsoleMessage() methods to explicitly
-  // specify the MessageSource to use.
+  // Currently only kJSMessageSource and kSecurityMessageSource are used, but
+  // not to impress readers that AddConsoleMessage() call from FetchContext()
+  // should always use them, which is not true, we ask users of the
+  // Add.*ConsoleMessage() methods to explicitly specify the MessageSource to
+  // use.
   //
   // Extend this when needed.
-  enum LogSource { kJSSource };
+  enum LogSource { kJSSource, kSecuritySource };
 
   static FetchContext& NullInstance();
 
@@ -192,11 +193,6 @@ class PLATFORM_EXPORT FetchContext
       ResourceRequest::RedirectStatus) const {
     return ResourceRequestBlockedReason::kOther;
   }
-  virtual base::Optional<ResourceRequestBlockedReason> CheckResponseNosniff(
-      WebURLRequest::RequestContext,
-      const ResourceResponse&) const {
-    return ResourceRequestBlockedReason::kOther;
-  }
 
   virtual blink::mojom::ControllerServiceWorkerMode
   IsControlledByServiceWorker() const {

third_party/blink/renderer/platform/loader/fetch/resource_loader.cc

@@ -46,6 +46,9 @@
 #include "third_party/blink/renderer/platform/loader/fetch/resource.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_error.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
+#include "third_party/blink/renderer/platform/network/http_names.h"
+#include "third_party/blink/renderer/platform/network/http_parsers.h"
+#include "third_party/blink/renderer/platform/network/mime/mime_type_registry.h"
 #include "third_party/blink/renderer/platform/network/network_instrumentation.h"
 #include "third_party/blink/renderer/platform/scheduler/public/thread_scheduler.h"
 #include "third_party/blink/renderer/platform/shared_buffer.h"
@@ -551,7 +554,7 @@ void ResourceLoader::DidReceiveResponse(
           ? resource_->GetResponse()
           : response;
   base::Optional<ResourceRequestBlockedReason> blocked_reason =
-      Context().CheckResponseNosniff(request_context, nosniffed_response);
+      CheckResponseNosniff(request_context, nosniffed_response);
   if (blocked_reason) {
     HandleError(ResourceError::CancelledDueToAccessCheckError(
         response.Url(), blocked_reason.value()));
@@ -875,4 +878,31 @@ void ResourceLoader::FinishedCreatingBlob(
   }
 }
 
+base::Optional<ResourceRequestBlockedReason>
+ResourceLoader::CheckResponseNosniff(
+    WebURLRequest::RequestContext request_context,
+    const ResourceResponse& response) const {
+  bool sniffing_allowed =
+      ParseContentTypeOptionsHeader(response.HttpHeaderField(
+          HTTPNames::X_Content_Type_Options)) != kContentTypeOptionsNosniff;
+  if (sniffing_allowed)
+    return base::nullopt;
+
+  String mime_type = response.HttpContentType();
+  if (request_context == WebURLRequest::kRequestContextStyle &&
+      !MIMETypeRegistry::IsSupportedStyleSheetMIMEType(mime_type)) {
+    Context().AddErrorConsoleMessage(
+        "Refused to apply style from '" + response.Url().ElidedString() +
+            "' because its MIME type ('" + mime_type + "') " +
+            "is not a supported stylesheet MIME type, and strict MIME checking "
+            "is enabled.",
+        FetchContext::kSecuritySource);
+    return ResourceRequestBlockedReason::kContentType;
+  }
+  // TODO(mkwst): Move the 'nosniff' bit of 'AllowedByNosniff::MimeTypeAsScript'
+  // here alongside the style checks, and put its use counters somewhere else.
+
+  return base::nullopt;
+}
+
 }  // namespace blink

third_party/blink/renderer/platform/loader/fetch/resource_loader.h

@@ -174,6 +174,10 @@ class PLATFORM_EXPORT ResourceLoader final
   void OnProgress(uint64_t delta) override;
   void FinishedCreatingBlob(const scoped_refptr<BlobDataHandle>&);
 
+  base::Optional<ResourceRequestBlockedReason> CheckResponseNosniff(
+      WebURLRequest::RequestContext,
+      const ResourceResponse&) const;
+
   std::unique_ptr<WebURLLoader> loader_;
   ResourceLoadScheduler::ClientId scheduler_client_id_;
   Member<ResourceFetcher> fetcher_;

third_party/blink/renderer/platform/loader/testing/mock_fetch_context.h

@@ -86,11 +86,6 @@ class MockFetchContext : public FetchContext {
       ResourceRequest::RedirectStatus redirect_status) const override {
     return base::nullopt;
   }
-  base::Optional<ResourceRequestBlockedReason> CheckResponseNosniff(
-      WebURLRequest::RequestContext,
-      const ResourceResponse&) const override {
-    return base::nullopt;
-  }
   bool ShouldLoadNewResource(Resource::Type) const override {
     return load_policy_ == kShouldLoadNewResource;
   }