content/public/browser/url_data_source.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
   6 #define CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_
   7
   8 #include <string>
   9
  10 #include "base/callback.h"
  11 #include "content/common/content_export.h"
  12
  13 namespace base {
  14 class MessageLoop;
  15 class RefCountedMemory;
  16 }
  17
  18 namespace net {
  19 class URLRequest;
  20 }
  21
  22 namespace content {
  23 class BrowserContext;
  24
  25 // A URLDataSource is an object that can answer requests for WebUI data
  26 // asynchronously. An implementation of URLDataSource should handle calls to
  27 // StartDataRequest() by starting its (implementation-specific) asynchronous
  28 // request for the data, then running the callback given in that method to
  29 // notify.
  30 class CONTENT_EXPORT URLDataSource {
  31  public:
  32   // Adds a URL data source to |browser_context|.
  33   static void Add(BrowserContext* browser_context, URLDataSource* source);
  34
  35   virtual ~URLDataSource() {}
  36
  37   // The name of this source.
  38   // E.g., for favicons, this could be "favicon", which results in paths for
  39   // specific resources like "favicon/34" getting sent to this source. For
  40   // sources where a scheme is used instead of the hostname as the unique
  41   // identifier, the suffix "://" must be added to the return value, eg. for a
  42   // URLDataSource which would display resources with URLs on the form
  43   // your-scheme://anything , GetSource() must return "your-scheme://".
  44   virtual std::string GetSource() const = 0;
  45
  46   // Used by StartDataRequest so that the child class can return the data when
  47   // it's available.
  48   typedef base::Callback<void(base::RefCountedMemory*)> GotDataCallback;
  49
  50   // Called by URLDataSource to request data at |path|. The string parameter is
  51   // the path of the request. The child class should run |callback| when the
  52   // data is available or if the request could not be satisfied. This can be
  53   // called either in this callback or asynchronously with the response.
  54   virtual void StartDataRequest(const std::string& path,
  55                                 int render_process_id,
  56                                 int render_frame_id,
  57                                 const GotDataCallback& callback) = 0;
  58
  59   // Return the mimetype that should be sent with this response, or empty
  60   // string to specify no mime type.
  61   virtual std::string GetMimeType(const std::string& path) const = 0;
  62
  63   // The following methods are all called on the IO thread.
  64
  65   // Returns the MessageLoop on which the delegate wishes to have
  66   // StartDataRequest called to handle the request for |path|. The default
  67   // implementation returns BrowserThread::UI. If the delegate does not care
  68   // which thread StartDataRequest is called on, this should return nullptr.
  69   // It may be beneficial to return nullptr for requests that are safe to handle
  70   // directly on the IO thread.  This can improve performance by satisfying such
  71   // requests more rapidly when there is a large amount of UI thread contention.
  72   // Or the delegate can return a specific thread's Messageloop if they wish.
  73   virtual base::MessageLoop* MessageLoopForRequestPath(
  74       const std::string& path) const;
  75
  76   // Returns true if the URLDataSource should replace an existing URLDataSource
  77   // with the same name that has already been registered. The default is true.
  78   //
  79   // WARNING: this is invoked on the IO thread.
  80   //
  81   // TODO: nuke this and convert all callers to not replace.
  82   virtual bool ShouldReplaceExistingSource() const;
  83
  84   // Returns true if responses from this URLDataSource can be cached.
  85   virtual bool AllowCaching() const;
  86
  87   // If you are overriding this, then you have a bug.
  88   // It is not acceptable to disable content-security-policy on chrome:// pages
  89   // to permit functionality excluded by CSP, such as inline script.
  90   // Instead, you must go back and change your WebUI page so that it is
  91   // compliant with the policy. This typically involves ensuring that all script
  92   // is delivered through the data manager backend. Talk to tsepez for more
  93   // info.
  94   virtual bool ShouldAddContentSecurityPolicy() const;
  95
  96   // It is OK to override the following two methods to a custom CSP directive
  97   // thereby slightly reducing the protection applied to the page.
  98
  99   // By default, "object-src 'none';" is added to CSP. Override to change this.
 100   virtual std::string GetContentSecurityPolicyObjectSrc() const;
 101   // By default, "frame-src 'none';" is added to CSP. Override to change this.
 102   virtual std::string GetContentSecurityPolicyFrameSrc() const;
 103
 104   // By default, the "X-Frame-Options: DENY" header is sent. To stop this from
 105   // happening, return false. It is OK to return false as needed.
 106   virtual bool ShouldDenyXFrameOptions() const;
 107
 108   // By default, only chrome: and chrome-devtools: requests are allowed.
 109   // Override in specific WebUI data sources to enable for additional schemes or
 110   // to implement fancier access control.  Typically used in concert with
 111   // ContentBrowserClient::GetAdditionalWebUISchemes() to permit additional
 112   // WebUI scheme support for an embedder.
 113   virtual bool ShouldServiceRequest(const net::URLRequest* request) const;
 114
 115   // By default, Content-Type: header is not sent along with the response.
 116   // To start sending mime type returned by GetMimeType in HTTP headers,
 117   // return true. It is useful when tunneling response served from this data
 118   // source programmatically. Or when AppCache is enabled for this source as it
 119   // is for chrome-devtools.
 120   virtual bool ShouldServeMimeTypeAsContentTypeHeader() const;
 121
 122   // This method is called when the request contains "Origin:" header. The value
 123   // of the header is passed in |origin| parameter. If the returned value is not
 124   // empty, it is used as a value for "Access-Control-Allow-Origin:" response
 125   // header, otherwise the header is not set. This method should return either
 126   // |origin|, or "*", or "none", or empty string.
 127   // Default implementation returns an empty string.
 128   virtual std::string GetAccessControlAllowOriginForOrigin(
 129       const std::string& origin) const;
 130
 131   // Called to inform the source that StartDataRequest() will be called soon.
 132   // Gives the source an opportunity to rewrite |path| to incorporate extra
 133   // information from the URLRequest prior to serving.
 134   virtual void WillServiceRequest(
 135       const net::URLRequest* request,
 136       std::string* path) const {}
 137 };
 138
 139 }  // namespace content
 140
 141 #endif  // CONTENT_PUBLIC_BROWSER_URL_DATA_SOURCE_H_