Pepper: Add a X-Requested-With header to URL requests done for Pepper plugins.

webkit/plugins/ppapi/url_request_info_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webkit/plugins/ppapi/url_request_info_util.h"
 
 #include "base/logging.h"
 #include "base/string_util.h"
 #include "googleurl/src/gurl.h"
 #include "googleurl/src/url_util.h"
 #include "net/http/http_util.h"
 #include "ppapi/shared_impl/url_request_info_data.h"
 #include "ppapi/shared_impl/var.h"
 #include "ppapi/thunk/enter.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebData.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebHTTPBody.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebURL.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebURLRequest.h"
 #include "webkit/base/file_path_string_conversions.h"
 #include "webkit/glue/weburlrequest_extradata_impl.h"
 #include "webkit/plugins/ppapi/common.h"
+#include "webkit/plugins/ppapi/host_globals.h"
 #include "webkit/plugins/ppapi/plugin_module.h"
+#include "webkit/plugins/ppapi/ppapi_plugin_instance.h"
 #include "webkit/plugins/ppapi/ppb_file_ref_impl.h"
 #include "webkit/plugins/ppapi/ppb_file_system_impl.h"
 #include "webkit/plugins/ppapi/resource_helper.h"
 
 using ppapi::URLRequestInfoData;
 using ppapi::Resource;
 using ppapi::thunk::EnterResourceNoLock;
 using ppapi::thunk::PPB_FileRef_API;
 using WebKit::WebData;
 using WebKit::WebHTTPBody;
@@ skipping 76 matching lines @@
       EnterResourceNoLock<PPB_FileRef_API> enter(
           item.file_ref_host_resource.host_resource(), false);
       if (!enter.succeeded())
         return false;
       item.file_ref = enter.resource();
     }
   }
   return true;
 }
 
+std::string FilterStringForXRequestedWithValue(const std::string& s) {
+  std::string rv;
+  rv.reserve(s.length());
+  for (size_t i = 0; i < s.length(); i++) {
+    char c = s[i];
+    // Allow ASCII digits, letters, periods, commas, and underscores. (Ignore
+    // all other characters.)
+    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
+        (c >= 'a' && c <= 'z') || (c == '.') || (c == ',') || (c == '_'))
+      rv.push_back(c);
+  }
+  return rv;
+}
+
+// Makes an appropriate value for the X-Requested-With header. We produce a
+// user-agent-like string (eating spaces and other undesired characters) like
+// "ShockwaveFlash/11.5.31.135" from the plugin name and version.
+std::string MakeXRequestedWithValue(const std::string& name,
+                                    const std::string& version) {
+  std::string rv = FilterStringForXRequestedWithValue(name);
+  if (rv.empty())
+    rv = "unknown_plugin";
+
+  std::string filtered_version = FilterStringForXRequestedWithValue(version);
+  if (!filtered_version.empty())
+    rv += "/" + filtered_version;
+
+  return rv;
+}
+
 }  // namespace
 
-bool CreateWebURLRequest(::ppapi::URLRequestInfoData* data,
+bool CreateWebURLRequest(PP_Instance pp_instance,
+                         ::ppapi::URLRequestInfoData* data,
                          WebFrame* frame,
                          WebURLRequest* dest) {
+  std::string name_version;
+
+  // Allow null instances for testing purposes.
+  if (pp_instance) {
+    PluginInstance* instance = HostGlobals::Get()->GetInstance(pp_instance);
+    if (!instance)
+      return false;
+
+    name_version = MakeXRequestedWithValue(instance->module()->name(),
+                                           instance->module()->version());
+  } else {
+    name_version = "internal_testing_only";
+  }
+
   // In the out-of-process case, we've received the URLRequestInfoData
   // from the untrusted plugin and done no validation on it. We need to be
   // sure it's not being malicious by checking everything for consistency.
   if (!ValidateURLRequestData(*data) || !EnsureFileRefObjectsPopulated(data))
     return false;
 
   dest->initialize();
   dest->setTargetType(WebURLRequest::TargetIsObject);
   dest->setURL(frame->document().completeURL(WebString::fromUTF8(
       data->url)));
@@ skipping 42 matching lines @@
   if (data->has_custom_referrer_url && !data->custom_referrer_url.empty())
     frame->setReferrerForRequest(*dest, GURL(data->custom_referrer_url));
 
   if (data->has_custom_content_transfer_encoding &&
       !data->custom_content_transfer_encoding.empty()) {
     dest->addHTTPHeaderField(
         WebString::fromUTF8("Content-Transfer-Encoding"),
         WebString::fromUTF8(data->custom_content_transfer_encoding));
   }
 
-  if (data->has_custom_user_agent) {
-    dest->setExtraData(new webkit_glue::WebURLRequestExtraDataImpl(
-        WebKit::WebReferrerPolicyDefault,  // Ignored.
-        WebString::fromUTF8(data->custom_user_agent)));
-  }
+  dest->setExtraData(new webkit_glue::WebURLRequestExtraDataImpl(
+      WebKit::WebReferrerPolicyDefault,  // Ignored.
+      data->has_custom_user_agent ?
+          WebString::fromUTF8(data->custom_user_agent) : WebString(),
+          WebString::fromUTF8(name_version)));
 
   return true;
 }
 
 bool URLRequestRequiresUniversalAccess(
     const ::ppapi::URLRequestInfoData& data) {
   return
       data.has_custom_referrer_url ||
       data.has_custom_content_transfer_encoding ||
       data.has_custom_user_agent ||
       url_util::FindAndCompareScheme(data.url, "javascript", NULL);
 }
 
 }  // namespace ppapi
 }  // namespace webkit