Drop Set-Cookie from XHR response headers

net/http/http_response_headers.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // The rules for header parsing were borrowed from Firefox:
 // http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpResponseHead.cpp
 // The rules for parsing content-types were also borrowed from Firefox:
 // http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#834
 
 #include "net/http/http_response_headers.h"
 
 #include <algorithm>
 
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/string_util.h"
 #include "base/time.h"
 #include "net/base/escape.h"
 #include "net/http/http_util.h"
 
 using base::Time;
 using base::TimeDelta;
 
 namespace net {
 
 //-----------------------------------------------------------------------------
 
 namespace {
 
-// These response headers are not persisted in a cached representation of the
-// response headers.  (This list comes from Mozilla's nsHttpResponseHead.cpp)
-const char* const kTransientHeaders[] = {
+// These headers are RFC 2616 hop-by-hop headers;
+// not to be stored by caches.
+const char* const kHopByHopResponseHeaders[] = {
   "connection",
   "proxy-connection",
   "keep-alive",
-  "www-authenticate",
-  "proxy-authenticate",
   "trailer",
   "transfer-encoding",
-  "upgrade",
+  "upgrade"
+};
+
+// These headers are challenge response headers;
+// not to be stored by caches.
+const char* const kChallengeResponseHeaders[] = {
+  "www-authenticate",
+  "proxy-authenticate"
+};
+
+// These headers are cookie setting headers;
+// not to be stored by caches or disclosed otherwise.
+const char* const kCookieResponseHeaders[] = {
   "set-cookie",
   "set-cookie2"
 };
 
-// These respones headers are not copied from a 304/206 response to the cached
+// These response headers are not copied from a 304/206 response to the cached
 // response headers.  This list is based on Mozilla's nsHttpResponseHead.cpp.
 const char* const kNonUpdatedHeaders[] = {
   "connection",
   "proxy-connection",
   "keep-alive",
   "www-authenticate",
   "proxy-authenticate",
   "trailer",
   "transfer-encoding",
   "upgrade",
@@ skipping 27 matching lines @@
   Parse(raw_input);
 }
 
 HttpResponseHeaders::HttpResponseHeaders(const Pickle& pickle, void** iter)
     : response_code_(-1) {
   std::string raw_input;
   if (pickle.ReadString(iter, &raw_input))
     Parse(raw_input);
 }
 
-void HttpResponseHeaders::Persist(Pickle* pickle, bool for_cache) {
-  if (for_cache) {
-    HeaderSet transient_headers;
-    GetTransientHeaders(&transient_headers);
+void HttpResponseHeaders::Persist(Pickle* pickle, PersistOptions options) {
+  if (options == PERSIST_RAW) {
+    pickle->WriteString(raw_headers_);
+    return;  // Done.
+  }
 
-    std::string blob;
-    blob.reserve(raw_headers_.size());
+  HeaderSet filter_headers;
 
-    // this just copies the status line w/ terminator
-    blob.assign(raw_headers_.c_str(), strlen(raw_headers_.c_str()) + 1);
+  // Construct set of headers to filter out based on options.
+  if ((options & PERSIST_SANS_NON_CACHEABLE) == PERSIST_SANS_NON_CACHEABLE)
+    AddNonCacheableHeaders(&filter_headers);
 
-    for (size_t i = 0; i < parsed_.size(); ++i) {
-      DCHECK(!parsed_[i].is_continuation());
+  if ((options & PERSIST_SANS_COOKIES) == PERSIST_SANS_COOKIES)
+    AddCookieHeaders(&filter_headers);
 
-      // locate the start of the next header
-      size_t k = i;
-      while (++k < parsed_.size() && parsed_[k].is_continuation());
-      --k;
+  if ((options & PERSIST_SANS_CHALLENGES) == PERSIST_SANS_CHALLENGES)
+    AddChallengeHeaders(&filter_headers);
 
-      std::string header_name(parsed_[i].name_begin, parsed_[i].name_end);
-      StringToLowerASCII(&header_name);
+  if ((options & PERSIST_SANS_HOP_BY_HOP) == PERSIST_SANS_HOP_BY_HOP)
+    AddHopByHopHeaders(&filter_headers);
 
-      if (transient_headers.find(header_name) == transient_headers.end()) {
-        // includes terminator
-        blob.append(parsed_[i].name_begin, parsed_[k].value_end + 1);
-      }
+  std::string blob;
+  blob.reserve(raw_headers_.size());
 
-      i = k;
+  // This copies the status line w/ terminator null.
+  // Note raw_headers_ has embedded nulls instead of \n,
+  // so this just copies the first header line.
+  blob.assign(raw_headers_.c_str(), strlen(raw_headers_.c_str()) + 1);
+
+  for (size_t i = 0; i < parsed_.size(); ++i) {
+    DCHECK(!parsed_[i].is_continuation());
+
+    // Locate the start of the next header.
+    size_t k = i;
+    while (++k < parsed_.size() && parsed_[k].is_continuation());
+    --k;
+
+    std::string header_name(parsed_[i].name_begin, parsed_[i].name_end);
+    StringToLowerASCII(&header_name);
+
+    if (filter_headers.find(header_name) == filter_headers.end()) {
+      // Includes terminator null due to the + 1.
+      blob.append(parsed_[i].name_begin, parsed_[k].value_end + 1);
     }
-    blob.push_back('\0');
 
-    pickle->WriteString(blob);
-  } else {
-    pickle->WriteString(raw_headers_);
+    i = k;
   }
+  blob.push_back('\0');
+
+  pickle->WriteString(blob);
 }
 
 void HttpResponseHeaders::Update(const HttpResponseHeaders& new_headers) {
   DCHECK(new_headers.response_code() == 304 ||
          new_headers.response_code() == 206);
 
   // copy up to the null byte.  this just copies the status line.
   std::string new_raw_headers(raw_headers_.c_str());
   new_raw_headers.push_back('\0');
 
@@ skipping 412 matching lines @@
                                       std::string::const_iterator value_begin,
                                       std::string::const_iterator value_end) {
   ParsedHeader header;
   header.name_begin = name_begin;
   header.name_end = name_end;
   header.value_begin = value_begin;
   header.value_end = value_end;
   parsed_.push_back(header);
 }
 
-void HttpResponseHeaders::GetTransientHeaders(HeaderSet* result) const {
+void HttpResponseHeaders::AddNonCacheableHeaders(HeaderSet* result) const {
   // Add server specified transients.  Any 'cache-control: no-cache="foo,bar"'
   // headers present in the response specify additional headers that we should
   // not store in the cache.
   const std::string kCacheControl = "cache-control";
   const std::string kPrefix = "no-cache=\"";
   std::string value;
   void* iter = NULL;
   while (EnumerateHeader(&iter, kCacheControl, &value)) {
     if (value.size() > kPrefix.size() &&
         value.compare(0, kPrefix.size(), kPrefix) == 0) {
@@ skipping 24 matching lines @@
 
         // repeat
         begin_pos = comma_pos + 1;
         while (begin_pos < value.size() && strchr(HTTP_LWS, value[begin_pos]))
           begin_pos++;
         if (begin_pos >= value.size())
           break;
       }
     }
   }
+}
 
-  // Add standard transient headers.  Perhaps we should move this to a
-  // statically cached hash_set to avoid duplicated work?
-  for (size_t i = 0; i < arraysize(kTransientHeaders); ++i)
-    result->insert(std::string(kTransientHeaders[i]));
+void HttpResponseHeaders::AddHopByHopHeaders(HeaderSet* result) {
+  for (size_t i = 0; i < arraysize(kHopByHopResponseHeaders); ++i)
+    result->insert(std::string(kHopByHopResponseHeaders[i]));
+}
+
+void HttpResponseHeaders::AddCookieHeaders(HeaderSet* result) {
+  for (size_t i = 0; i < arraysize(kCookieResponseHeaders); ++i)
+    result->insert(std::string(kCookieResponseHeaders[i]));
+}
+
+void HttpResponseHeaders::AddChallengeHeaders(HeaderSet* result) {
+  for (size_t i = 0; i < arraysize(kChallengeResponseHeaders); ++i)
+    result->insert(std::string(kChallengeResponseHeaders[i]));
 }
 
 void HttpResponseHeaders::GetMimeTypeAndCharset(std::string* mime_type,
                                                 std::string* charset) const {
   mime_type->clear();
   charset->clear();
 
   std::string name = "content-type";
   std::string value;
 
@@ skipping 313 matching lines @@
   int64 result;
   bool ok = StringToInt64(content_length_val, &result);
   if (!ok || result < 0) 
     return -1;
 
   return result;
 }
 
 }  // namespace net