| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 95 | 95 |
| 96 return allowedCrossOriginResponseHeaders->contains(name); | 96 return allowedCrossOriginResponseHeaders->contains(name); |
| 97 } | 97 } |
| 98 | 98 |
| 99 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* sec
urityOrigin, StoredCredentials allowCredentials) | 99 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* sec
urityOrigin, StoredCredentials allowCredentials) |
| 100 { | 100 { |
| 101 request.removeCredentials(); | 101 request.removeCredentials(); |
| 102 request.setAllowCookies(allowCredentials == AllowStoredCredentials); | 102 request.setAllowCookies(allowCredentials == AllowStoredCredentials); |
| 103 | 103 |
| 104 if (securityOrigin) | 104 if (securityOrigin) |
| 105 request.setHTTPOrigin(securityOrigin->toString()); | 105 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
| 106 } | 106 } |
| 107 | 107 |
| 108 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque
st, SecurityOrigin* securityOrigin) | 108 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque
st, SecurityOrigin* securityOrigin) |
| 109 { | 109 { |
| 110 ResourceRequest preflightRequest(request.url()); | 110 ResourceRequest preflightRequest(request.url()); |
| 111 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); | 111 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); |
| 112 preflightRequest.setHTTPMethod("OPTIONS"); | 112 preflightRequest.setHTTPMethod("OPTIONS"); |
| 113 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request
.httpMethod()); | 113 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request
.httpMethod()); |
| 114 preflightRequest.setPriority(request.priority()); | 114 preflightRequest.setPriority(request.priority()); |
| 115 | 115 |
| 116 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); | 116 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); |
| 117 | 117 |
| 118 if (requestHeaderFields.size() > 0) { | 118 if (requestHeaderFields.size() > 0) { |
| 119 StringBuilder headerBuffer; | 119 StringBuilder headerBuffer; |
| 120 HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); | 120 HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); |
| 121 headerBuffer.append(it->key); | 121 headerBuffer.append(it->key); |
| 122 ++it; | 122 ++it; |
| 123 | 123 |
| 124 HTTPHeaderMap::const_iterator end = requestHeaderFields.end(); | 124 HTTPHeaderMap::const_iterator end = requestHeaderFields.end(); |
| 125 for (; it != end; ++it) { | 125 for (; it != end; ++it) { |
| 126 headerBuffer.appendLiteral(", "); | 126 headerBuffer.appendLiteral(", "); |
| 127 headerBuffer.append(it->key); | 127 headerBuffer.append(it->key); |
| 128 } | 128 } |
| 129 | 129 |
| 130 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", he
aderBuffer.toString().lower()); | 130 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", At
omicString(headerBuffer.toString().lower())); |
| 131 } | 131 } |
| 132 | 132 |
| 133 return preflightRequest; | 133 return preflightRequest; |
| 134 } | 134 } |
| 135 | 135 |
| 136 static bool isOriginSeparator(UChar ch) | 136 static bool isOriginSeparator(UChar ch) |
| 137 { | 137 { |
| 138 return isASCIISpace(ch) || ch == ','; | 138 return isASCIISpace(ch) || ch == ','; |
| 139 } | 139 } |
| 140 | 140 |
| 141 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
s includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription) | 141 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
s includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription) |
| 142 { | 142 { |
| 143 AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new A
tomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)); | 143 AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new A
tomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)); |
| 144 AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *
new AtomicString("access-control-allow-credentials", AtomicString::ConstructFrom
Literal)); | 144 AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *
new AtomicString("access-control-allow-credentials", AtomicString::ConstructFrom
Literal)); |
| 145 | 145 |
| 146 // A wildcard Access-Control-Allow-Origin can not be used if credentials are
to be sent, | 146 // A wildcard Access-Control-Allow-Origin can not be used if credentials are
to be sent, |
| 147 // even with Access-Control-Allow-Credentials set to true. | 147 // even with Access-Control-Allow-Credentials set to true. |
| 148 const AtomicString& accessControlOriginString = response.httpHeaderField(acc
essControlAllowOrigin); | 148 const AtomicString& accessControlOriginString = response.httpHeaderField(acc
essControlAllowOrigin); |
| 149 if (accessControlOriginString == starAtom && includeCredentials == DoNotAllo
wStoredCredentials) | 149 if (accessControlOriginString == starAtom && includeCredentials == DoNotAllo
wStoredCredentials) |
| 150 return true; | 150 return true; |
| 151 | 151 |
| 152 if (accessControlOriginString != securityOrigin->toString()) { | 152 if (accessControlOriginString != securityOrigin->toAtomicString()) { |
| 153 if (accessControlOriginString == starAtom) { | 153 if (accessControlOriginString == starAtom) { |
| 154 errorDescription = "A wildcard '*' cannot be used in the 'Access-Con
trol-Allow-Origin' header when the credentials flag is true. Origin '" + securit
yOrigin->toString() + "' is therefore not allowed access."; | 154 errorDescription = "A wildcard '*' cannot be used in the 'Access-Con
trol-Allow-Origin' header when the credentials flag is true. Origin '" + securit
yOrigin->toString() + "' is therefore not allowed access."; |
| 155 } else if (accessControlOriginString.isEmpty()) { | 155 } else if (accessControlOriginString.isEmpty()) { |
| 156 errorDescription = "No 'Access-Control-Allow-Origin' header is prese
nt on the requested resource. Origin '" + securityOrigin->toString() + "' is the
refore not allowed access."; | 156 errorDescription = "No 'Access-Control-Allow-Origin' header is prese
nt on the requested resource. Origin '" + securityOrigin->toString() + "' is the
refore not allowed access."; |
| 157 } else if (accessControlOriginString.string().find(isOriginSeparator, 0)
!= kNotFound) { | 157 } else if (accessControlOriginString.string().find(isOriginSeparator, 0)
!= kNotFound) { |
| 158 errorDescription = "The 'Access-Control-Allow-Origin' header contain
s multiple values '" + accessControlOriginString + "', but only one is allowed.
Origin '" + securityOrigin->toString() + "' is therefore not allowed access."; | 158 errorDescription = "The 'Access-Control-Allow-Origin' header contain
s multiple values '" + accessControlOriginString + "', but only one is allowed.
Origin '" + securityOrigin->toString() + "' is therefore not allowed access."; |
| 159 } else { | 159 } else { |
| 160 KURL headerOrigin(KURL(), accessControlOriginString); | 160 KURL headerOrigin(KURL(), accessControlOriginString); |
| 161 if (!headerOrigin.isValid()) | 161 if (!headerOrigin.isValid()) |
| 162 errorDescription = "The 'Access-Control-Allow-Origin' header con
tains the invalid value '" + accessControlOriginString + "'. Origin '" + securit
yOrigin->toString() + "' is therefore not allowed access."; | 162 errorDescription = "The 'Access-Control-Allow-Origin' header con
tains the invalid value '" + accessControlOriginString + "'. Origin '" + securit
yOrigin->toString() + "' is therefore not allowed access."; |
| (...skipping 29 matching lines...) Expand all Loading... |
| 192 Vector<String> headers; | 192 Vector<String> headers; |
| 193 headerValue.split(',', false, headers); | 193 headerValue.split(',', false, headers); |
| 194 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++)
{ | 194 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++)
{ |
| 195 String strippedHeader = headers[headerCount].stripWhiteSpace(); | 195 String strippedHeader = headers[headerCount].stripWhiteSpace(); |
| 196 if (!strippedHeader.isEmpty()) | 196 if (!strippedHeader.isEmpty()) |
| 197 headerSet.add(strippedHeader); | 197 headerSet.add(strippedHeader); |
| 198 } | 198 } |
| 199 } | 199 } |
| 200 | 200 |
| 201 } // namespace WebCore | 201 } // namespace WebCore |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 123003002:
Make calls to AtomicString(const String&) explicit in loader/ and fetch/ (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master