| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved. |
| 3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org> | 3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org> |
| 4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org> | 4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org> |
| 5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved. | 5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved. |
| 6 * Copyright (C) 2012 Intel Corporation | 6 * Copyright (C) 2012 Intel Corporation |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Lesser General Public | 9 * modify it under the terms of the GNU Lesser General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 903 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 914 if (m_state != OPENED || m_loader) { | 914 if (m_state != OPENED || m_loader) { |
| 915 ec = INVALID_STATE_ERR; | 915 ec = INVALID_STATE_ERR; |
| 916 return; | 916 return; |
| 917 } | 917 } |
| 918 | 918 |
| 919 if (!isValidHTTPToken(name) || !isValidHTTPHeaderValue(value)) { | 919 if (!isValidHTTPToken(name) || !isValidHTTPHeaderValue(value)) { |
| 920 ec = SYNTAX_ERR; | 920 ec = SYNTAX_ERR; |
| 921 return; | 921 return; |
| 922 } | 922 } |
| 923 | 923 |
| 924 // A privileged script can set any headers. | 924 // No script (privileged or not) can set unsafe headers. |
| 925 if (!securityOrigin()->canLoadLocalResources() && !isAllowedHTTPHeader(name)
) { | 925 if (!isAllowedHTTPHeader(name)) { |
| 926 logConsoleError(scriptExecutionContext(), "Refused to set unsafe header
\"" + name + "\""); | 926 logConsoleError(scriptExecutionContext(), "Refused to set unsafe header
\"" + name + "\""); |
| 927 return; | 927 return; |
| 928 } | 928 } |
| 929 | 929 |
| 930 setRequestHeaderInternal(name, value); | 930 setRequestHeaderInternal(name, value); |
| 931 } | 931 } |
| 932 | 932 |
| 933 void XMLHttpRequest::setRequestHeaderInternal(const AtomicString& name, const St
ring& value) | 933 void XMLHttpRequest::setRequestHeaderInternal(const AtomicString& name, const St
ring& value) |
| 934 { | 934 { |
| 935 HTTPHeaderMap::AddResult result = m_requestHeaders.add(name, value); | 935 HTTPHeaderMap::AddResult result = m_requestHeaders.add(name, value); |
| (...skipping 354 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1290 info.addMember(m_responseDocument, "responseDocument"); | 1290 info.addMember(m_responseDocument, "responseDocument"); |
| 1291 info.addMember(m_binaryResponseBuilder, "binaryResponseBuilder"); | 1291 info.addMember(m_binaryResponseBuilder, "binaryResponseBuilder"); |
| 1292 info.addMember(m_responseArrayBuffer, "responseArrayBuffer"); | 1292 info.addMember(m_responseArrayBuffer, "responseArrayBuffer"); |
| 1293 info.addMember(m_lastSendURL, "lastSendURL"); | 1293 info.addMember(m_lastSendURL, "lastSendURL"); |
| 1294 info.addMember(m_eventTargetData, "eventTargetData"); | 1294 info.addMember(m_eventTargetData, "eventTargetData"); |
| 1295 info.addMember(m_progressEventThrottle, "progressEventThrottle"); | 1295 info.addMember(m_progressEventThrottle, "progressEventThrottle"); |
| 1296 info.addMember(m_securityOrigin, "securityOrigin"); | 1296 info.addMember(m_securityOrigin, "securityOrigin"); |
| 1297 } | 1297 } |
| 1298 | 1298 |
| 1299 } // namespace WebCore | 1299 } // namespace WebCore |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13979011:
Block all scripts from setting unsafe headers in XMLHttpRequest (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master