Source/core/fetch/CrossOriginAccessControl.cpp - Issue 149643003: Improve handling of CORS redirects for some resource loads.

Side by Side Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 149643003: Improve handling of CORS redirects for some resource loads. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Compile fix (struct/class mismatch on fwd decl) Created 6 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.	2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.

3 *	3 *

4 * Redistribution and use in source and binary forms, with or without	4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions	5 * modification, are permitted provided that the following conditions

6 * are met:	6 * are met:

7 * 1. Redistributions of source code must retain the above copyright	7 * 1. Redistributions of source code must retain the above copyright

8 * notice, this list of conditions and the following disclaimer.	8 * notice, this list of conditions and the following disclaimer.

9 * 2. Redistributions in binary form must reproduce the above copyright	9 * 2. Redistributions in binary form must reproduce the above copyright

10 * notice, this list of conditions and the following disclaimer in the	10 * notice, this list of conditions and the following disclaimer in the

11 * documentation and/or other materials provided with the distribution.	11 * documentation and/or other materials provided with the distribution.

12 *	12 *

13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY	13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY

14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE	14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR	15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR	16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR

17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,	17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,	18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR	19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY	20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT	21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

24 *	24 *

25 */	25 */

26	26

27 #include "config.h"	27 #include "config.h"

28 #include "core/fetch/CrossOriginAccessControl.h"	28 #include "core/fetch/CrossOriginAccessControl.h"

29	29

	30 #include "core/fetch/Resource.h"

	31 #include "core/fetch/ResourceLoaderOptions.h"

30 #include "platform/network/HTTPParsers.h"	32 #include "platform/network/HTTPParsers.h"

	33 #include "platform/network/ResourceRequest.h"

31 #include "platform/network/ResourceResponse.h"	34 #include "platform/network/ResourceResponse.h"

	35 #include "platform/weborigin/SchemeRegistry.h"

32 #include "platform/weborigin/SecurityOrigin.h"	36 #include "platform/weborigin/SecurityOrigin.h"

33 #include "wtf/Threading.h"	37 #include "wtf/Threading.h"

34 #include "wtf/text/AtomicString.h"	38 #include "wtf/text/AtomicString.h"

35 #include "wtf/text/StringBuilder.h"	39 #include "wtf/text/StringBuilder.h"

36	40

37 namespace WebCore {	41 namespace WebCore {

38	42

39 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)	43 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)

40 {	44 {

41 return method == "GET" \|\| method == "HEAD" \|\| method == "POST";	45 return method == "GET" \|\| method == "HEAD" \|\| method == "POST";

(...skipping 154 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
196 {	200 {

197 Vector<String> headers;	201 Vector<String> headers;

198 headerValue.split(',', false, headers);	202 headerValue.split(',', false, headers);

199 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) {	203 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) {

200 String strippedHeader = headers[headerCount].stripWhiteSpace();	204 String strippedHeader = headers[headerCount].stripWhiteSpace();

201 if (!strippedHeader.isEmpty())	205 if (!strippedHeader.isEmpty())

202 headerSet.add(strippedHeader);	206 headerSet.add(strippedHeader);

203 }	207 }

204 }	208 }

205	209

	210 bool CrossOriginAccessControl::isLegalRedirectLocation(const KURL& requestUrl, S tring& errorDescription)

	211 {

	212 // CORS restrictions imposed on Location: URL -- http://www.w3.org/TR/cors/# redirect-steps (steps 2 + 3.)

	213 if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(requestUrl.protocol() )) {

	214 errorDescription = "The request was redirected to a URL ('" + requestUrl .string() + "') which has a disallowed scheme for cross-origin requests.";

	215 return false;

	216 }

	217

	218 if (!(requestUrl.user().isEmpty() && requestUrl.pass().isEmpty())) {

	219 errorDescription = "The request was redirected to a URL ('" + requestUrl .string() + "') containing userinfo, which is disallowed for cross-origin reques ts.";

	220 return false;

	221 }

	222

	223 return true;

	224 }

	225

	226 bool CrossOriginAccessControl::handleRedirect(Resource* resource, SecurityOrigin * securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResp onse, ResourceLoaderOptions& options, String& errorMessage)

	227 {

	228 // http://www.w3.org/TR/cors/#redirect-steps terminology:

	229 const KURL& originalUrl = redirectResponse.url();
	abarth-chromium 2014/02/05 08:20:44 s/Url/URL/ s/Url/URL/ sof 2014/02/05 10:05:42 Alright, I'll follow that convention -- done. Show quoted text On 2014/02/05 08:20:44, abarth wrote: > s/Url/URL/ Alright, I'll follow that convention -- done.
	230 const KURL& requestUrl = request.url();

	231

	232 bool redirectCrossOrigin = !securityOrigin->canRequest(requestUrl);

	233

	234 // Same-origin request URLs that redirect are allowed without checking acces s.

	235 if (!securityOrigin->canRequest(originalUrl)) {

	236 // Follow http://www.w3.org/TR/cors/#redirect-steps

	237 String errorDescription;

	238

	239 // Steps 3 & 4 - check if scheme and other URL restrictions hold.

	240 bool allowRedirect = isLegalRedirectLocation(requestUrl, errorDescriptio n);

	241 if (allowRedirect) {

	242 // Step 5: perform resource sharing access check.

	243 StoredCredentials withCredentials = resource->resourceRequest().allo wCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials;

	244 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede ntials, securityOrigin, errorDescription);

	245 if (allowRedirect) {

	246 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o riginalUrl);

	247 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(re questUrl);

	248 // Step 6: if the request URL origin is not same origin as the o riginal URL's,

	249 // set the source origin to a globally unique identifier.

	250 if (!originalOrigin->isSameSchemeHostPort(requestOrigin.get())) {
	abarth-chromium 2014/02/05 08:20:44 we should probably use: originalOrigin->canReques we should probably use: originalOrigin->canRequest(requestUrl) In spec-land, this check is symmetric, but in implementation-land, we need to deal with privileged origins that can request URLs from a whitelist of origins. sof 2014/02/05 10:05:42 I see; we do want to avoid "degenerating" to uniqu Show quoted text On 2014/02/05 08:20:44, abarth wrote: > we should probably use: > > originalOrigin->canRequest(requestUrl) > > In spec-land, this check is symmetric, but in implementation-land, we need to > deal with privileged origins that can request URLs from a whitelist of origins. I see; we do want to avoid "degenerating" to unique origin for those, so switched to using that predicate.
	251 options.securityOrigin = SecurityOrigin::createUnique();

	252 securityOrigin = options.securityOrigin.get();

	253 }

	254 }

	255 }

	256 if (!allowRedirect) {

	257 const String& originalOrigin = SecurityOrigin::create(originalUrl)-> toString();

	258 errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescript ion;

	259 return false;

	260 }

	261 }

	262 if (redirectCrossOrigin) {

	263 // If now to a different origin, update/set Origin:.

	264 request.clearHTTPOrigin();

	265 request.setHTTPOrigin(securityOrigin->toAtomicString());

	266 // If the user didn't request credentials in the first place, update our

	267 // state so we neither request them nor expect they must be allowed.

	268 if (options.credentialsRequested == ClientDidNotRequestCredentials)

	269 options.allowCredentials = DoNotAllowStoredCredentials;

	270 }

	271 return true;

	272 }

	273

206 } // namespace WebCore	274 } // namespace WebCore

OLD	NEW