| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved. |
| 3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org> | 3 * Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org> |
| 4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org> | 4 * Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org> |
| 5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved. | 5 * Copyright (C) 2008, 2011 Google Inc. All rights reserved. |
| 6 * Copyright (C) 2012 Intel Corporation | 6 * Copyright (C) 2012 Intel Corporation |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Lesser General Public | 9 * modify it under the terms of the GNU Lesser General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 93 ~ScopedEventDispatchProtect() | 93 ~ScopedEventDispatchProtect() |
| 94 { | 94 { |
| 95 ASSERT(*m_level > 0); | 95 ASSERT(*m_level > 0); |
| 96 --*m_level; | 96 --*m_level; |
| 97 } | 97 } |
| 98 | 98 |
| 99 private: | 99 private: |
| 100 int* const m_level; | 100 int* const m_level; |
| 101 }; | 101 }; |
| 102 | 102 |
| 103 bool isSetCookieHeader(const AtomicString& name) | |
| 104 { | |
| 105 return equalIgnoringCase(name, "set-cookie") || equalIgnoringCase(name, "set
-cookie2"); | |
| 106 } | |
| 107 | |
| 108 void replaceCharsetInMediaType(String& mediaType, const String& charsetValue) | 103 void replaceCharsetInMediaType(String& mediaType, const String& charsetValue) |
| 109 { | 104 { |
| 110 unsigned pos = 0, len = 0; | 105 unsigned pos = 0, len = 0; |
| 111 | 106 |
| 112 findCharsetInMediaType(mediaType, pos, len); | 107 findCharsetInMediaType(mediaType, pos, len); |
| 113 | 108 |
| 114 if (!len) { | 109 if (!len) { |
| 115 // When no charset found, do nothing. | 110 // When no charset found, do nothing. |
| 116 return; | 111 return; |
| 117 } | 112 } |
| (...skipping 1105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1223 { | 1218 { |
| 1224 if (m_state < HEADERS_RECEIVED || m_error) | 1219 if (m_state < HEADERS_RECEIVED || m_error) |
| 1225 return ""; | 1220 return ""; |
| 1226 | 1221 |
| 1227 StringBuilder stringBuilder; | 1222 StringBuilder stringBuilder; |
| 1228 | 1223 |
| 1229 HTTPHeaderSet accessControlExposeHeaderSet; | 1224 HTTPHeaderSet accessControlExposeHeaderSet; |
| 1230 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-
Control-Expose-Headers"), accessControlExposeHeaderSet); | 1225 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-
Control-Expose-Headers"), accessControlExposeHeaderSet); |
| 1231 HTTPHeaderMap::const_iterator end = m_response.httpHeaderFields().end(); | 1226 HTTPHeaderMap::const_iterator end = m_response.httpHeaderFields().end(); |
| 1232 for (HTTPHeaderMap::const_iterator it = m_response.httpHeaderFields().begin(
); it!= end; ++it) { | 1227 for (HTTPHeaderMap::const_iterator it = m_response.httpHeaderFields().begin(
); it!= end; ++it) { |
| 1233 // Hide Set-Cookie header fields from the XMLHttpRequest client for thes
e reasons: | 1228 // Hide any headers whose name is a forbidden response-header name. |
| 1234 // 1) If the client did have access to the fields, then it could rea
d HTTP-only | 1229 // This is required for all kinds of filtered responses. |
| 1235 // cookies; those cookies are supposed to be hidden from scripts. | 1230 // |
| 1236 // 2) There's no known harm in hiding Set-Cookie header fields entir
ely; we don't | 1231 // TODO: Consider removing canLoadLocalResources() call. |
| 1237 // know any widely used technique that requires access to them. | 1232 // crbug.com/567527 |
| 1238 // 3) Firefox has implemented this policy. | 1233 if (FetchUtils::isForbiddenResponseHeaderName(it->key) && !securityOrigi
n()->canLoadLocalResources()) |
| 1239 if (isSetCookieHeader(it->key) && !securityOrigin()->canLoadLocalResourc
es()) | |
| 1240 continue; | 1234 continue; |
| 1241 | 1235 |
| 1242 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it
->key) && !accessControlExposeHeaderSet.contains(it->key)) | 1236 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it
->key) && !accessControlExposeHeaderSet.contains(it->key)) |
| 1243 continue; | 1237 continue; |
| 1244 | 1238 |
| 1245 stringBuilder.append(it->key); | 1239 stringBuilder.append(it->key); |
| 1246 stringBuilder.append(':'); | 1240 stringBuilder.append(':'); |
| 1247 stringBuilder.append(' '); | 1241 stringBuilder.append(' '); |
| 1248 stringBuilder.append(it->value); | 1242 stringBuilder.append(it->value); |
| 1249 stringBuilder.append('\r'); | 1243 stringBuilder.append('\r'); |
| 1250 stringBuilder.append('\n'); | 1244 stringBuilder.append('\n'); |
| 1251 } | 1245 } |
| 1252 | 1246 |
| 1253 return stringBuilder.toString(); | 1247 return stringBuilder.toString(); |
| 1254 } | 1248 } |
| 1255 | 1249 |
| 1256 const AtomicString& XMLHttpRequest::getResponseHeader(const AtomicString& name)
const | 1250 const AtomicString& XMLHttpRequest::getResponseHeader(const AtomicString& name)
const |
| 1257 { | 1251 { |
| 1258 if (m_state < HEADERS_RECEIVED || m_error) | 1252 if (m_state < HEADERS_RECEIVED || m_error) |
| 1259 return nullAtom; | 1253 return nullAtom; |
| 1260 | 1254 |
| 1261 // See comment in getAllResponseHeaders above. | 1255 // See comment in getAllResponseHeaders above. |
| 1262 if (isSetCookieHeader(name) && !securityOrigin()->canLoadLocalResources()) { | 1256 if (FetchUtils::isForbiddenResponseHeaderName(name) && !securityOrigin()->ca
nLoadLocalResources()) { |
| 1263 logConsoleError(executionContext(), "Refused to get unsafe header \"" +
name + "\""); | 1257 logConsoleError(executionContext(), "Refused to get unsafe header \"" +
name + "\""); |
| 1264 return nullAtom; | 1258 return nullAtom; |
| 1265 } | 1259 } |
| 1266 | 1260 |
| 1267 HTTPHeaderSet accessControlExposeHeaderSet; | 1261 HTTPHeaderSet accessControlExposeHeaderSet; |
| 1268 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-
Control-Expose-Headers"), accessControlExposeHeaderSet); | 1262 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-
Control-Expose-Headers"), accessControlExposeHeaderSet); |
| 1269 | 1263 |
| 1270 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name)
&& !accessControlExposeHeaderSet.contains(name)) { | 1264 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name)
&& !accessControlExposeHeaderSet.contains(name)) { |
| 1271 logConsoleError(executionContext(), "Refused to get unsafe header \"" +
name + "\""); | 1265 logConsoleError(executionContext(), "Refused to get unsafe header \"" +
name + "\""); |
| 1272 return nullAtom; | 1266 return nullAtom; |
| (...skipping 436 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1709 visitor->trace(m_responseDocumentParser); | 1703 visitor->trace(m_responseDocumentParser); |
| 1710 visitor->trace(m_progressEventThrottle); | 1704 visitor->trace(m_progressEventThrottle); |
| 1711 visitor->trace(m_upload); | 1705 visitor->trace(m_upload); |
| 1712 visitor->trace(m_blobLoader); | 1706 visitor->trace(m_blobLoader); |
| 1713 XMLHttpRequestEventTarget::trace(visitor); | 1707 XMLHttpRequestEventTarget::trace(visitor); |
| 1714 DocumentParserClient::trace(visitor); | 1708 DocumentParserClient::trace(visitor); |
| 1715 ActiveDOMObject::trace(visitor); | 1709 ActiveDOMObject::trace(visitor); |
| 1716 } | 1710 } |
| 1717 | 1711 |
| 1718 } // namespace blink | 1712 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1506803002:
[XHR] Replace isSetCookieHeader() with isForbiddenResponseHeaderName() (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master