1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
74 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque
st, SecurityOrigin* securityOrigin) | 74 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque
st, SecurityOrigin* securityOrigin) |
75 { | 75 { |
76 ResourceRequest preflightRequest(request.url()); | 76 ResourceRequest preflightRequest(request.url()); |
77 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); | 77 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); |
78 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS); | 78 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS); |
79 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method
, AtomicString(request.httpMethod())); | 79 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method
, AtomicString(request.httpMethod())); |
80 preflightRequest.setPriority(request.priority()); | 80 preflightRequest.setPriority(request.priority()); |
81 preflightRequest.setRequestContext(request.requestContext()); | 81 preflightRequest.setRequestContext(request.requestContext()); |
82 preflightRequest.setSkipServiceWorker(true); | 82 preflightRequest.setSkipServiceWorker(true); |
83 | 83 |
| 84 if (request.isExternalRequest()) |
| 85 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Ex
ternal, "true"); |
| 86 |
84 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); | 87 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); |
85 | 88 |
86 if (requestHeaderFields.size() > 0) { | 89 if (requestHeaderFields.size() > 0) { |
87 // Fetch API Spec: | 90 // Fetch API Spec: |
88 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 | 91 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 |
89 Vector<String> headers; | 92 Vector<String> headers; |
90 for (const auto& header : requestHeaderFields) { | 93 for (const auto& header : requestHeaderFields) { |
91 if (FetchUtils::isSimpleHeader(header.key, header.value)) { | 94 if (FetchUtils::isSimpleHeader(header.key, header.value)) { |
92 // Exclude simple headers. | 95 // Exclude simple headers. |
93 continue; | 96 continue; |
220 // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 | 223 // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 |
221 // https://crbug.com/452394 | 224 // https://crbug.com/452394 |
222 if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) { | 225 if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) { |
223 errorDescription = "Response for preflight has invalid HTTP status code
" + String::number(response.httpStatusCode()); | 226 errorDescription = "Response for preflight has invalid HTTP status code
" + String::number(response.httpStatusCode()); |
224 return false; | 227 return false; |
225 } | 228 } |
226 | 229 |
227 return true; | 230 return true; |
228 } | 231 } |
229 | 232 |
| 233 bool passesExternalPreflightCheck(const ResourceResponse& response, String& erro
rDescription) |
| 234 { |
| 235 AtomicString result = response.httpHeaderField(HTTPNames::Access_Control_All
ow_External); |
| 236 if (result.isNull()) { |
| 237 errorDescription = "No 'Access-Control-Allow-External' header was presen
t in the preflight response for this external request (This is an experimental h
eader which is defined in 'https://mikewest.github.io/cors-rfc1918/')."; |
| 238 return false; |
| 239 } |
| 240 if (!equalIgnoringCase(result, "true")) { |
| 241 errorDescription = "The 'Access-Control-Allow-External' header in the pr
eflight response for this external request had a value of '" + result + "', not
'true' (This is an experimental header which is defined in 'https://mikewest.gi
thub.io/cors-rfc1918/')."; |
| 242 return false; |
| 243 } |
| 244 return true; |
| 245 } |
| 246 |
230 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHea
derSet& headerSet) | 247 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHea
derSet& headerSet) |
231 { | 248 { |
232 Vector<String> headers; | 249 Vector<String> headers; |
233 headerValue.split(',', false, headers); | 250 headerValue.split(',', false, headers); |
234 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++)
{ | 251 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++)
{ |
235 String strippedHeader = headers[headerCount].stripWhiteSpace(); | 252 String strippedHeader = headers[headerCount].stripWhiteSpace(); |
236 if (!strippedHeader.isEmpty()) | 253 if (!strippedHeader.isEmpty()) |
237 headerSet.add(strippedHeader); | 254 headerSet.add(strippedHeader); |
238 } | 255 } |
239 } | 256 } |
294 newRequest.setHTTPOrigin(securityOrigin); | 311 newRequest.setHTTPOrigin(securityOrigin); |
295 // If the user didn't request credentials in the first place, update our | 312 // If the user didn't request credentials in the first place, update our |
296 // state so we neither request them nor expect they must be allowed. | 313 // state so we neither request them nor expect they must be allowed. |
297 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 314 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
298 options.allowCredentials = DoNotAllowStoredCredentials; | 315 options.allowCredentials = DoNotAllowStoredCredentials; |
299 } | 316 } |
300 return true; | 317 return true; |
301 } | 318 } |
302 | 319 |
303 } // namespace blink | 320 } // namespace blink |
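Review bot: The new `passesExternalPreflightCheck` (new lines 233–245) has no header comment stating its contract, and its second error message concatenates the server-supplied header value `result` verbatim into `errorDescription`, so a responding server controls part of whatever text the caller surfaces; the caller is outside this page, so where that string ends up cannot be confirmed here. I would add above the function a comment along the lines of `// Validates the preflight response for an external request (only sent when request.isExternalRequest(), see line 84): Access-Control-Allow-External must be present and equal to "true" (compared case-insensitively); a missing or different value fails closed and errorDescription says why.` Note that `result.isNull()` presumably distinguishes an absent header from a present-but-empty one — the empty case appears to fall through to the second message with an empty quoted value, which is worth stating in the comment or in a test. Consider bounding the length of `result` before it is embedded in the message, matching the way `passesPreflightStatusCheck` only reports a numeric status code.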