Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(128)

Side by Side Diff: third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

Issue 1745083002: CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Test. Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after
74 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque st, SecurityOrigin* securityOrigin) 74 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& reque st, SecurityOrigin* securityOrigin)
75 { 75 {
76 ResourceRequest preflightRequest(request.url()); 76 ResourceRequest preflightRequest(request.url());
77 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials); 77 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials);
78 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS); 78 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS);
79 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method , AtomicString(request.httpMethod())); 79 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method , AtomicString(request.httpMethod()));
80 preflightRequest.setPriority(request.priority()); 80 preflightRequest.setPriority(request.priority());
81 preflightRequest.setRequestContext(request.requestContext()); 81 preflightRequest.setRequestContext(request.requestContext());
82 preflightRequest.setSkipServiceWorker(true); 82 preflightRequest.setSkipServiceWorker(true);
83 83
84 if (request.isExternalRequest())
85 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Ex ternal, "true");
86
84 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); 87 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
85 88
86 if (requestHeaderFields.size() > 0) { 89 if (requestHeaderFields.size() > 0) {
87 // Fetch API Spec: 90 // Fetch API Spec:
88 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 91 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
89 Vector<String> headers; 92 Vector<String> headers;
90 for (const auto& header : requestHeaderFields) { 93 for (const auto& header : requestHeaderFields) {
91 if (FetchUtils::isSimpleHeader(header.key, header.value)) { 94 if (FetchUtils::isSimpleHeader(header.key, header.value)) {
92 // Exclude simple headers. 95 // Exclude simple headers.
93 continue; 96 continue;
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after
220 // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 223 // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
221 // https://crbug.com/452394 224 // https://crbug.com/452394
222 if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) { 225 if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) {
223 errorDescription = "Response for preflight has invalid HTTP status code " + String::number(response.httpStatusCode()); 226 errorDescription = "Response for preflight has invalid HTTP status code " + String::number(response.httpStatusCode());
224 return false; 227 return false;
225 } 228 }
226 229
227 return true; 230 return true;
228 } 231 }
229 232
233 bool passesExternalPreflightCheck(const ResourceResponse& response, String& erro rDescription)
234 {
235 AtomicString result = response.httpHeaderField(HTTPNames::Access_Control_All ow_External);
236 if (result.isNull()) {
237 errorDescription = "No 'Access-Control-Allow-External' header was presen t in the preflight response for this external request (This is an experimental h eader which is defined in 'https://mikewest.github.io/cors-rfc1918/').";
238 return false;
239 }
240 if (!equalIgnoringCase(result, "true")) {
241 errorDescription = "The 'Access-Control-Allow-External' header in the pr eflight response for this external request had a value of '" + result + "', not 'true' (This is an experimental header which is defined in 'https://mikewest.gi thub.io/cors-rfc1918/').";
242 return false;
243 }
244 return true;
245 }
246
230 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHea derSet& headerSet) 247 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHea derSet& headerSet)
231 { 248 {
232 Vector<String> headers; 249 Vector<String> headers;
233 headerValue.split(',', false, headers); 250 headerValue.split(',', false, headers);
234 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) { 251 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) {
235 String strippedHeader = headers[headerCount].stripWhiteSpace(); 252 String strippedHeader = headers[headerCount].stripWhiteSpace();
236 if (!strippedHeader.isEmpty()) 253 if (!strippedHeader.isEmpty())
237 headerSet.add(strippedHeader); 254 headerSet.add(strippedHeader);
238 } 255 }
239 } 256 }
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after
294 newRequest.setHTTPOrigin(securityOrigin); 311 newRequest.setHTTPOrigin(securityOrigin);
295 // If the user didn't request credentials in the first place, update our 312 // If the user didn't request credentials in the first place, update our
296 // state so we neither request them nor expect they must be allowed. 313 // state so we neither request them nor expect they must be allowed.
297 if (options.credentialsRequested == ClientDidNotRequestCredentials) 314 if (options.credentialsRequested == ClientDidNotRequestCredentials)
298 options.allowCredentials = DoNotAllowStoredCredentials; 315 options.allowCredentials = DoNotAllowStoredCredentials;
299 } 316 }
300 return true; 317 return true;
301 } 318 }
302 319
303 } // namespace blink 320 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698