Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(195)

Unified Diff: net/http/http_response_headers.cc

Issue 18533: Merge r5767 - Protect cookie headers from XHR... (Closed) Base URL: svn://chrome-svn/chrome/branches/release_154.next/src/
Patch Set: Created 11 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/http/http_response_headers.h ('k') | net/http/http_response_headers_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_response_headers.cc
===================================================================
--- net/http/http_response_headers.cc (revision 8522)
+++ net/http/http_response_headers.cc (working copy)
@@ -24,22 +24,32 @@
namespace {
-// These response headers are not persisted in a cached representation of the
-// response headers. (This list comes from Mozilla's nsHttpResponseHead.cpp)
-const char* const kTransientHeaders[] = {
+// These headers are RFC 2616 hop-by-hop headers;
+// not to be stored by caches.
+const char* const kHopByHopResponseHeaders[] = {
"connection",
"proxy-connection",
"keep-alive",
- "www-authenticate",
- "proxy-authenticate",
"trailer",
"transfer-encoding",
- "upgrade",
+ "upgrade"
+};
+
+// These headers are challenge response headers;
+// not to be stored by caches.
+const char* const kChallengeResponseHeaders[] = {
+ "www-authenticate",
+ "proxy-authenticate"
+};
+
+// These headers are cookie setting headers;
+// not to be stored by caches or disclosed otherwise.
+const char* const kCookieResponseHeaders[] = {
"set-cookie",
"set-cookie2"
};
-// These respones headers are not copied from a 304/206 response to the cached
+// These response headers are not copied from a 304/206 response to the cached
// response headers. This list is based on Mozilla's nsHttpResponseHead.cpp.
const char* const kNonUpdatedHeaders[] = {
"connection",
@@ -87,41 +97,56 @@
Parse(raw_input);
}
-void HttpResponseHeaders::Persist(Pickle* pickle, bool for_cache) {
- if (for_cache) {
- HeaderSet transient_headers;
- GetTransientHeaders(&transient_headers);
+void HttpResponseHeaders::Persist(Pickle* pickle, PersistOptions options) {
+ if (options == PERSIST_RAW) {
+ pickle->WriteString(raw_headers_);
+ return; // Done.
+ }
- std::string blob;
- blob.reserve(raw_headers_.size());
+ HeaderSet filter_headers;
- // this just copies the status line w/ terminator
- blob.assign(raw_headers_.c_str(), strlen(raw_headers_.c_str()) + 1);
+ // Construct set of headers to filter out based on options.
+ if ((options & PERSIST_SANS_NON_CACHEABLE) == PERSIST_SANS_NON_CACHEABLE)
+ AddNonCacheableHeaders(&filter_headers);
- for (size_t i = 0; i < parsed_.size(); ++i) {
- DCHECK(!parsed_[i].is_continuation());
+ if ((options & PERSIST_SANS_COOKIES) == PERSIST_SANS_COOKIES)
+ AddCookieHeaders(&filter_headers);
- // locate the start of the next header
- size_t k = i;
- while (++k < parsed_.size() && parsed_[k].is_continuation());
- --k;
+ if ((options & PERSIST_SANS_CHALLENGES) == PERSIST_SANS_CHALLENGES)
+ AddChallengeHeaders(&filter_headers);
- std::string header_name(parsed_[i].name_begin, parsed_[i].name_end);
- StringToLowerASCII(&header_name);
+ if ((options & PERSIST_SANS_HOP_BY_HOP) == PERSIST_SANS_HOP_BY_HOP)
+ AddHopByHopHeaders(&filter_headers);
- if (transient_headers.find(header_name) == transient_headers.end()) {
- // includes terminator
- blob.append(parsed_[i].name_begin, parsed_[k].value_end + 1);
- }
+ std::string blob;
+ blob.reserve(raw_headers_.size());
- i = k;
+ // This copies the status line w/ terminator null.
+ // Note raw_headers_ has embedded nulls instead of \n,
+ // so this just copies the first header line.
+ blob.assign(raw_headers_.c_str(), strlen(raw_headers_.c_str()) + 1);
+
+ for (size_t i = 0; i < parsed_.size(); ++i) {
+ DCHECK(!parsed_[i].is_continuation());
+
+ // Locate the start of the next header.
+ size_t k = i;
+ while (++k < parsed_.size() && parsed_[k].is_continuation());
+ --k;
+
+ std::string header_name(parsed_[i].name_begin, parsed_[i].name_end);
+ StringToLowerASCII(&header_name);
+
+ if (filter_headers.find(header_name) == filter_headers.end()) {
+ // Includes terminator null due to the + 1.
+ blob.append(parsed_[i].name_begin, parsed_[k].value_end + 1);
}
- blob.push_back('\0');
- pickle->WriteString(blob);
- } else {
- pickle->WriteString(raw_headers_);
+ i = k;
}
+ blob.push_back('\0');
+
+ pickle->WriteString(blob);
}
void HttpResponseHeaders::Update(const HttpResponseHeaders& new_headers) {
@@ -554,7 +579,7 @@
parsed_.push_back(header);
}
-void HttpResponseHeaders::GetTransientHeaders(HeaderSet* result) const {
+void HttpResponseHeaders::AddNonCacheableHeaders(HeaderSet* result) const {
// Add server specified transients. Any 'cache-control: no-cache="foo,bar"'
// headers present in the response specify additional headers that we should
// not store in the cache.
@@ -599,13 +624,23 @@
}
}
}
+}
- // Add standard transient headers. Perhaps we should move this to a
- // statically cached hash_set to avoid duplicated work?
- for (size_t i = 0; i < arraysize(kTransientHeaders); ++i)
- result->insert(std::string(kTransientHeaders[i]));
+void HttpResponseHeaders::AddHopByHopHeaders(HeaderSet* result) {
+ for (size_t i = 0; i < arraysize(kHopByHopResponseHeaders); ++i)
+ result->insert(std::string(kHopByHopResponseHeaders[i]));
}
+void HttpResponseHeaders::AddCookieHeaders(HeaderSet* result) {
+ for (size_t i = 0; i < arraysize(kCookieResponseHeaders); ++i)
+ result->insert(std::string(kCookieResponseHeaders[i]));
+}
+
+void HttpResponseHeaders::AddChallengeHeaders(HeaderSet* result) {
+ for (size_t i = 0; i < arraysize(kChallengeResponseHeaders); ++i)
+ result->insert(std::string(kChallengeResponseHeaders[i]));
+}
+
void HttpResponseHeaders::GetMimeTypeAndCharset(std::string* mime_type,
std::string* charset) const {
mime_type->clear();
« no previous file with comments | « net/http/http_response_headers.h ('k') | net/http/http_response_headers_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698