| 1 /* | 1 /* |
| 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| 11 * documentation and/or other materials provided with the distribution. | 11 * documentation and/or other materials provided with the distribution. |
| 12 * | 12 * |
| 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY | 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY |
| 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR | 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR |
| 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 24 * | 24 * |
| 25 */ | 25 */ |
| 26 | 26 |
| 27 #include "core/fetch/CrossOriginAccessControl.h" | 27 #include "core/fetch/CrossOriginAccessControl.h" |
| 28 | 28 |
| 29 #include "core/fetch/FetchUtils.h" |
| 29 #include "core/fetch/Resource.h" | 30 #include "core/fetch/Resource.h" |
| 30 #include "core/fetch/ResourceLoaderOptions.h" | 31 #include "core/fetch/ResourceLoaderOptions.h" |
| 31 #include "platform/network/HTTPParsers.h" | 32 #include "platform/network/HTTPParsers.h" |
| 32 #include "platform/network/ResourceRequest.h" | 33 #include "platform/network/ResourceRequest.h" |
| 33 #include "platform/network/ResourceResponse.h" | 34 #include "platform/network/ResourceResponse.h" |
| 34 #include "platform/weborigin/SchemeRegistry.h" | 35 #include "platform/weborigin/SchemeRegistry.h" |
| 35 #include "platform/weborigin/SecurityOrigin.h" | 36 #include "platform/weborigin/SecurityOrigin.h" |
| 36 #include "wtf/Threading.h" | 37 #include "wtf/Threading.h" |
| 37 #include "wtf/text/AtomicString.h" | 38 #include "wtf/text/AtomicString.h" |
| 38 #include "wtf/text/StringBuilder.h" | 39 #include "wtf/text/StringBuilder.h" |
| 76 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); | 77 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt
oredCredentials); |
| 77 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS); | 78 preflightRequest.setHTTPMethod(HTTPNames::OPTIONS); |
| 78 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method
, AtomicString(request.httpMethod())); | 79 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method
, AtomicString(request.httpMethod())); |
| 79 preflightRequest.setPriority(request.priority()); | 80 preflightRequest.setPriority(request.priority()); |
| 80 preflightRequest.setRequestContext(request.requestContext()); | 81 preflightRequest.setRequestContext(request.requestContext()); |
| 81 preflightRequest.setSkipServiceWorker(true); | 82 preflightRequest.setSkipServiceWorker(true); |
| 82 | 83 |
| 83 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); | 84 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); |
| 84 | 85 |
| 85 if (requestHeaderFields.size() > 0) { | 86 if (requestHeaderFields.size() > 0) { |
| 86 // Sort header names lexicographically: https://crbug.com/452391 | |
| 87 // Fetch API Spec: | 87 // Fetch API Spec: |
| 88 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 | 88 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 |
| 89 Vector<String> headers; | 89 Vector<String> headers; |
| 90 for (const auto& header : requestHeaderFields) { | 90 for (const auto& header : requestHeaderFields) { |
| 91 if (FetchUtils::isSimpleHeader(header.key, header.value)) { |
| 92 // Exclude simple headers. |
| 93 continue; |
| 94 } |
| 91 if (equalIgnoringCase(header.key, "referer")) { | 95 if (equalIgnoringCase(header.key, "referer")) { |
| 92 // When the request is from a Worker, referrer header was added | 96 // When the request is from a Worker, referrer header was added |
| 93 // by WorkerThreadableLoader. But it should not be added to | 97 // by WorkerThreadableLoader. But it should not be added to |
| 94 // Access-Control-Request-Headers header. | 98 // Access-Control-Request-Headers header. |
| 95 continue; | 99 continue; |
| 96 } | 100 } |
| 97 if (equalIgnoringCase(header.key, "save-data")) { | |
| 98 // As a short-term fix, exclude Save-Data from | |
| 99 // Access-Control-Request-Headers header. | |
| 100 // TODO(rajendrant): crbug.com/601092 Longer-term all simple | |
| 101 // headers should be excluded as well. | |
| 102 continue; | |
| 103 } | |
| 104 headers.append(header.key.lower()); | 101 headers.append(header.key.lower()); |
| 105 } | 102 } |
| 103 // Sort header names lexicographically. |
| 106 std::sort(headers.begin(), headers.end(), WTF::codePointCompareLessThan)
; | 104 std::sort(headers.begin(), headers.end(), WTF::codePointCompareLessThan)
; |
| 107 StringBuilder headerBuffer; | 105 StringBuilder headerBuffer; |
| 108 for (const String& header : headers) { | 106 for (const String& header : headers) { |
| 109 if (!headerBuffer.isEmpty()) | 107 if (!headerBuffer.isEmpty()) |
| 110 headerBuffer.appendLiteral(", "); | 108 headerBuffer.appendLiteral(", "); |
| 111 headerBuffer.append(header); | 109 headerBuffer.append(header); |
| 112 } | 110 } |
| 113 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_He
aders, AtomicString(headerBuffer.toString())); | 111 preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_He
aders, AtomicString(headerBuffer.toString())); |
| 114 } | 112 } |
| 115 | 113 |
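Review bot: After the new isSimpleHeader filter on lines 91-94 the `headers` vector can be empty even though the `requestHeaderFields.size() > 0` test on line 86 passed, so line 111 then sets an empty `Access-Control-Request-Headers:` on the preflight; the guard looks at the unfiltered map, not the filtered list. Before this change that only happened when Referer was the sole header, but now any request whose headers are all simple (a PUT carrying just Accept and a simple Content-Type, say) hits it, and as I read the Fetch algorithm linked on line 88 the header is only added when the list is non-empty, so servers doing a strict preflight comparison may see a header that should be absent. Guard on the filtered list instead: `if (!headers.isEmpty()) preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Headers, AtomicString(headerBuffer.toString()));` (or move the emptiness check to after the loop). The comment on line 92 could also say why the value is passed to `isSimpleHeader` — presumably because some headers such as Content-Type are only simple for certain values; worth confirming against FetchUtils. The enclosing function starts before the hunk.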
| 296 newRequest.setHTTPOrigin(securityOrigin); | 294 newRequest.setHTTPOrigin(securityOrigin); |
| 297 // If the user didn't request credentials in the first place, update our | 295 // If the user didn't request credentials in the first place, update our |
| 298 // state so we neither request them nor expect they must be allowed. | 296 // state so we neither request them nor expect they must be allowed. |
| 299 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 297 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
| 300 options.allowCredentials = DoNotAllowStoredCredentials; | 298 options.allowCredentials = DoNotAllowStoredCredentials; |
| 301 } | 299 } |
| 302 return true; | 300 return true; |
| 303 } | 301 } |
| 304 | 302 |
| 305 } // namespace blink | 303 } // namespace blink |