Use StringView for String::append and ::insert.

third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 117 matching lines @@
 {
     return detail + " Origin '" + securityOrigin->toString() + "' is therefore not allowed access.";
 }
 
 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription, WebURLRequest::RequestContext context)
 {
     DEFINE_THREAD_SAFE_STATIC_LOCAL(AtomicString, allowOriginHeaderName, (new AtomicString("access-control-allow-origin")));
     DEFINE_THREAD_SAFE_STATIC_LOCAL(AtomicString, allowCredentialsHeaderName, (new AtomicString("access-control-allow-credentials")));
     DEFINE_THREAD_SAFE_STATIC_LOCAL(AtomicString, allowSuboriginHeaderName, (new AtomicString("access-control-allow-suborigin")));
 
+    // TODO(esprehn): This code is using String::append extremely inefficiently
+    // causing tons of copies. It should pass around a StringBuilder instead.
+
     int statusCode = response.httpStatusCode();
 
     if (!statusCode) {
         errorDescription = buildAccessControlFailureMessage("Invalid response.", securityOrigin);
         return false;
     }
 
     const AtomicString& allowOriginHeaderValue = response.httpHeaderField(allowOriginHeaderName);
 
     // Check Suborigins, unless the Access-Control-Allow-Origin is '*',
@@ skipping 17 matching lines @@
 
             if (context == WebURLRequest::RequestContextXMLHttpRequest)
                 errorDescription.append(" The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.");
 
             return false;
         }
     } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) {
         if (allowOriginHeaderValue.isNull()) {
             errorDescription = buildAccessControlFailureMessage("No 'Access-Control-Allow-Origin' header is present on the requested resource.", securityOrigin);
 
-            if (isInterestingStatusCode(statusCode))
-                errorDescription.append(" The response had HTTP status code " + String::number(statusCode) + ".");
+            if (isInterestingStatusCode(statusCode)) {
+                errorDescription.append(" The response had HTTP status code ");
+                errorDescription.append(String::number(statusCode));
+                errorDescription.append('.');
+            }
 
             if (context == WebURLRequest::RequestContextFetch)
                 errorDescription.append(" If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
 
             return false;
         }
 
         String detail;
         if (allowOriginHeaderValue.getString().find(isOriginSeparator, 0) != kNotFound) {
             detail = "The 'Access-Control-Allow-Origin' header contains multiple values '" + allowOriginHeaderValue + "', but only one is allowed.";
@@ skipping 132 matching lines @@
         newRequest.setHTTPOrigin(securityOrigin);
         // If the user didn't request credentials in the first place, update our
         // state so we neither request them nor expect they must be allowed.
         if (options.credentialsRequested == ClientDidNotRequestCredentials)
             options.allowCredentials = DoNotAllowStoredCredentials;
     }
     return true;
 }
 
 } // namespace blink