| OLD | NEW |
|---|
| (Empty) |
| 1 /* | |
| 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | |
| 3 * | |
| 4 * Redistribution and use in source and binary forms, with or without | |
| 5 * modification, are permitted provided that the following conditions | |
| 6 * are met: | |
| 7 * 1. Redistributions of source code must retain the above copyright | |
| 8 * notice, this list of conditions and the following disclaimer. | |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | |
| 10 * notice, this list of conditions and the following disclaimer in the | |
| 11 * documentation and/or other materials provided with the distribution. | |
| 12 * | |
| 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY | |
| 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
| 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR | |
| 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | |
| 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | |
| 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | |
| 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | |
| 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
| 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
| 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 24 * | |
| 25 */ | |
| 26 | |
| 27 #ifndef CrossOriginAccessControl_h | |
| 28 #define CrossOriginAccessControl_h | |
| 29 | |
| 30 #include "core/CoreExport.h" | |
| 31 #include "core/fetch/ResourceLoaderOptions.h" | |
| 32 #include "platform/network/ResourceRequest.h" | |
| 33 #include "wtf/Allocator.h" | |
| 34 #include "wtf/Forward.h" | |
| 35 #include "wtf/HashSet.h" | |
| 36 #include "wtf/PassRefPtr.h" | |
| 37 | |
| 38 namespace blink { | |
| 39 | |
| 40 using HTTPHeaderSet = HashSet<String, CaseFoldingHash>; | |
| 41 | |
| 42 struct ResourceLoaderOptions; | |
| 43 class ResourceRequest; | |
| 44 class ResourceResponse; | |
| 45 class SecurityOrigin; | |
| 46 | |
| 47 class CrossOriginAccessControl { | |
| 48 STATIC_ONLY(CrossOriginAccessControl); | |
| 49 | |
| 50 public: | |
| 51 // Enumerating the error conditions that the CORS | |
| 52 // access control check can report, including success. | |
| 53 // | |
| 54 // See |checkAccess()| and |accessControlErrorString()| which respectively | |
| 55 // produce and consume these error values, for precise meaning. | |
| 56 enum AccessStatus { | |
| 57 kAccessAllowed, | |
| 58 kInvalidResponse, | |
| 59 kAllowOriginMismatch, | |
| 60 kSubOriginMismatch, | |
| 61 kWildcardOriginNotAllowed, | |
| 62 kMissingAllowOriginHeader, | |
| 63 kMultipleAllowOriginValues, | |
| 64 kInvalidAllowOriginValue, | |
| 65 kDisallowCredentialsNotSetToTrue, | |
| 66 }; | |
| 67 | |
| 68 // Enumerating the error conditions that CORS preflight | |
| 69 // can report, including success. | |
| 70 // | |
| 71 // See |checkPreflight()| methods and |preflightErrorString()| which | |
| 72 // respectively produce and consume these error values, for precise meaning. | |
| 73 enum PreflightStatus { | |
| 74 kPreflightSuccess, | |
| 75 kPreflightInvalidStatus, | |
| 76 // "Access-Control-Allow-External:" | |
| 77 // ( https://wicg.github.io/cors-rfc1918/#headers ) specific error | |
| 78 // conditions: | |
| 79 kPreflightMissingAllowExternal, | |
| 80 kPreflightInvalidAllowExternal, | |
| 81 }; | |
| 82 | |
| 83 // Enumerating the error conditions that CORS redirect target URL | |
| 84 // checks can report, including success. | |
| 85 // | |
| 86 // See |checkRedirectLocation()| methods and |redirectErrorString()| which | |
| 87 // respectively produce and consume these error values, for precise meaning. | |
| 88 enum RedirectStatus { | |
| 89 kRedirectSuccess, | |
| 90 kRedirectDisallowedScheme, | |
| 91 kRedirectContainsCredentials, | |
| 92 }; | |
| 93 | |
| 94 // Perform a CORS access check on the response. Returns |kAccessAllowed| if | |
| 95 // access is allowed. Use |accessControlErrorString()| to construct a | |
| 96 // user-friendly error message for any of the other (error) conditions. | |
| 97 static AccessStatus checkAccess(const ResourceResponse&, | |
| 98 StoredCredentials, | |
| 99 const SecurityOrigin*); | |
| 100 | |
| 101 // Perform the required CORS checks on the response to a preflight request. | |
| 102 // Returns |kPreflightSuccess| if preflight response was successful. | |
| 103 // Use |preflightErrorString()| to construct a user-friendly error message | |
| 104 // for any of the other (error) conditions. | |
| 105 static PreflightStatus checkPreflight(const ResourceResponse&); | |
| 106 | |
| 107 // Error checking for the currently experimental | |
| 108 // "Access-Control-Allow-External:" header. Shares error conditions with | |
| 109 // standard preflight checking. | |
| 110 static PreflightStatus checkExternalPreflight(const ResourceResponse&); | |
| 111 | |
| 112 // Given a redirected-to URL, check if the location is allowed | |
| 113 // according to CORS. That is: | |
| 114 // - the URL has a CORS supported scheme and | |
| 115 // - the URL does not contain the userinfo production. | |
| 116 // | |
| 117 // Returns |kRedirectSuccess| in all other cases. Use | |
| 118 // |redirectErrorString()| to construct a user-friendly error | |
| 119 // message for any of the error conditions. | |
| 120 static RedirectStatus checkRedirectLocation(const KURL&); | |
| 121 | |
| 122 static bool handleRedirect(PassRefPtr<SecurityOrigin>, | |
| 123 ResourceRequest&, | |
| 124 const ResourceResponse&, | |
| 125 StoredCredentials, | |
| 126 ResourceLoaderOptions&, | |
| 127 String&); | |
| 128 | |
| 129 // Stringify errors from CORS access checks, preflight or redirect checks. | |
| 130 static void accessControlErrorString(StringBuilder&, | |
| 131 AccessStatus, | |
| 132 const ResourceResponse&, | |
| 133 const SecurityOrigin*, | |
| 134 WebURLRequest::RequestContext); | |
| 135 static void preflightErrorString(StringBuilder&, | |
| 136 PreflightStatus, | |
| 137 const ResourceResponse&); | |
| 138 static void redirectErrorString(StringBuilder&, RedirectStatus, const KURL&); | |
| 139 }; | |
| 140 | |
| 141 // TODO: also migrate these into the above static class. | |
| 142 CORE_EXPORT bool isOnAccessControlResponseHeaderWhitelist(const String&); | |
| 143 | |
| 144 CORE_EXPORT ResourceRequest | |
| 145 createAccessControlPreflightRequest(const ResourceRequest&); | |
| 146 | |
| 147 CORE_EXPORT void parseAccessControlExposeHeadersAllowList( | |
| 148 const String& headerValue, | |
| 149 HTTPHeaderSet&); | |
| 150 CORE_EXPORT void extractCorsExposedHeaderNamesList(const ResourceResponse&, | |
| 151 HTTPHeaderSet&); | |
| 152 | |
| 153 } // namespace blink | |
| 154 | |
| 155 #endif // CrossOriginAccessControl_h | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2584423002:
Loading: move core/fetch to platform/loader/fetch (Closed)
