[WIP2] off-main-thread loading

third_party/WebKit/Source/platform/loader/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 132 matching lines @@
   builder.Append(
       " Have the server send the header with a valid value, or, if an "
       "opaque response serves your needs, set the request's mode to "
       "'no-cors' to fetch the resource with CORS disabled.");
 }
 
 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::CheckAccess(
     const ResourceResponse& response,
     StoredCredentials include_credentials,
     const SecurityOrigin* security_origin) {
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allow_origin_header_name,
-      (new AtomicString("access-control-allow-origin")));
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allow_credentials_header_name,
-      (new AtomicString("access-control-allow-credentials")));
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allow_suborigin_header_name,
-      (new AtomicString("access-control-allow-suborigin")));
-
+  static const char allow_origin_header_name[] = "access-control-allow-origin";
+  static const char allow_credentials_header_name[] =
+      "access-control-allow-credentials";
+  static const char allow_suborigin_header_name[] =
+      "access-control-allow-suborigin";
   int status_code = response.HttpStatusCode();
   if (!status_code)
     return kInvalidResponse;
 
   const AtomicString& allow_origin_header_value =
       response.HttpHeaderField(allow_origin_header_name);
 
   // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which
   // implies that all Suborigins are okay as well.
   if (security_origin->HasSuborigin() &&
       allow_origin_header_value != g_star_atom) {
     const AtomicString& allow_suborigin_header_value =
         response.HttpHeaderField(allow_suborigin_header_name);
     AtomicString atomic_suborigin_name(
         security_origin->GetSuborigin()->GetName());
     if (allow_suborigin_header_value != g_star_atom &&
         allow_suborigin_header_value != atomic_suborigin_name) {
       return kSubOriginMismatch;
     }
   }
 
-  if (allow_origin_header_value == g_star_atom) {
+  if (allow_origin_header_value == "*") {
     // A wildcard Access-Control-Allow-Origin can not be used if credentials are
     // to be sent, even with Access-Control-Allow-Credentials set to true.
     if (include_credentials == kDoNotAllowStoredCredentials)
       return kAccessAllowed;
     if (response.IsHTTP()) {
       return kWildcardOriginNotAllowed;
     }
   } else if (allow_origin_header_value != security_origin->ToAtomicString()) {
     if (allow_origin_header_value.IsNull())
       return kMissingAllowOriginHeader;
@@ skipping 340 matching lines @@
     //
     // This is equivalent to the step 2 in
     // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
     if (options.credentials_requested == kClientDidNotRequestCredentials)
       options.allow_credentials = kDoNotAllowStoredCredentials;
   }
   return true;
 }
 
 }  // namespace blink