1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
143 builder.Append( | 143 builder.Append( |
144 " Have the server send the header with a valid value, or, if an " | 144 " Have the server send the header with a valid value, or, if an " |
145 "opaque response serves your needs, set the request's mode to " | 145 "opaque response serves your needs, set the request's mode to " |
146 "'no-cors' to fetch the resource with CORS disabled."); | 146 "'no-cors' to fetch the resource with CORS disabled."); |
147 } | 147 } |
148 | 148 |
149 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::CheckAccess( | 149 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::CheckAccess( |
150 const ResourceResponse& response, | 150 const ResourceResponse& response, |
151 StoredCredentials include_credentials, | 151 StoredCredentials include_credentials, |
152 const SecurityOrigin* security_origin) { | 152 const SecurityOrigin* security_origin) { |
153 DEFINE_THREAD_SAFE_STATIC_LOCAL( | 153 static const char allow_origin_header_name[] = "access-control-allow-origin"; |
154 AtomicString, allow_origin_header_name, | 154 static const char allow_credentials_header_name[] = |
155 (new AtomicString("access-control-allow-origin"))); | 155 "access-control-allow-credentials"; |
156 DEFINE_THREAD_SAFE_STATIC_LOCAL( | 156 static const char allow_suborigin_header_name[] = |
157 AtomicString, allow_credentials_header_name, | 157 "access-control-allow-suborigin"; |
158 (new AtomicString("access-control-allow-credentials"))); | |
159 DEFINE_THREAD_SAFE_STATIC_LOCAL( | |
160 AtomicString, allow_suborigin_header_name, | |
161 (new AtomicString("access-control-allow-suborigin"))); | |
162 | |
163 int status_code = response.HttpStatusCode(); | 158 int status_code = response.HttpStatusCode(); |
164 if (!status_code) | 159 if (!status_code) |
165 return kInvalidResponse; | 160 return kInvalidResponse; |
166 | 161 |
167 const AtomicString& allow_origin_header_value = | 162 const AtomicString& allow_origin_header_value = |
168 response.HttpHeaderField(allow_origin_header_name); | 163 response.HttpHeaderField(allow_origin_header_name); |
169 | 164 |
170 // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which | 165 // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which |
171 // implies that all Suborigins are okay as well. | 166 // implies that all Suborigins are okay as well. |
172 if (security_origin->HasSuborigin() && | 167 if (security_origin->HasSuborigin() && |
173 allow_origin_header_value != g_star_atom) { | 168 allow_origin_header_value != g_star_atom) { |
174 const AtomicString& allow_suborigin_header_value = | 169 const AtomicString& allow_suborigin_header_value = |
175 response.HttpHeaderField(allow_suborigin_header_name); | 170 response.HttpHeaderField(allow_suborigin_header_name); |
176 AtomicString atomic_suborigin_name( | 171 AtomicString atomic_suborigin_name( |
177 security_origin->GetSuborigin()->GetName()); | 172 security_origin->GetSuborigin()->GetName()); |
178 if (allow_suborigin_header_value != g_star_atom && | 173 if (allow_suborigin_header_value != g_star_atom && |
179 allow_suborigin_header_value != atomic_suborigin_name) { | 174 allow_suborigin_header_value != atomic_suborigin_name) { |
180 return kSubOriginMismatch; | 175 return kSubOriginMismatch; |
181 } | 176 } |
182 } | 177 } |
183 | 178 |
184 if (allow_origin_header_value == g_star_atom) { | 179 if (allow_origin_header_value == "*") { |
185 // A wildcard Access-Control-Allow-Origin can not be used if credentials are | 180 // A wildcard Access-Control-Allow-Origin can not be used if credentials are |
186 // to be sent, even with Access-Control-Allow-Credentials set to true. | 181 // to be sent, even with Access-Control-Allow-Credentials set to true. |
187 if (include_credentials == kDoNotAllowStoredCredentials) | 182 if (include_credentials == kDoNotAllowStoredCredentials) |
188 return kAccessAllowed; | 183 return kAccessAllowed; |
189 if (response.IsHTTP()) { | 184 if (response.IsHTTP()) { |
190 return kWildcardOriginNotAllowed; | 185 return kWildcardOriginNotAllowed; |
191 } | 186 } |
192 } else if (allow_origin_header_value != security_origin->ToAtomicString()) { | 187 } else if (allow_origin_header_value != security_origin->ToAtomicString()) { |
193 if (allow_origin_header_value.IsNull()) | 188 if (allow_origin_header_value.IsNull()) |
194 return kMissingAllowOriginHeader; | 189 return kMissingAllowOriginHeader; |
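Review bot: The new side compares allow_origin_header_value against the literal `"*"` at new line 179 but leaves the two earlier wildcard tests at new lines 168 and 173 on `g_star_atom`, so one function now checks the same header value in two different ways. If the static AtomicStrings were dropped to avoid sharing atomic strings across threads (this looks like a path that can run off the main thread — confirm), the remaining `g_star_atom` comparisons are the same pattern and should become `allow_origin_header_value != "*"` and `allow_suborigin_header_value != "*"`; if `g_star_atom` is known to be safe here, the line-179 change should match it instead. A one-line comment above the three header-name constants saying why they are plain char arrays rather than AtomicStrings would keep the next editor from reintroducing the static-local form. Passing a `const char[]` to HttpHeaderField presumably constructs a temporary AtomicString (an atomic-table lookup) on every call, which is harmless for the CORS decision but worth confirming is intended. CheckAccess continues past the end of this hunk.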
535 // | 530 // |
536 // This is equivalent to the step 2 in | 531 // This is equivalent to the step 2 in |
537 // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch | 532 // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch |
538 if (options.credentials_requested == kClientDidNotRequestCredentials) | 533 if (options.credentials_requested == kClientDidNotRequestCredentials) |
539 options.allow_credentials = kDoNotAllowStoredCredentials; | 534 options.allow_credentials = kDoNotAllowStoredCredentials; |
540 } | 535 } |
541 return true; | 536 return true; |
542 } | 537 } |
543 | 538 |
544 } // namespace blink | 539 } // namespace blink |