net/url_request/url_request_redirect_job.cc - Issue 348253002: Add CORS headers to URLRequestRedirectJob.

Side by Side Diff: net/url_request/url_request_redirect_job.cc

Issue 348253002: Add CORS headers to URLRequestRedirectJob. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/url_request/url_request_redirect_job.h"	5 #include "net/url_request/url_request_redirect_job.h"

6	6

7 #include "base/bind.h"	7 #include "base/bind.h"

8 #include "base/compiler_specific.h"	8 #include "base/compiler_specific.h"

9 #include "base/logging.h"	9 #include "base/logging.h"

10 #include "base/message_loop/message_loop.h"	10 #include "base/message_loop/message_loop.h"

	11 #include "base/strings/string_number_conversions.h"

11 #include "net/base/load_timing_info.h"	12 #include "net/base/load_timing_info.h"

12 #include "net/base/net_log.h"	13 #include "net/base/net_log.h"

	14 #include "net/http/http_response_headers.h"

13 #include "net/url_request/url_request.h"	15 #include "net/url_request/url_request.h"

14	16

15 namespace net {	17 namespace net {

16	18

17 URLRequestRedirectJob::URLRequestRedirectJob(URLRequest* request,	19 URLRequestRedirectJob::URLRequestRedirectJob(URLRequest* request,

18 NetworkDelegate* network_delegate,	20 NetworkDelegate* network_delegate,

19 const GURL& redirect_destination,	21 const GURL& redirect_destination,

20 StatusCode http_status_code,	22 StatusCode http_status_code,

21 const std::string& redirect_reason)	23 const std::string& redirect_reason)

22 : URLRequestJob(request, network_delegate),	24 : URLRequestJob(request, network_delegate),

(...skipping 27 matching lines...) Expand all Loading...
50 return false;	52 return false;

51 }	53 }

52	54

53 URLRequestRedirectJob::~URLRequestRedirectJob() {}	55 URLRequestRedirectJob::~URLRequestRedirectJob() {}

54	56

55 void URLRequestRedirectJob::StartAsync() {	57 void URLRequestRedirectJob::StartAsync() {

56 receive_headers_end_ = base::TimeTicks::Now();	58 receive_headers_end_ = base::TimeTicks::Now();

57 NotifyHeadersComplete();	59 NotifyHeadersComplete();

58 }	60 }

59	61

	62 void URLRequestRedirectJob::GetResponseInfo(HttpResponseInfo* info) {

	63 scoped_refptr<net::HttpResponseHeaders> response_headers(

	64 new net::HttpResponseHeaders(std::string()));

	65 std::string status_line;

	66 status_line += "HTTP/1.1 ";

	67 status_line += base::IntToString(http_status_code_);

	68 status_line += " " + redirect_reason_;;
	abarth-chromium 2014/06/23 17:01:09 This is a very slow way to construct a string. This is a very slow way to construct a string. robwu 2014/06/23 17:28:19 What about: std::string status_line(base::StringP Show quoted text On 2014/06/23 17:01:09, abarth wrote: > This is a very slow way to construct a string. What about: std::string status_line(base::StringPrintf("HTTP/1.1 %d %s", http_status_code_, redirect_reason_.c_str()));
	69

	70 response_headers->ReplaceStatusLine(status_line);

	71 const net::HttpRequestHeaders& headers = request_->extra_request_headers();

	72 std::string http_origin;

	73 if (headers.GetHeader("Origin", &http_origin)) {

	74 // If this redirect is used in a cross-origin request, add the necessary

	75 // CORS headers to prevent the redirect from being blocked by cross-origin

	76 // access control. Note that the request is still blocked if the redirection

	77 // target does not serve the necessary CORS headers.

	78 response_headers->AddHeader("Access-Control-Allow-Origin: " + http_origin);
	abarth-chromium 2014/06/23 17:01:09 Does this line represent an HTTP header injection Does this line represent an HTTP header injection vulnerability? How do you know that http_origin won't split the header? robwu 2014/06/23 17:28:19 The Origin request header is set by the browser (B Show quoted text On 2014/06/23 17:01:09, abarth wrote: > Does this line represent an HTTP header injection vulnerability? How do you > know that http_origin won't split the header? The Origin request header is set by the browser (Blink). This header cannot be forged by regular web pages (not even through XMLHttpRequest).
	79 response_headers->AddHeader("Access-Control-Allow-Credentials: true");

	80 }

	81 info->headers = response_headers;

	82 }

	83

60 void URLRequestRedirectJob::GetLoadTimingInfo(	84 void URLRequestRedirectJob::GetLoadTimingInfo(

61 LoadTimingInfo* load_timing_info) const {	85 LoadTimingInfo* load_timing_info) const {

62 // Set send_start and send_end to receive_headers_end_ to keep consistent	86 // Set send_start and send_end to receive_headers_end_ to keep consistent

63 // with network cache behavior.	87 // with network cache behavior.

64 load_timing_info->send_start = receive_headers_end_;	88 load_timing_info->send_start = receive_headers_end_;

65 load_timing_info->send_end = receive_headers_end_;	89 load_timing_info->send_end = receive_headers_end_;

66 load_timing_info->receive_headers_end = receive_headers_end_;	90 load_timing_info->receive_headers_end = receive_headers_end_;

67 }	91 }

68	92

69 } // namespace net	93 } // namespace net

OLD	NEW

« no previous file with comments | « net/url_request/url_request_redirect_job.h ('k') | no next file » | no next file with comments »