| Index: Source/core/xml/XMLHttpRequest.cpp
|
| diff --git a/Source/core/xml/XMLHttpRequest.cpp b/Source/core/xml/XMLHttpRequest.cpp
|
| index e6fbebce58a4567fabe87eaf773b5bb2ba3bb82d..606ecefe8071ce9505a01cc9ac40f905a44f09ee 100644
|
| --- a/Source/core/xml/XMLHttpRequest.cpp
|
| +++ b/Source/core/xml/XMLHttpRequest.cpp
|
| @@ -66,42 +66,6 @@ namespace WebCore {
|
|
|
| DEFINE_DEBUG_ONLY_GLOBAL(WTF::RefCountedLeakCounter, xmlHttpRequestCounter, ("XMLHttpRequest"));
|
|
|
| -struct XMLHttpRequestStaticData {
|
| - WTF_MAKE_NONCOPYABLE(XMLHttpRequestStaticData); WTF_MAKE_FAST_ALLOCATED;
|
| -public:
|
| - XMLHttpRequestStaticData();
|
| - String m_proxyHeaderPrefix;
|
| - String m_secHeaderPrefix;
|
| - HashSet<String, CaseFoldingHash> m_forbiddenRequestHeaders;
|
| -};
|
| -
|
| -XMLHttpRequestStaticData::XMLHttpRequestStaticData()
|
| - : m_proxyHeaderPrefix("proxy-")
|
| - , m_secHeaderPrefix("sec-")
|
| -{
|
| - m_forbiddenRequestHeaders.add("accept-charset");
|
| - m_forbiddenRequestHeaders.add("accept-encoding");
|
| - m_forbiddenRequestHeaders.add("access-control-request-headers");
|
| - m_forbiddenRequestHeaders.add("access-control-request-method");
|
| - m_forbiddenRequestHeaders.add("connection");
|
| - m_forbiddenRequestHeaders.add("content-length");
|
| - m_forbiddenRequestHeaders.add("cookie");
|
| - m_forbiddenRequestHeaders.add("cookie2");
|
| - m_forbiddenRequestHeaders.add("date");
|
| - m_forbiddenRequestHeaders.add("dnt");
|
| - m_forbiddenRequestHeaders.add("expect");
|
| - m_forbiddenRequestHeaders.add("host");
|
| - m_forbiddenRequestHeaders.add("keep-alive");
|
| - m_forbiddenRequestHeaders.add("origin");
|
| - m_forbiddenRequestHeaders.add("referer");
|
| - m_forbiddenRequestHeaders.add("te");
|
| - m_forbiddenRequestHeaders.add("trailer");
|
| - m_forbiddenRequestHeaders.add("transfer-encoding");
|
| - m_forbiddenRequestHeaders.add("upgrade");
|
| - m_forbiddenRequestHeaders.add("user-agent");
|
| - m_forbiddenRequestHeaders.add("via");
|
| -}
|
| -
|
| static bool isSetCookieHeader(const AtomicString& name)
|
| {
|
| return equalIgnoringCase(name, "set-cookie") || equalIgnoringCase(name, "set-cookie2");
|
| @@ -126,21 +90,6 @@ static void replaceCharsetInMediaType(String& mediaType, const String& charsetVa
|
| }
|
| }
|
|
|
| -static const XMLHttpRequestStaticData* staticData = 0;
|
| -
|
| -static const XMLHttpRequestStaticData* createXMLHttpRequestStaticData()
|
| -{
|
| - staticData = new XMLHttpRequestStaticData;
|
| - return staticData;
|
| -}
|
| -
|
| -static const XMLHttpRequestStaticData* initializeXMLHttpRequestStaticData()
|
| -{
|
| - // Uses dummy to avoid warnings about an unused variable.
|
| - AtomicallyInitializedStatic(const XMLHttpRequestStaticData*, dummy = createXMLHttpRequestStaticData());
|
| - return dummy;
|
| -}
|
| -
|
| static void logConsoleError(ExecutionContext* context, const String& message)
|
| {
|
| if (!context)
|
| @@ -177,7 +126,6 @@ XMLHttpRequest::XMLHttpRequest(ExecutionContext* context, PassRefPtr<SecurityOri
|
| , m_uploadComplete(false)
|
| , m_sameOriginRequest(true)
|
| {
|
| - initializeXMLHttpRequestStaticData();
|
| #ifndef NDEBUG
|
| xmlHttpRequestCounter.increment();
|
| #endif
|
| @@ -487,13 +435,6 @@ void XMLHttpRequest::setWithCredentials(bool value, ExceptionState& exceptionSta
|
| m_includeCredentials = value;
|
| }
|
|
|
| -bool XMLHttpRequest::isAllowedHTTPMethod(const String& method)
|
| -{
|
| - return !equalIgnoringCase(method, "TRACE")
|
| - && !equalIgnoringCase(method, "TRACK")
|
| - && !equalIgnoringCase(method, "CONNECT");
|
| -}
|
| -
|
| AtomicString XMLHttpRequest::uppercaseKnownHTTPMethod(const AtomicString& method)
|
| {
|
| // Valid methods per step-5 of http://xhr.spec.whatwg.org/#the-open()-method.
|
| @@ -516,13 +457,6 @@ AtomicString XMLHttpRequest::uppercaseKnownHTTPMethod(const AtomicString& method
|
| return method;
|
| }
|
|
|
| -bool XMLHttpRequest::isAllowedHTTPHeader(const String& name)
|
| -{
|
| - initializeXMLHttpRequestStaticData();
|
| - return !staticData->m_forbiddenRequestHeaders.contains(name) && !name.startsWith(staticData->m_proxyHeaderPrefix, false)
|
| - && !name.startsWith(staticData->m_secHeaderPrefix, false);
|
| -}
|
| -
|
| void XMLHttpRequest::open(const AtomicString& method, const KURL& url, ExceptionState& exceptionState)
|
| {
|
| open(method, url, true, exceptionState);
|
| @@ -551,7 +485,7 @@ void XMLHttpRequest::open(const AtomicString& method, const KURL& url, bool asyn
|
| return;
|
| }
|
|
|
| - if (!isAllowedHTTPMethod(method)) {
|
| + if (CrossOriginAccessControl::isForbiddenMethod(method)) {
|
| exceptionState.throwSecurityError("'" + method + "' HTTP method is unsupported.");
|
| return;
|
| }
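Review bot: Whether `CrossOriginAccessControl::isForbiddenMethod(method)` matches case-insensitively is not visible in this hunk, while the removed `isAllowedHTTPMethod` compared with `equalIgnoringCase`, so a change in case handling would let mixed-case spellings of TRACE, TRACK or CONNECT through where they were previously rejected. Please confirm the replacement keeps the case-insensitive comparison and covers all three methods the old list had. A short comment at the call site would make that contract visible to later readers, e.g. `// Forbidden methods (CONNECT/TRACE/TRACK) are matched case-insensitively.` The body of `open` starts and ends outside this hunk.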
|
| @@ -815,7 +749,7 @@ void XMLHttpRequest::createRequest(PassRefPtr<FormData> httpBody, ExceptionState
|
|
|
| // We also remember whether upload events should be allowed for this request in case the upload listeners are
|
| // added after the request is started.
|
| - m_uploadEventsAllowed = m_sameOriginRequest || uploadEvents || !isSimpleCrossOriginAccessRequest(m_method, m_requestHeaders);
|
| + m_uploadEventsAllowed = m_sameOriginRequest || uploadEvents || !CrossOriginAccessControl::isSimpleRequest(m_method, m_requestHeaders);
|
|
|
| ASSERT(executionContext());
|
| ExecutionContext& executionContext = *this->executionContext();
|
| @@ -1081,7 +1015,7 @@ void XMLHttpRequest::setRequestHeader(const AtomicString& name, const AtomicStri
|
| }
|
|
|
| // No script (privileged or not) can set unsafe headers.
|
| - if (!isAllowedHTTPHeader(name)) {
|
| + if (CrossOriginAccessControl::isForbiddenHeaderName(name)) {
|
| logConsoleError(executionContext(), "Refused to set unsafe header \"" + name + "\"");
|
| return;
|
| }
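Review bot: The new `CrossOriginAccessControl::isForbiddenHeaderName(name)` check silently depends on two behaviours of the removed `isAllowedHTTPHeader` that this hunk cannot show: the case-folded lookup over the full list deleted in the first hunk (including `dnt`, `cookie2`, `date` and `via`) and the case-insensitive `startsWith` on the `proxy-` and `sec-` prefixes (the old calls passed `false` for case sensitivity). Please confirm the moved implementation preserves both, since a dropped entry or a case-sensitive prefix test would widen what script may set here. A comment at the call site would record the contract, e.g. `// Forbidden names and the proxy-/sec- prefixes are matched case-insensitively; see CrossOriginAccessControl::isForbiddenHeaderName.` `setRequestHeader` begins and ends outside this hunk.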
|
|
|