1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
29 | 29 |
30 #include "AtomicString.h" | 30 #include "AtomicString.h" |
31 #include "ResourceResponse.h" | 31 #include "ResourceResponse.h" |
32 #include "SecurityOrigin.h" | 32 #include "SecurityOrigin.h" |
33 #include <wtf/Threading.h> | 33 #include <wtf/Threading.h> |
34 | 34 |
35 namespace WebCore { | 35 namespace WebCore { |
36 | 36 |
37 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name) | 37 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name) |
38 { | 38 { |
39 return equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-
language") || equalIgnoringCase(name, "content-type"); | 39 return equalIgnoringCase(name, "accept") |
| 40 || equalIgnoringCase(name, "accept-language") |
| 41 || equalIgnoringCase(name, "content-language") |
| 42 || equalIgnoringCase(name, "content-type"); |
40 } | 43 } |
41 | 44 |
42 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&
headerMap) | 45 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&
headerMap) |
43 { | 46 { |
44 if (method != "GET" && method != "POST") | 47 if (method != "GET" && method != "HEAD" && method != "POST") |
45 return false; | 48 return false; |
46 | 49 |
47 HTTPHeaderMap::const_iterator end = headerMap.end(); | 50 HTTPHeaderMap::const_iterator end = headerMap.end(); |
48 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it)
{ | 51 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it)
{ |
49 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first)) | 52 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first)) |
50 return false; | 53 return false; |
51 } | 54 } |
52 | 55 |
| 56 HTTPHeaderMap::const_iterator contentTypeIter = headerMap.find("Content-Type
"); |
| 57 if (contentTypeIter != headerMap.end()) { |
| 58 const String& contentType = contentTypeIter->second; |
| 59 if (!equalIgnoringCase(contentType, "application/x-www-form-urlencoded") |
| 60 && !equalIgnoringCase(contentType, "multipart/form-data") |
| 61 && !equalIgnoringCase(contentType, "text/plain")) |
| 62 return false; |
| 63 } |
| 64 |
53 return true; | 65 return true; |
54 } | 66 } |
55 | 67 |
56 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; | 68 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; |
57 static HTTPHeaderSet* createAllowedCrossOriginResponseHeadersSet() | 69 static HTTPHeaderSet* createAllowedCrossOriginResponseHeadersSet() |
58 { | 70 { |
59 HTTPHeaderSet* headerSet = new HashSet<String, CaseFoldingHash>; | 71 HTTPHeaderSet* headerSet = new HashSet<String, CaseFoldingHash>; |
60 | 72 |
61 headerSet->add("cache-control"); | 73 headerSet->add("cache-control"); |
62 headerSet->add("content-language"); | 74 headerSet->add("content-language"); |
88 if (includeCredentials) { | 100 if (includeCredentials) { |
89 const String& accessControlCredentialsString = response.httpHeaderField(
"Access-Control-Allow-Credentials"); | 101 const String& accessControlCredentialsString = response.httpHeaderField(
"Access-Control-Allow-Credentials"); |
90 if (accessControlCredentialsString != "true") | 102 if (accessControlCredentialsString != "true") |
91 return false; | 103 return false; |
92 } | 104 } |
93 | 105 |
94 return true; | 106 return true; |
95 } | 107 } |
96 | 108 |
97 } // namespace WebCore | 109 } // namespace WebCore |
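Review bot: The new Content-Type check in isSimpleCrossOriginAccessRequest (new lines 56-63) compares the whole header value, so `multipart/form-data; boundary=...` or `text/plain; charset=UTF-8` fails the equality test and the request is classified as non-simple, which forces a preflight for essentially every multipart form POST because that type always carries a boundary parameter. This errs on the safe side (an extra preflight rather than a skipped one), but the simple-request test is meant to apply to the media type with its parameters removed, so the value should be truncated at the first `;` and trimmed before the comparison. I would also document why exactly these three types are accepted, e.g. `// Only the content types an HTML form can submit are simple; anything else (JSON, XML, ...) must be preflighted so the server can opt in.` Separately, `headerMap.find("Content-Type")` only matches a `content-type` key sent in another case if HTTPHeaderMap hashes case-insensitively, which this hunk does not show — worth confirming, given the whitelist loop above deliberately compares names with equalIgnoringCase. The rewrite below assumes WebCore's String exposes find/left/stripWhiteSpace as elsewhere in the tree.
```cpp
    HTTPHeaderMap::const_iterator contentTypeIter = headerMap.find("Content-Type");
    if (contentTypeIter != headerMap.end()) {
        // Only the media type is compared; parameters such as "; boundary=..."
        // or "; charset=..." must not turn a simple request into a preflighted one.
        String mediaType = contentTypeIter->second;
        int semicolon = mediaType.find(';');
        if (semicolon != -1)
            mediaType = mediaType.left(semicolon);
        mediaType = mediaType.stripWhiteSpace();
        // Only the content types an HTML form can submit are simple; anything
        // else (JSON, XML, ...) must be preflighted so the server can opt in.
        if (!equalIgnoringCase(mediaType, "application/x-www-form-urlencoded")
            && !equalIgnoringCase(mediaType, "multipart/form-data")
            && !equalIgnoringCase(mediaType, "text/plain"))
            return false;
    }
    // ... unchanged: return true ...
```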