1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
50 headerSet->add("content-type"); | 50 headerSet->add("content-type"); |
51 headerSet->add("expires"); | 51 headerSet->add("expires"); |
52 headerSet->add("last-modified"); | 52 headerSet->add("last-modified"); |
53 headerSet->add("pragma"); | 53 headerSet->add("pragma"); |
54 | 54 |
55 return headerSet.release(); | 55 return headerSet.release(); |
56 } | 56 } |
57 | 57 |
58 bool isOnAccessControlResponseHeaderWhitelist(const String& name) | 58 bool isOnAccessControlResponseHeaderWhitelist(const String& name) |
59 { | 59 { |
60 AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeader
s = createAllowedCrossOriginResponseHeadersSet().leakPtr()); | 60 AtomicallyInitializedStaticReference(HTTPHeaderSet, allowedCrossOriginRespon
seHeaders, (createAllowedCrossOriginResponseHeadersSet().leakPtr())); |
61 | 61 |
62 return allowedCrossOriginResponseHeaders->contains(name); | 62 return allowedCrossOriginResponseHeaders.contains(name); |
63 } | 63 } |
64 | 64 |
65 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* sec
urityOrigin, StoredCredentials allowCredentials) | 65 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* sec
urityOrigin, StoredCredentials allowCredentials) |
66 { | 66 { |
67 request.removeCredentials(); | 67 request.removeCredentials(); |
68 request.setAllowStoredCredentials(allowCredentials == AllowStoredCredentials
); | 68 request.setAllowStoredCredentials(allowCredentials == AllowStoredCredentials
); |
69 request.setFetchCredentialsMode(allowCredentials == AllowStoredCredentials ?
WebURLRequest::FetchCredentialsModeInclude : WebURLRequest::FetchCredentialsMod
eOmit); | 69 request.setFetchCredentialsMode(allowCredentials == AllowStoredCredentials ?
WebURLRequest::FetchCredentialsModeInclude : WebURLRequest::FetchCredentialsMod
eOmit); |
70 | 70 |
71 if (securityOrigin) | 71 if (securityOrigin) |
72 request.setHTTPOrigin(securityOrigin->toAtomicString()); | 72 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
111 static bool isInterestingStatusCode(int statusCode) | 111 static bool isInterestingStatusCode(int statusCode) |
112 { | 112 { |
113 // Predicate that gates what status codes should be included in | 113 // Predicate that gates what status codes should be included in |
114 // console error messages for responses containing no access | 114 // console error messages for responses containing no access |
115 // control headers. | 115 // control headers. |
116 return statusCode >= 400; | 116 return statusCode >= 400; |
117 } | 117 } |
118 | 118 |
119 bool passesAccessControlCheck(ExecutionContext* context, const ResourceResponse&
response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin,
String& errorDescription) | 119 bool passesAccessControlCheck(ExecutionContext* context, const ResourceResponse&
response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin,
String& errorDescription) |
120 { | 120 { |
121 AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new A
tomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)); | 121 AtomicallyInitializedStaticReference(AtomicString, accessControlAllowOrigin,
(new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLit
eral))); |
122 AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *
new AtomicString("access-control-allow-credentials", AtomicString::ConstructFrom
Literal)); | 122 AtomicallyInitializedStaticReference(AtomicString, accessControlAllowCredent
ials, (new AtomicString("access-control-allow-credentials", AtomicString::Constr
uctFromLiteral))); |
123 | 123 |
124 if (!response.httpStatusCode()) { | 124 if (!response.httpStatusCode()) { |
125 errorDescription = "Received an invalid response. Origin '" + securityOr
igin->toString() + "' is therefore not allowed access."; | 125 errorDescription = "Received an invalid response. Origin '" + securityOr
igin->toString() + "' is therefore not allowed access."; |
126 return false; | 126 return false; |
127 } | 127 } |
128 | 128 |
129 const AtomicString& accessControlOriginString = response.httpHeaderField(acc
essControlAllowOrigin); | 129 const AtomicString& accessControlOriginString = response.httpHeaderField(acc
essControlAllowOrigin); |
130 if (accessControlOriginString == starAtom) { | 130 if (accessControlOriginString == starAtom) { |
131 // A wildcard Access-Control-Allow-Origin can not be used if credentials
are to be sent, | 131 // A wildcard Access-Control-Allow-Origin can not be used if credentials
are to be sent, |
132 // even with Access-Control-Allow-Credentials set to true. | 132 // even with Access-Control-Allow-Credentials set to true. |
245 request.setHTTPOrigin(securityOrigin->toAtomicString()); | 245 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
246 // If the user didn't request credentials in the first place, update our | 246 // If the user didn't request credentials in the first place, update our |
247 // state so we neither request them nor expect they must be allowed. | 247 // state so we neither request them nor expect they must be allowed. |
248 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 248 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
249 options.allowCredentials = DoNotAllowStoredCredentials; | 249 options.allowCredentials = DoNotAllowStoredCredentials; |
250 } | 250 } |
251 return true; | 251 return true; |
252 } | 252 } |
253 | 253 |
254 } // namespace blink | 254 } // namespace blink |
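Review bot: The whitelist lookup on new line 62, `allowedCrossOriginResponseHeaders.contains(name)`, is only a correct CORS-safelisted-header check if HTTPHeaderSet compares header names case-insensitively; nothing in this hunk shows that, and with a case-sensitive set a response header spelled `Content-Type` or `CACHE-CONTROL` would fall outside the whitelist while `content-type` is inside it, so the exposed-header decision would depend on the server's capitalisation. If the set type is case-folding, as the all-lower-case literals on lines 50–53 suggest the author assumed, that should be stated where the set is built, e.g. `// HTTPHeaderSet must compare names case-insensitively; entries are kept canonical lower-case.`. The `.leakPtr()` on line 60 (and the bare `new AtomicString` on lines 121–122) are deliberate process-lifetime leaks for the atomically-initialised statics and deserve a one-line comment such as `// Intentionally leaked: lives for the process lifetime.` so they are not mistaken for missing deletes. createAllowedCrossOriginResponseHeadersSet and passesAccessControlCheck both start or end outside the visible hunks.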