| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 67 matching lines...) | |
| 78 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials); | 78 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials); |
| 79 preflightRequest.setHTTPMethod("OPTIONS"); | 79 preflightRequest.setHTTPMethod("OPTIONS"); |
| 80 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request .httpMethod()); | 80 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request .httpMethod()); |
| 81 preflightRequest.setPriority(request.priority()); | 81 preflightRequest.setPriority(request.priority()); |
| 82 preflightRequest.setRequestContext(request.requestContext()); | 82 preflightRequest.setRequestContext(request.requestContext()); |
| 83 preflightRequest.setSkipServiceWorker(true); | 83 preflightRequest.setSkipServiceWorker(true); |
| 84 | 84 |
| 85 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); | 85 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); |
| 86 | 86 |
| 87 if (requestHeaderFields.size() > 0) { | 87 if (requestHeaderFields.size() > 0) { |
| 88 StringBuilder headerBuffer; | 88 // Sort header names lexicographically: https://crbug.com/452391 |
| 89 // Fetch API Spec: | |
| 90 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 | |
| 91 // CORS Spec: | |
| 92 // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 | |
|
tyoshino (SeeGerritForStatus)
2015/01/29 10:44:53
it's ok to omit the W3C version.
hiroshige
2015/01/29 11:08:11
Done.
| |
| 93 Vector<String> headers; | |
| 89 for (const auto& header : requestHeaderFields) { | 94 for (const auto& header : requestHeaderFields) { |
| 90 if (equalIgnoringCase(header.key, "referer")) { | 95 if (equalIgnoringCase(header.key, "referer")) { |
| 91 // When the request is from a Worker, referrer header was added | 96 // When the request is from a Worker, referrer header was added |
| 92 // by WorkerThreadableLoader. But it should not be added to | 97 // by WorkerThreadableLoader. But it should not be added to |
| 93 // Access-Control-Request-Headers header. | 98 // Access-Control-Request-Headers header. |
| 94 continue; | 99 continue; |
| 95 } | 100 } |
| 101 headers.append(header.key.lower()); | |
| 102 } | |
| 103 std::sort(headers.begin(), headers.end(), WTF::codePointCompareLessThan) ; | |
| 104 StringBuilder headerBuffer; | |
| 105 for (const String& header : headers) { | |
| 96 if (!headerBuffer.isEmpty()) | 106 if (!headerBuffer.isEmpty()) |
| 97 headerBuffer.appendLiteral(", "); | 107 headerBuffer.appendLiteral(", "); |
| 98 headerBuffer.append(header.key); | 108 headerBuffer.append(header); |
| 99 } | 109 } |
| 100 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", At omicString(headerBuffer.toString().lower())); | 110 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", At omicString(headerBuffer.toString())); |
| 101 } | 111 } |
| 102 | 112 |
| 103 return preflightRequest; | 113 return preflightRequest; |
| 104 } | 114 } |
| 105 | 115 |
| 106 static bool isOriginSeparator(UChar ch) | 116 static bool isOriginSeparator(UChar ch) |
| 107 { | 117 { |
| 108 return isASCIISpace(ch) || ch == ','; | 118 return isASCIISpace(ch) || ch == ','; |
| 109 } | 119 } |
| 110 | 120 |
| (...skipping 134 matching lines...) | |
| 245 request.setHTTPOrigin(securityOrigin->toAtomicString()); | 255 request.setHTTPOrigin(securityOrigin->toAtomicString()); |
| 246 // If the user didn't request credentials in the first place, update our | 256 // If the user didn't request credentials in the first place, update our |
| 247 // state so we neither request them nor expect they must be allowed. | 257 // state so we neither request them nor expect they must be allowed. |
| 248 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 258 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
| 249 options.allowCredentials = DoNotAllowStoredCredentials; | 259 options.allowCredentials = DoNotAllowStoredCredentials; |
| 250 } | 260 } |
| 251 return true; | 261 return true; |
| 252 } | 262 } |
| 253 | 263 |
| 254 } // namespace blink | 264 } // namespace blink |
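Review bot: The `requestHeaderFields.size() > 0` guard at new line 87 is evaluated before `referer` is filtered out, so a request whose only header is Referer (the Worker case described in the comment) leaves `headers` empty and still sets `Access-Control-Request-Headers` to an empty string at new line 110. The server reads this header to decide which request headers to authorize, so it should be sent only when there is at least one name to announce; wrapping the sort, the join and the `setHTTPHeaderField` call in `if (!headers.isEmpty())` would do that. The old code behaved the same way, so this is not a regression from the sort, but the new `headers` vector makes the check cheap to add. The enclosing function's signature lies in the skipped region above line 78, so this is based on the visible body only.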