Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(180)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 875363002: Sort header names in Access-Control-Request-Headers (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: tyoshino's comments Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-request-header-sorted.php ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after
78 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials); 78 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowSt oredCredentials);
79 preflightRequest.setHTTPMethod("OPTIONS"); 79 preflightRequest.setHTTPMethod("OPTIONS");
80 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request .httpMethod()); 80 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request .httpMethod());
81 preflightRequest.setPriority(request.priority()); 81 preflightRequest.setPriority(request.priority());
82 preflightRequest.setRequestContext(request.requestContext()); 82 preflightRequest.setRequestContext(request.requestContext());
83 preflightRequest.setSkipServiceWorker(true); 83 preflightRequest.setSkipServiceWorker(true);
84 84
85 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); 85 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
86 86
87 if (requestHeaderFields.size() > 0) { 87 if (requestHeaderFields.size() > 0) {
88 StringBuilder headerBuffer; 88 // Sort header names lexicographically: https://crbug.com/452391
89 // Fetch API Spec:
90 // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
91 Vector<String> headers;
89 for (const auto& header : requestHeaderFields) { 92 for (const auto& header : requestHeaderFields) {
90 if (equalIgnoringCase(header.key, "referer")) { 93 if (equalIgnoringCase(header.key, "referer")) {
91 // When the request is from a Worker, referrer header was added 94 // When the request is from a Worker, referrer header was added
92 // by WorkerThreadableLoader. But it should not be added to 95 // by WorkerThreadableLoader. But it should not be added to
93 // Access-Control-Request-Headers header. 96 // Access-Control-Request-Headers header.
94 continue; 97 continue;
95 } 98 }
99 headers.append(header.key.lower());
100 }
101 std::sort(headers.begin(), headers.end(), WTF::codePointCompareLessThan) ;
102 StringBuilder headerBuffer;
103 for (const String& header : headers) {
96 if (!headerBuffer.isEmpty()) 104 if (!headerBuffer.isEmpty())
97 headerBuffer.appendLiteral(", "); 105 headerBuffer.appendLiteral(", ");
98 headerBuffer.append(header.key); 106 headerBuffer.append(header);
99 } 107 }
100 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", At omicString(headerBuffer.toString().lower())); 108 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", At omicString(headerBuffer.toString()));
101 } 109 }
102 110
103 return preflightRequest; 111 return preflightRequest;
104 } 112 }
105 113
106 static bool isOriginSeparator(UChar ch) 114 static bool isOriginSeparator(UChar ch)
107 { 115 {
108 return isASCIISpace(ch) || ch == ','; 116 return isASCIISpace(ch) || ch == ',';
109 } 117 }
110 118
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
245 request.setHTTPOrigin(securityOrigin->toAtomicString()); 253 request.setHTTPOrigin(securityOrigin->toAtomicString());
246 // If the user didn't request credentials in the first place, update our 254 // If the user didn't request credentials in the first place, update our
247 // state so we neither request them nor expect they must be allowed. 255 // state so we neither request them nor expect they must be allowed.
248 if (options.credentialsRequested == ClientDidNotRequestCredentials) 256 if (options.credentialsRequested == ClientDidNotRequestCredentials)
249 options.allowCredentials = DoNotAllowStoredCredentials; 257 options.allowCredentials = DoNotAllowStoredCredentials;
250 } 258 }
251 return true; 259 return true;
252 } 260 }
253 261
254 } // namespace blink 262 } // namespace blink
OLDNEW
« no previous file with comments | « LayoutTests/http/tests/xmlhttprequest/resources/access-control-preflight-request-header-sorted.php ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698