|
1 /* |
|
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
|
3 * |
|
4 * Redistribution and use in source and binary forms, with or without |
|
5 * modification, are permitted provided that the following conditions |
|
6 * are met: |
|
7 * 1. Redistributions of source code must retain the above copyright |
|
8 * notice, this list of conditions and the following disclaimer. |
|
9 * 2. Redistributions in binary form must reproduce the above copyright |
|
10 * notice, this list of conditions and the following disclaimer in the |
|
11 * documentation and/or other materials provided with the distribution. |
|
12 * |
|
13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY |
|
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR |
|
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
|
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
|
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
|
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
|
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
|
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
|
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
24 * |
|
25 */ |
|
26 |
|
27 #include "config.h" |
|
28 #include "CrossOriginAccessControl.h" |
|
29 |
|
30 #include "AtomicString.h" |
|
31 #include "HTTPParsers.h" |
|
32 #include "ResourceResponse.h" |
|
33 #include "SecurityOrigin.h" |
|
34 #include <wtf/Threading.h> |
|
35 |
|
36 namespace WebCore { |
|
37 |
|
38 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method) |
|
39 { |
|
40 return method == "GET" || method == "HEAD" || method == "POST"; |
|
41 } |
|
42 |
|
43 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value) |
|
44 { |
|
45 if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language")) |
|
46 return true; |
|
47 |
|
48 // Preflight is required for MIME types that can not be sent via form submission. |
|
49 if (equalIgnoringCase(name, "content-type")) { |
|
50 String mimeType = extractMIMETypeFromMediaType(value); |
|
51 return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded") |
|
52 || equalIgnoringCase(mimeType, "multipart/form-data") |
|
53 || equalIgnoringCase(mimeType, "text/plain"); |
|
54 } |
|
55 |
|
56 return false; |
|
57 } |
|
58 |
|
59 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap) |
|
60 { |
|
61 if (!isOnAccessControlSimpleRequestMethodWhitelist(method)) |
|
62 return false; |
|
63 |
|
64 HTTPHeaderMap::const_iterator end = headerMap.end(); |
|
65 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { |
|
66 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first, it->second)) |
|
67 return false; |
|
68 } |
|
69 |
|
70 return true; |
|
71 } |
|
72 |
|
73 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; |
|
74 static HTTPHeaderSet* createAllowedCrossOriginResponseHeadersSet() |
|
75 { |
|
76 HTTPHeaderSet* headerSet = new HashSet<String, CaseFoldingHash>; |
|
77 |
|
78 headerSet->add("cache-control"); |
|
79 headerSet->add("content-language"); |
|
80 headerSet->add("content-type"); |
|
81 headerSet->add("expires"); |
|
82 headerSet->add("last-modified"); |
|
83 headerSet->add("pragma"); |
|
84 |
|
85 return headerSet; |
|
86 } |
|
87 |
|
88 bool isOnAccessControlResponseHeaderWhitelist(const String& name) |
|
89 { |
|
90 AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet()); |
|
91 |
|
92 return allowedCrossOriginResponseHeaders->contains(name); |
|
93 } |
|
94 |
|
95 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription) |
|
96 { |
|
97 // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent, |
|
98 // even with Access-Control-Allow-Credentials set to true. |
|
99 const String& accessControlOriginString = response.httpHeaderField("Access-Control-Allow-Origin"); |
|
100 if (accessControlOriginString == "*" && !includeCredentials) |
|
101 return true; |
|
102 |
|
103 if (securityOrigin->isUnique()) { |
|
104 errorDescription = "Cannot make any requests from " + securityOrigin->toString() + "."; |
|
105 return false; |
|
106 } |
|
107 |
|
108 // FIXME: Access-Control-Allow-Origin can contain a list of origins. |
|
109 RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString); |
|
110 if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) { |
|
111 errorDescription = (accessControlOriginString == "*") ? "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true." |
|
112 : "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin."; |
|
113 return false; |
|
114 } |
|
115 |
|
116 if (includeCredentials) { |
|
117 const String& accessControlCredentialsString = response.httpHeaderField("Access-Control-Allow-Credentials"); |
|
118 if (accessControlCredentialsString != "true") { |
|
119 errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\"."; |
|
120 return false; |
|
121 } |
|
122 } |
|
123 |
|
124 return true; |
|
125 } |
|
126 |
|
127 } // namespace WebCore |