1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_HTTP_HTTP_RESPONSE_HEADERS_H_ 6 #define NET_HTTP_HTTP_RESPONSE_HEADERS_H_ 7 8 #include <stddef.h> 9 #include <stdint.h> 10 11 #include <optional> 12 #include <string> 13 #include <string_view> 14 #include <unordered_set> 15 #include <vector> 16 17 #include "base/check.h" 18 #include "base/functional/callback.h" 19 #include "base/memory/ref_counted.h" 20 #include "base/time/time.h" 21 #include "base/trace_event/base_tracing_forward.h" 22 #include "base/types/pass_key.h" 23 #include "base/values.h" 24 #include "net/base/net_export.h" 25 #include "net/http/http_util.h" 26 #include "net/http/http_version.h" 27 #include "net/log/net_log_capture_mode.h" 28 #include "third_party/abseil-cpp/absl/container/inlined_vector.h" 29 30 namespace base { 31 class Pickle; 32 class PickleIterator; 33 class Time; 34 class TimeDelta; 35 } 36 37 namespace net { 38 39 class HttpByteRange; 40 41 enum ValidationType { 42 VALIDATION_NONE, // The resource is fresh. 43 VALIDATION_ASYNCHRONOUS, // The resource requires async revalidation. 44 VALIDATION_SYNCHRONOUS // The resource requires sync revalidation. 45 }; 46 47 // HttpResponseHeaders: parses and holds HTTP response headers. 48 class NET_EXPORT HttpResponseHeaders 49 : public base::RefCountedThreadSafe<HttpResponseHeaders> { 50 public: 51 // This class provides the most efficient way to build an HttpResponseHeaders 52 // object if the headers are all available in memory at once. 53 // Example usage: 54 // scoped_refptr<HttpResponseHeaders> headers = 55 // HttpResponseHeaders::Builder(HttpVersion(1, 1), 307) 56 // .AddHeader("Location", url.spec()) 57 // .Build(); 58 class NET_EXPORT Builder { 59 public: 60 // Constructs a builder with a particular `version` and `status`. `version` 61 // must be (1,0), (1,1) or (2,0). `status` is the response code optionally 62 // followed by a space and the status text, eg. "200 OK". The caller is 63 // required to guarantee that `status` does not contain embedded nul 64 // characters, and that it will remain valid until Build() is called. 65 Builder(HttpVersion version, std::string_view status); 66 67 Builder(const Builder&) = delete; 68 Builder& operator=(const Builder&) = delete; 69 70 ~Builder(); 71 72 // Adds a header. Returns a reference to the object so that calls can be 73 // chained. Duplicates will be preserved. Order will be preserved. For 74 // performance reasons, strings are not copied until Build() is called. It 75 // is the caller's responsibility to ensure the values remain valid until 76 // then. The caller is required to guarantee that `name` and `value` are 77 // valid HTTP headers and in particular that they do not contain embedded 78 // nul characters. AddHeader(std::string_view name,std::string_view value)79 Builder& AddHeader(std::string_view name, std::string_view value) { 80 DCHECK(HttpUtil::IsValidHeaderName(name)); 81 DCHECK(HttpUtil::IsValidHeaderValue(value)); 82 headers_.push_back({name, value}); 83 return *this; 84 } 85 86 scoped_refptr<HttpResponseHeaders> Build(); 87 88 private: 89 using KeyValuePair = std::pair<std::string_view, std::string_view>; 90 91 const HttpVersion version_; 92 const std::string_view status_; 93 // 40 is enough for 94% of responses on Windows and 98% on Android. 94 absl::InlinedVector<KeyValuePair, 40> headers_; 95 }; 96 97 using BuilderPassKey = base::PassKey<Builder>; 98 99 // Persist options. 100 typedef int PersistOptions; 101 static const PersistOptions PERSIST_RAW = -1; // Raw, unparsed headers. 102 static const PersistOptions PERSIST_ALL = 0; // Parsed headers. 103 static const PersistOptions PERSIST_SANS_COOKIES = 1 << 0; 104 static const PersistOptions PERSIST_SANS_CHALLENGES = 1 << 1; 105 static const PersistOptions PERSIST_SANS_HOP_BY_HOP = 1 << 2; 106 static const PersistOptions PERSIST_SANS_NON_CACHEABLE = 1 << 3; 107 static const PersistOptions PERSIST_SANS_RANGES = 1 << 4; 108 static const PersistOptions PERSIST_SANS_SECURITY_STATE = 1 << 5; 109 110 struct FreshnessLifetimes { 111 // How long the resource will be fresh for. 112 base::TimeDelta freshness; 113 // How long after becoming not fresh that the resource will be stale but 114 // usable (if async revalidation is enabled). 115 base::TimeDelta staleness; 116 }; 117 118 static const char kContentRange[]; 119 static const char kLastModified[]; 120 static const char kVary[]; 121 122 HttpResponseHeaders() = delete; 123 124 // Parses the given raw_headers. raw_headers should be formatted thus: 125 // includes the http status response line, each line is \0-terminated, and 126 // it's terminated by an empty line (ie, 2 \0s in a row). 127 // (Note that line continuations should have already been joined; 128 // see HttpUtil::AssembleRawHeaders) 129 // 130 // HttpResponseHeaders does not perform any encoding changes on the input. 131 // 132 explicit HttpResponseHeaders(const std::string& raw_headers); 133 134 // Initializes from the representation stored in the given pickle. The data 135 // for this object is found relative to the given pickle_iter, which should 136 // be passed to the pickle's various Read* methods. 137 explicit HttpResponseHeaders(base::PickleIterator* pickle_iter); 138 139 // Use Builder::Build() rather than calling this directly. The BuilderPassKey 140 // prevents accidental use from other code. 141 HttpResponseHeaders( 142 BuilderPassKey, 143 HttpVersion version, 144 std::string_view status, 145 base::span<const std::pair<std::string_view, std::string_view>> headers); 146 147 // Takes headers as an ASCII string and tries to parse them as HTTP response 148 // headers. returns nullptr on failure. Unlike the HttpResponseHeaders 149 // constructor that takes a std::string, HttpUtil::AssembleRawHeaders should 150 // not be called on |headers| before calling this method. 151 static scoped_refptr<HttpResponseHeaders> TryToCreate( 152 std::string_view headers); 153 154 // Takes content_type as an ASCII string and tries to combine it with the HTTP 155 // status line for data: URLs. Returns nullptr on failure. Unlike TryToCreate, 156 // HttpUtil::AssembleRawHeaders does not need to be called as the raw headers 157 // are already known. 158 static scoped_refptr<HttpResponseHeaders> TryToCreateForDataURL( 159 std::string_view content_type); 160 161 HttpResponseHeaders(const HttpResponseHeaders&) = delete; 162 HttpResponseHeaders& operator=(const HttpResponseHeaders&) = delete; 163 164 // Appends a representation of this object to the given pickle. 165 // The options argument can be a combination of PersistOptions. 166 void Persist(base::Pickle* pickle, PersistOptions options); 167 168 // Performs header merging as described in 13.5.3 of RFC 2616. 169 void Update(const HttpResponseHeaders& new_headers); 170 171 // Removes all instances of a particular header. 172 void RemoveHeader(std::string_view name); 173 174 // Removes all instances of particular headers. 175 void RemoveHeaders(const std::unordered_set<std::string>& header_names); 176 177 // Removes a particular header line. The header name is compared 178 // case-insensitively. 179 void RemoveHeaderLine(const std::string& name, const std::string& value); 180 181 // Adds the specified response header. If a header with the same name is 182 // already stored, the two headers are not merged together by this method; the 183 // one provided is simply put at the end of the list. 184 void AddHeader(std::string_view name, std::string_view value); 185 186 // Sets the specified response header, removing any matching old one if 187 // present. The new header is added to the end of the header list, rather than 188 // replacing the old one. This is the same as calling RemoveHeader() followed 189 // be SetHeader(). 190 void SetHeader(std::string_view name, std::string_view value); 191 192 // Adds a cookie header. |cookie_string| should be the header value without 193 // the header name (Set-Cookie). 194 void AddCookie(const std::string& cookie_string); 195 196 // Replaces the current status line with the provided one (|new_status| should 197 // not have any EOL). 198 void ReplaceStatusLine(const std::string& new_status); 199 200 // Updates headers (Content-Length and Content-Range) in the |headers| to 201 // include the right content length and range for |byte_range|. This also 202 // updates HTTP status line if |replace_status_line| is true. 203 // |byte_range| must have a valid, bounded range (i.e. coming from a valid 204 // response or should be usable for a response). 205 void UpdateWithNewRange(const HttpByteRange& byte_range, 206 int64_t resource_size, 207 bool replace_status_line); 208 209 // Fetches the "normalized" value of a single header, where all values for the 210 // header name are separated by commas. This will be the sequence of strings 211 // that would be returned from repeated calls to EnumerateHeader, joined by 212 // the string ", ". 213 // 214 // Returns std::nullopt if this header wasn't found. 215 // 216 // Example: 217 // Foo: a, b,c 218 // Foo: d 219 // 220 // std::optional<std::string> value = GetNormalizedHeader("Foo"); 221 // // Now, |value| is "a, b, c, d". 222 // 223 // NOTE: Do not make any assumptions about the encoding of this output 224 // string. It may be non-ASCII, and the encoding used by the server is not 225 // necessarily known to us. Do not assume that this output is UTF-8! 226 [[nodiscard]] std::optional<std::string> GetNormalizedHeader( 227 std::string_view name) const; 228 229 // Returns the normalized status line. 230 std::string GetStatusLine() const; 231 232 // Get the HTTP version of the normalized status line. GetHttpVersion()233 HttpVersion GetHttpVersion() const { 234 return http_version_; 235 } 236 237 // Get the HTTP status text of the normalized status line. 238 std::string GetStatusText() const; 239 240 // Enumerate the "lines" of the response headers. This skips over the status 241 // line. Use GetStatusLine if you are interested in that. Note that this 242 // method returns the un-coalesced response header lines, so if a response 243 // header appears on multiple lines, then it will appear multiple times in 244 // this enumeration (in the order the header lines were received from the 245 // server). Also, a given header might have an empty value. Initialize a 246 // 'size_t' variable to 0 and pass it by address to EnumerateHeaderLines. 247 // Call EnumerateHeaderLines repeatedly until it returns false. The 248 // out-params 'name' and 'value' are set upon success. 249 // 250 // WARNING: In effect, repeatedly calling EnumerateHeaderLines should return 251 // the same collection of (name, value) pairs that you'd obtain from passing 252 // each header name into EnumerateHeader and repeatedly calling 253 // EnumerateHeader. This means the output will *not* necessarily correspond to 254 // the verbatim lines of the headers. For instance, given 255 // Foo: a, b 256 // Foo: c 257 // EnumerateHeaderLines will output ("Foo", "a"), ("Foo", "b"), and 258 // ("Foo", "c"). 259 bool EnumerateHeaderLines(size_t* iter, 260 std::string* name, 261 std::string* value) const; 262 263 // Enumerate the values of the specified header. If you are only interested 264 // in the first header, then you can pass nullptr for the 'iter' parameter. 265 // Otherwise, to iterate across all values for the specified header, 266 // initialize a 'size_t' variable to 0 and pass it by address to 267 // EnumerateHeader. Note that a header might have an empty value. Call 268 // EnumerateHeader repeatedly until it returns std::nullopt. 269 // 270 // The returned value remains valid for the lifetime of HttpResponseHeaders, 271 // or until the headers are modified, so it is legal to hold onto a returned 272 // string_view while continuing to enumerate other values for a header. 273 // 274 // Unless a header is explicitly marked as non-coalescing (see 275 // HttpUtil::IsNonCoalescingHeader), headers that contain 276 // comma-separated lists are treated "as if" they had been sent as 277 // distinct headers. That is, a header of "Foo: a, b, c" would 278 // enumerate into distinct values of "a", "b", and "c". This is also 279 // true for headers that occur multiple times in a response; unless 280 // they are marked non-coalescing, "Foo: a, b" followed by "Foo: c" 281 // will enumerate to "a", "b", "c". Commas inside quoted strings are ignored, 282 // for example a header of 'Foo: "a, b", "c"' would enumerate as '"a, b"', 283 // '"c"'. 284 // 285 // This can cause issues for headers that might have commas in fields that 286 // aren't quoted strings, for example a header of "Foo: <a, b>, <c>" would 287 // enumerate as '<a', 'b>', '<c>', rather than as '<a, b>', '<c>'. 288 // 289 // To handle cases such as this, use GetNormalizedHeader to return the full 290 // concatenated header, and then parse manually. 291 std::optional<std::string_view> EnumerateHeader(size_t* iter, 292 std::string_view name) const; 293 294 // Deprecated overload of EnumerateHeader. Returns a bool instead of an 295 // options, which is false once all headers with the provided name have been 296 // enumerated, and copies the header's value to `value` whenever it returns 297 // true. 298 bool EnumerateHeader(size_t* iter, 299 std::string_view name, 300 std::string* value) const; 301 302 // Returns true if the response contains the specified header-value pair. 303 // Both name and value are compared case insensitively. 304 bool HasHeaderValue(std::string_view name, std::string_view value) const; 305 306 // Returns true if the response contains the specified header. 307 // The name is compared case insensitively. 308 bool HasHeader(std::string_view name) const; 309 310 // Get the mime type and charset values in lower case form from the headers. 311 // Empty strings are returned if the values are not present. 312 void GetMimeTypeAndCharset(std::string* mime_type, 313 std::string* charset) const; 314 315 // Get the mime type in lower case from the headers. If there's no mime 316 // type, returns false. 317 bool GetMimeType(std::string* mime_type) const; 318 319 // Get the charset in lower case from the headers. If there's no charset, 320 // returns false. 321 bool GetCharset(std::string* charset) const; 322 323 // Returns true if this response corresponds to a redirect. The target 324 // location of the redirect is optionally returned if location is non-null. 325 bool IsRedirect(std::string* location) const; 326 327 // Returns true if this response included the `Activate-Storage-Access: retry; 328 // allowed-origin=...` header and the "allowed-origin" parameter matched the 329 // `expected_origin`. 330 bool HasStorageAccessRetryHeader(const std::string* expected_origin) const; 331 332 // Returns true if the HTTP response code passed in corresponds to a 333 // redirect. 334 static bool IsRedirectResponseCode(int response_code); 335 336 // Returns VALIDATION_NONE if the response can be reused without 337 // validation. VALIDATION_ASYNCHRONOUS means the response can be re-used, but 338 // asynchronous revalidation must be performed. VALIDATION_SYNCHRONOUS means 339 // that the result cannot be reused without revalidation. 340 // The result is relative to the current_time parameter, which is 341 // a parameter to support unit testing. The request_time parameter indicates 342 // the time at which the request was made that resulted in this response, 343 // which was received at response_time. 344 ValidationType RequiresValidation(const base::Time& request_time, 345 const base::Time& response_time, 346 const base::Time& current_time) const; 347 348 // Calculates the amount of time the server claims the response is fresh from 349 // the time the response was generated. See section 13.2.4 of RFC 2616. See 350 // RequiresValidation for a description of the response_time parameter. See 351 // the definition of FreshnessLifetimes above for the meaning of the return 352 // value. See RFC 5861 section 3 for the definition of 353 // stale-while-revalidate. 354 FreshnessLifetimes GetFreshnessLifetimes( 355 const base::Time& response_time) const; 356 357 // Returns the age of the response. See section 13.2.3 of RFC 2616. 358 // See RequiresValidation for a description of this method's parameters. 359 base::TimeDelta GetCurrentAge(const base::Time& request_time, 360 const base::Time& response_time, 361 const base::Time& current_time) const; 362 363 // The following methods extract values from the response headers. If a value 364 // is not present, or is invalid, then std::nullopt is returned. Otherwise, 365 // the value is returned directly. 366 std::optional<base::TimeDelta> GetMaxAgeValue() const; 367 std::optional<base::TimeDelta> GetAgeValue() const; 368 std::optional<base::Time> GetDateValue() const; 369 std::optional<base::Time> GetLastModifiedValue() const; 370 std::optional<base::Time> GetExpiresValue() const; 371 std::optional<base::TimeDelta> GetStaleWhileRevalidateValue() const; 372 373 // Extracts the time value of a particular header. This method looks for the 374 // first matching header value and parses its value as a HTTP-date. 375 std::optional<base::Time> GetTimeValuedHeader(const std::string& name) const; 376 377 // Determines if this response indicates a keep-alive connection. 378 bool IsKeepAlive() const; 379 380 // Returns true if this response has a strong etag or last-modified header. 381 // See section 13.3.3 of RFC 2616. 382 bool HasStrongValidators() const; 383 384 // Returns true if this response has any validator (either a Last-Modified or 385 // an ETag) regardless of whether it is strong or weak. See section 13.3.3 of 386 // RFC 2616. 387 bool HasValidators() const; 388 389 // Extracts the value of the Content-Length header or returns -1 if there is 390 // no such header in the response. 391 int64_t GetContentLength() const; 392 393 // Extracts the value of the specified header or returns -1 if there is no 394 // such header in the response. 395 int64_t GetInt64HeaderValue(const std::string& header) const; 396 397 // Extracts the values in a Content-Range header and returns true if all three 398 // values are present and valid for a 206 response; otherwise returns false. 399 // The following values will be outputted: 400 // |*first_byte_position| = inclusive position of the first byte of the range 401 // |*last_byte_position| = inclusive position of the last byte of the range 402 // |*instance_length| = size in bytes of the object requested 403 // If this method returns false, then all of the outputs will be -1. 404 bool GetContentRangeFor206(int64_t* first_byte_position, 405 int64_t* last_byte_position, 406 int64_t* instance_length) const; 407 408 // Returns true if the response is chunk-encoded. 409 bool IsChunkEncoded() const; 410 411 // Creates a Value for use with the NetLog containing the response headers. 412 base::Value::Dict NetLogParams(NetLogCaptureMode capture_mode) const; 413 414 // Returns the HTTP response code. This is 0 if the response code text seems 415 // to exist but could not be parsed. Otherwise, it defaults to 200 if the 416 // response code is not found in the raw headers. response_code()417 int response_code() const { return response_code_; } 418 419 // Returns the raw header string. raw_headers()420 const std::string& raw_headers() const { return raw_headers_; } 421 422 // Returns true if |name| is a cookie related header name. This is consistent 423 // with |PERSIST_SANS_COOKIES|. 424 static bool IsCookieResponseHeader(std::string_view name); 425 426 // Write a representation of this object into tracing proto. 427 void WriteIntoTrace(perfetto::TracedValue context) const; 428 429 // Returns true if this instance precises matches another. This is stronger 430 // than semantic equality as it is intended for verification that the new 431 // Builder implementation works correctly. 432 bool StrictlyEquals(const HttpResponseHeaders& other) const; 433 434 private: 435 friend class base::RefCountedThreadSafe<HttpResponseHeaders>; 436 437 using HeaderSet = std::unordered_set<std::string>; 438 439 // The members of this structure point into raw_headers_. 440 struct ParsedHeader; 441 typedef std::vector<ParsedHeader> HeaderList; 442 443 // Whether or not a header value passed to the private AddHeader() method 444 // contains commas. 445 enum class ContainsCommas { 446 kNo, // Definitely no commas. No need to parse it. 447 kYes, // Contains commas. Needs to be parsed. 448 kMaybe, // Unknown whether commas are present. Needs to be parsed. 449 }; 450 451 ~HttpResponseHeaders(); 452 453 // Initializes from the given raw headers. 454 void Parse(const std::string& raw_input); 455 456 // Helper function for ParseStatusLine. 457 // Tries to extract the "HTTP/X.Y" from a status line formatted like: 458 // HTTP/1.1 200 OK 459 // with line_begin and end pointing at the begin and end of this line. If the 460 // status line is malformed, returns HttpVersion(0,0). 461 static HttpVersion ParseVersion(std::string::const_iterator line_begin, 462 std::string::const_iterator line_end); 463 464 // Tries to extract the status line from a header block, given the first 465 // line of said header block. If the status line is malformed, we'll 466 // construct a valid one. Example input: 467 // HTTP/1.1 200 OK 468 // with line_begin and end pointing at the begin and end of this line. 469 // Output will be a normalized version of this. 470 void ParseStatusLine(std::string::const_iterator line_begin, 471 std::string::const_iterator line_end, 472 bool has_headers); 473 474 // Find the header in our list (case-insensitive) starting with |parsed_| at 475 // index |from|. Returns string::npos if not found. 476 size_t FindHeader(size_t from, std::string_view name) const; 477 478 // Search the Cache-Control header for a directive matching |directive|. If 479 // present, treat its value as a time offset in seconds. 480 std::optional<base::TimeDelta> GetCacheControlDirective( 481 std::string_view directive) const; 482 483 // Add header->value pair(s) to our list. The value will be split into 484 // multiple values if it contains unquoted commas. If `contains_commas` is 485 // ContainsCommas::kNo then the value will not be parsed as a performance 486 // optimization. 487 void AddHeader(std::string::const_iterator name_begin, 488 std::string::const_iterator name_end, 489 std::string::const_iterator value_begin, 490 std::string::const_iterator value_end, 491 ContainsCommas contains_commas); 492 493 // Add to parsed_ given the fields of a ParsedHeader object. 494 void AddToParsed(std::string::const_iterator name_begin, 495 std::string::const_iterator name_end, 496 std::string::const_iterator value_begin, 497 std::string::const_iterator value_end); 498 499 // Replaces the current headers with the merged version of `raw_headers` and 500 // the current headers without the headers in `headers_to_remove`. Note that 501 // `headers_to_remove` are removed from the current headers (before the 502 // merge), not after the merge. 503 // `raw_headers` is a std::string, not a const reference to a std::string, 504 // to avoid a potentially excessive copy. 505 void MergeWithHeaders(std::string raw_headers, 506 const HeaderSet& headers_to_remove); 507 508 // Adds the values from any 'cache-control: no-cache="foo,bar"' headers. 509 void AddNonCacheableHeaders(HeaderSet* header_names) const; 510 511 // Adds the set of header names that contain cookie values. 512 static void AddSensitiveHeaders(HeaderSet* header_names); 513 514 // Adds the set of rfc2616 hop-by-hop response headers. 515 static void AddHopByHopHeaders(HeaderSet* header_names); 516 517 // Adds the set of challenge response headers. 518 static void AddChallengeHeaders(HeaderSet* header_names); 519 520 // Adds the set of cookie response headers. 521 static void AddCookieHeaders(HeaderSet* header_names); 522 523 // Adds the set of content range response headers. 524 static void AddHopContentRangeHeaders(HeaderSet* header_names); 525 526 // Adds the set of transport security state headers. 527 static void AddSecurityStateHeaders(HeaderSet* header_names); 528 529 // We keep a list of ParsedHeader objects. These tell us where to locate the 530 // header-value pairs within raw_headers_. 531 HeaderList parsed_; 532 533 // The raw_headers_ consists of the normalized status line (terminated with a 534 // null byte) and then followed by the raw null-terminated headers from the 535 // input that was passed to our constructor. We preserve the input [*] to 536 // maintain as much ancillary fidelity as possible (since it is sometimes 537 // hard to tell what may matter down-stream to a consumer of XMLHttpRequest). 538 // [*] The status line may be modified. 539 std::string raw_headers_; 540 541 // This is the parsed HTTP response code. 542 int response_code_; 543 544 // The normalized http version (consistent with what GetStatusLine() returns). 545 HttpVersion http_version_; 546 }; 547 548 using ResponseHeadersCallback = 549 base::RepeatingCallback<void(scoped_refptr<const HttpResponseHeaders>)>; 550 551 } // namespace net 552 553 #endif // NET_HTTP_HTTP_RESPONSE_HEADERS_H_ 554