• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
27 #include "config.h"
28 #include "CrossOriginAccessControl.h"
29 
30 #include "AtomicString.h"
31 #include "HTTPParsers.h"
32 #include "ResourceResponse.h"
33 #include "SecurityOrigin.h"
34 #include <wtf/Threading.h>
35 
36 namespace WebCore {
37 
isOnAccessControlSimpleRequestMethodWhitelist(const String & method)38 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
39 {
40     return method == "GET" || method == "HEAD" || method == "POST";
41 }
42 
isOnAccessControlSimpleRequestHeaderWhitelist(const String & name,const String & value)43 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value)
44 {
45     if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language"))
46         return true;
47 
48     // Preflight is required for MIME types that can not be sent via form submission.
49     if (equalIgnoringCase(name, "content-type")) {
50         String mimeType = extractMIMETypeFromMediaType(value);
51         return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded")
52             || equalIgnoringCase(mimeType, "multipart/form-data")
53             || equalIgnoringCase(mimeType, "text/plain");
54     }
55 
56     return false;
57 }
58 
isSimpleCrossOriginAccessRequest(const String & method,const HTTPHeaderMap & headerMap)59 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
60 {
61     if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
62         return false;
63 
64     HTTPHeaderMap::const_iterator end = headerMap.end();
65     for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {
66         if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first, it->second))
67             return false;
68     }
69 
70     return true;
71 }
72 
73 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;
createAllowedCrossOriginResponseHeadersSet()74 static HTTPHeaderSet* createAllowedCrossOriginResponseHeadersSet()
75 {
76     HTTPHeaderSet* headerSet = new HashSet<String, CaseFoldingHash>;
77 
78     headerSet->add("cache-control");
79     headerSet->add("content-language");
80     headerSet->add("content-type");
81     headerSet->add("expires");
82     headerSet->add("last-modified");
83     headerSet->add("pragma");
84 
85     return headerSet;
86 }
87 
isOnAccessControlResponseHeaderWhitelist(const String & name)88 bool isOnAccessControlResponseHeaderWhitelist(const String& name)
89 {
90     AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet());
91 
92     return allowedCrossOriginResponseHeaders->contains(name);
93 }
94 
passesAccessControlCheck(const ResourceResponse & response,bool includeCredentials,SecurityOrigin * securityOrigin)95 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin)
96 {
97     // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
98     // even with Access-Control-Allow-Credentials set to true.
99     const String& accessControlOriginString = response.httpHeaderField("Access-Control-Allow-Origin");
100     if (accessControlOriginString == "*" && !includeCredentials)
101         return true;
102 
103     RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
104     if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin))
105         return false;
106 
107     if (includeCredentials) {
108         const String& accessControlCredentialsString = response.httpHeaderField("Access-Control-Allow-Credentials");
109         if (accessControlCredentialsString != "true")
110             return false;
111     }
112 
113     return true;
114 }
115 
116 } // namespace WebCore
117