1 /*
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 */
26
27 #include "config.h"
28 #include "CrossOriginAccessControl.h"
29
30 #include "HTTPParsers.h"
31 #include "ResourceResponse.h"
32 #include "SecurityOrigin.h"
33 #include <wtf/HashSet.h>
34 #include <wtf/Threading.h>
35 #include <wtf/text/AtomicString.h>
36
37 namespace WebCore {
38
isOnAccessControlSimpleRequestMethodWhitelist(const String & method)39 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
40 {
41 return method == "GET" || method == "HEAD" || method == "POST";
42 }
43
isOnAccessControlSimpleRequestHeaderWhitelist(const String & name,const String & value)44 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value)
45 {
46 if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language"))
47 return true;
48
49 // Preflight is required for MIME types that can not be sent via form submission.
50 if (equalIgnoringCase(name, "content-type")) {
51 String mimeType = extractMIMETypeFromMediaType(value);
52 return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded")
53 || equalIgnoringCase(mimeType, "multipart/form-data")
54 || equalIgnoringCase(mimeType, "text/plain");
55 }
56
57 return false;
58 }
59
isSimpleCrossOriginAccessRequest(const String & method,const HTTPHeaderMap & headerMap)60 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
61 {
62 if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
63 return false;
64
65 HTTPHeaderMap::const_iterator end = headerMap.end();
66 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {
67 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first, it->second))
68 return false;
69 }
70
71 return true;
72 }
73
74 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;
createAllowedCrossOriginResponseHeadersSet()75 static PassOwnPtr<HTTPHeaderSet> createAllowedCrossOriginResponseHeadersSet()
76 {
77 OwnPtr<HTTPHeaderSet> headerSet = adoptPtr(new HashSet<String, CaseFoldingHash>);
78
79 headerSet->add("cache-control");
80 headerSet->add("content-language");
81 headerSet->add("content-type");
82 headerSet->add("expires");
83 headerSet->add("last-modified");
84 headerSet->add("pragma");
85
86 return headerSet.release();
87 }
88
isOnAccessControlResponseHeaderWhitelist(const String & name)89 bool isOnAccessControlResponseHeaderWhitelist(const String& name)
90 {
91 AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet().leakPtr());
92
93 return allowedCrossOriginResponseHeaders->contains(name);
94 }
95
passesAccessControlCheck(const ResourceResponse & response,bool includeCredentials,SecurityOrigin * securityOrigin,String & errorDescription)96 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
97 {
98 // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
99 // even with Access-Control-Allow-Credentials set to true.
100 const String& accessControlOriginString = response.httpHeaderField("Access-Control-Allow-Origin");
101 if (accessControlOriginString == "*" && !includeCredentials)
102 return true;
103
104 if (securityOrigin->isUnique()) {
105 errorDescription = "Cannot make any requests from " + securityOrigin->toString() + ".";
106 return false;
107 }
108
109 // FIXME: Access-Control-Allow-Origin can contain a list of origins.
110 RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
111 if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
112 errorDescription = (accessControlOriginString == "*") ? "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."
113 : "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin.";
114 return false;
115 }
116
117 if (includeCredentials) {
118 const String& accessControlCredentialsString = response.httpHeaderField("Access-Control-Allow-Credentials");
119 if (accessControlCredentialsString != "true") {
120 errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
121 return false;
122 }
123 }
124
125 return true;
126 }
127
128 } // namespace WebCore
129