1 /* 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 */ 26 27 #ifndef CrossOriginAccessControl_h 28 #define CrossOriginAccessControl_h 29 30 #include "core/fetch/ResourceLoaderOptions.h" 31 #include "platform/network/ResourceRequest.h" 32 #include "wtf/Forward.h" 33 #include "wtf/HashSet.h" 34 35 namespace WebCore { 36 37 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; 38 39 class HTTPHeaderMap; 40 class Resource; 41 struct ResourceLoaderOptions; 42 class ResourceRequest; 43 class ResourceResponse; 44 class SecurityOrigin; 45 46 enum AccessControlStatus { 47 NotSharableCrossOrigin, 48 SharableCrossOrigin 49 }; 50 51 class CrossOriginAccessControl { 52 public: 53 static bool isLegalRedirectLocation(const KURL&, String& errorDescription); 54 static bool handleRedirect(Resource*, SecurityOrigin*, ResourceRequest&, const ResourceResponse&, ResourceLoaderOptions&, String&); 55 }; 56 57 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&); 58 bool isOnAccessControlSimpleRequestMethodWhitelist(const String&); 59 bool isOnAccessControlSimpleRequestHeaderWhitelist(const AtomicString& name, const AtomicString& value); 60 bool isOnAccessControlResponseHeaderWhitelist(const String&); 61 62 void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, StoredCredentials); 63 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*); 64 65 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription); 66 bool passesPreflightStatusCheck(const ResourceResponse&, String& errorDescription); 67 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&); 68 69 } // namespace WebCore 70 71 #endif // CrossOriginAccessControl_h 72