| /* |
| * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * |
| * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY |
| * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR |
| * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
| * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
| * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
| * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| * |
| */ |
| |
| #include "config.h" |
| #include "CrossOriginAccessControl.h" |
| |
| #include "HTTPHeaderNames.h" |
| #include "HTTPParsers.h" |
| #include "ResourceRequest.h" |
| #include "ResourceResponse.h" |
| #include "SchemeRegistry.h" |
| #include "SecurityOrigin.h" |
| #include <mutex> |
| #include <wtf/NeverDestroyed.h> |
| #include <wtf/text/AtomicString.h> |
| #include <wtf/text/StringBuilder.h> |
| |
| namespace WebCore { |
| |
| bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method) |
| { |
| return method == "GET" || method == "HEAD" || method == "POST"; |
| } |
| |
| bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName name, const String& value) |
| { |
| switch (name) { |
| case HTTPHeaderName::Accept: |
| case HTTPHeaderName::AcceptLanguage: |
| case HTTPHeaderName::ContentLanguage: |
| return true; |
| case HTTPHeaderName::ContentType: { |
| // Preflight is required for MIME types that can not be sent via form submission. |
| String mimeType = extractMIMETypeFromMediaType(value); |
| return equalIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") |
| || equalIgnoringASCIICase(mimeType, "multipart/form-data") |
| || equalIgnoringASCIICase(mimeType, "text/plain"); |
| } |
| default: |
| return false; |
| } |
| } |
| |
| bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap) |
| { |
| if (!isOnAccessControlSimpleRequestMethodWhitelist(method)) |
| return false; |
| |
| for (const auto& header : headerMap) { |
| if (!header.keyAsHTTPHeaderName || !isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value)) |
| return false; |
| } |
| |
| return true; |
| } |
| |
| bool isOnAccessControlResponseHeaderWhitelist(const String& name) |
| { |
| static std::once_flag onceFlag; |
| static LazyNeverDestroyed<HTTPHeaderSet> allowedCrossOriginResponseHeaders; |
| |
| std::call_once(onceFlag, []{ |
| allowedCrossOriginResponseHeaders.construct<std::initializer_list<String>>({ |
| "cache-control", |
| "content-language", |
| "content-type", |
| "expires", |
| "last-modified", |
| "pragma" |
| }); |
| }); |
| |
| return allowedCrossOriginResponseHeaders.get().contains(name); |
| } |
| |
| void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials) |
| { |
| request.removeCredentials(); |
| request.setAllowCookies(allowCredentials == AllowStoredCredentials); |
| request.setHTTPOrigin(securityOrigin.toString()); |
| } |
| |
| ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin) |
| { |
| ResourceRequest preflightRequest(request.url()); |
| updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials); |
| preflightRequest.setHTTPMethod("OPTIONS"); |
| preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod()); |
| preflightRequest.setPriority(request.priority()); |
| |
| const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); |
| |
| if (!requestHeaderFields.isEmpty()) { |
| Vector<String> unsafeHeaders; |
| for (const auto& headerField : requestHeaderFields.commonHeaders()) { |
| if (!isCrossOriginSafeRequestHeader(headerField.key, headerField.value)) |
| unsafeHeaders.append(httpHeaderNameString(headerField.key).toStringWithoutCopying().convertToASCIILowercase()); |
| } |
| for (const auto& headerField : requestHeaderFields.uncommonHeaders()) |
| unsafeHeaders.append(headerField.key.convertToASCIILowercase()); |
| |
| std::sort(unsafeHeaders.begin(), unsafeHeaders.end(), WTF::codePointCompareLessThan); |
| |
| StringBuilder headerBuffer; |
| |
| bool appendComma = false; |
| for (const auto& headerField : unsafeHeaders) { |
| if (appendComma) |
| headerBuffer.append(','); |
| else |
| appendComma = true; |
| |
| headerBuffer.append(headerField); |
| } |
| preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString()); |
| } |
| |
| return preflightRequest; |
| } |
| |
| bool isValidCrossOriginRedirectionURL(const URL& redirectURL) |
| { |
| return SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(redirectURL.protocol()) |
| && redirectURL.user().isEmpty() |
| && redirectURL.pass().isEmpty(); |
| } |
| |
| void cleanRedirectedRequestForAccessControl(ResourceRequest& request) |
| { |
| // Remove headers that may have been added by the network layer that cause access control to fail. |
| request.clearHTTPContentType(); |
| request.clearHTTPReferrer(); |
| request.clearHTTPOrigin(); |
| request.clearHTTPUserAgent(); |
| request.clearHTTPAccept(); |
| request.clearHTTPAcceptEncoding(); |
| } |
| |
| bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription) |
| { |
| // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent, |
| // even with Access-Control-Allow-Credentials set to true. |
| const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin); |
| if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials) |
| return true; |
| |
| // FIXME: Access-Control-Allow-Origin can contain a list of origins. |
| if (accessControlOriginString != securityOrigin.toString()) { |
| if (accessControlOriginString == "*") |
| errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."; |
| else |
| errorDescription = "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin."; |
| return false; |
| } |
| |
| if (includeCredentials == AllowStoredCredentials) { |
| const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials); |
| if (accessControlCredentialsString != "true") { |
| errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\"."; |
| return false; |
| } |
| } |
| |
| return true; |
| } |
| |
| } // namespace WebCore |
