OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. | 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 131 matching lines...)
142 builder.append( | 142 builder.append( |
143 " Have the server send the header with a valid value, or, if an " | 143 " Have the server send the header with a valid value, or, if an " |
144 "opaque response serves your needs, set the request's mode to " | 144 "opaque response serves your needs, set the request's mode to " |
145 "'no-cors' to fetch the resource with CORS disabled."); | 145 "'no-cors' to fetch the resource with CORS disabled."); |
146 } | 146 } |
147 | 147 |
148 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::checkAccess( | 148 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::checkAccess( |
149 const ResourceResponse& response, | 149 const ResourceResponse& response, |
150 StoredCredentials includeCredentials, | 150 StoredCredentials includeCredentials, |
151 const SecurityOrigin* securityOrigin) { | 151 const SecurityOrigin* securityOrigin) { |
152 DEFINE_THREAD_SAFE_STATIC_LOCAL( | 152 static const char allowOriginHeaderName[] = "access-control-allow-origin"; |
153 AtomicString, allowOriginHeaderName, | 153 static const char allowCredentialsHeaderName[] = |
154 (new AtomicString("access-control-allow-origin"))); | 154 "access-control-allow-credentials"; |
155 DEFINE_THREAD_SAFE_STATIC_LOCAL( | 155 static const char allowSuboriginHeaderName[] = |
156 AtomicString, allowCredentialsHeaderName, | 156 "access-control-allow-suborigin"; |
157 (new AtomicString("access-control-allow-credentials"))); | |
158 DEFINE_THREAD_SAFE_STATIC_LOCAL( | |
159 AtomicString, allowSuboriginHeaderName, | |
160 (new AtomicString("access-control-allow-suborigin"))); | |
161 | 157 |
162 int statusCode = response.httpStatusCode(); | 158 int statusCode = response.httpStatusCode(); |
163 if (!statusCode) | 159 if (!statusCode) |
164 return kInvalidResponse; | 160 return kInvalidResponse; |
165 | 161 |
166 const AtomicString& allowOriginHeaderValue = | 162 const AtomicString& allowOriginHeaderValue = |
167 response.httpHeaderField(allowOriginHeaderName); | 163 response.httpHeaderField(allowOriginHeaderName); |
168 | 164 |
169 // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which | 165 // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which |
170 // implies that all Suborigins are okay as well. | 166 // implies that all Suborigins are okay as well. |
171 if (securityOrigin->hasSuborigin() && allowOriginHeaderValue != starAtom) { | 167 if (securityOrigin->hasSuborigin() && allowOriginHeaderValue != starAtom) { |
172 const AtomicString& allowSuboriginHeaderValue = | 168 const AtomicString& allowSuboriginHeaderValue = |
173 response.httpHeaderField(allowSuboriginHeaderName); | 169 response.httpHeaderField(allowSuboriginHeaderName); |
174 AtomicString atomicSuboriginName(securityOrigin->suborigin()->name()); | 170 AtomicString atomicSuboriginName(securityOrigin->suborigin()->name()); |
175 if (allowSuboriginHeaderValue != starAtom && | 171 if (allowSuboriginHeaderValue != starAtom && |
176 allowSuboriginHeaderValue != atomicSuboriginName) { | 172 allowSuboriginHeaderValue != atomicSuboriginName) { |
177 return kSubOriginMismatch; | 173 return kSubOriginMismatch; |
178 } | 174 } |
179 } | 175 } |
180 | 176 if (allowOriginHeaderValue == "*") { |
181 if (allowOriginHeaderValue == starAtom) { | |
182 // A wildcard Access-Control-Allow-Origin can not be used if credentials are | 177 // A wildcard Access-Control-Allow-Origin can not be used if credentials are |
183 // to be sent, even with Access-Control-Allow-Credentials set to true. | 178 // to be sent, even with Access-Control-Allow-Credentials set to true. |
184 if (includeCredentials == DoNotAllowStoredCredentials) | 179 if (includeCredentials == DoNotAllowStoredCredentials) |
185 return kAccessAllowed; | 180 return kAccessAllowed; |
186 if (response.isHTTP()) { | 181 if (response.isHTTP()) { |
187 return kWildcardOriginNotAllowed; | 182 return kWildcardOriginNotAllowed; |
188 } | 183 } |
189 } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) { | 184 } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) { |
190 if (allowOriginHeaderValue.isNull()) | 185 if (allowOriginHeaderValue.isNull()) |
191 return kMissingAllowOriginHeader; | 186 return kMissingAllowOriginHeader; |
(...skipping 340 matching lines...)
532 // | 527 // |
533 // This is equivalent to the step 2 in | 528 // This is equivalent to the step 2 in |
534 // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch | 529 // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch |
535 if (options.credentialsRequested == ClientDidNotRequestCredentials) | 530 if (options.credentialsRequested == ClientDidNotRequestCredentials) |
536 options.allowCredentials = DoNotAllowStoredCredentials; | 531 options.allowCredentials = DoNotAllowStoredCredentials; |
537 } | 532 } |
538 return true; | 533 return true; |
539 } | 534 } |
540 | 535 |
541 } // namespace blink | 536 } // namespace blink |
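Review bot: The wildcard test in checkAccess is now spelled two ways: new line 176 compares `allowOriginHeaderValue` against the literal `"*"`, while new lines 167 and 171 in the suborigin branch still compare against `starAtom`. If the aim is to stop relying on AtomicString statics in this function (inferred from the header-name constants becoming plain char arrays), those two checks keep the dependency. If it is not, the literal at line 176 is an unexplained inconsistency in an access-control decision. Use one form throughout, e.g. `if (securityOrigin->hasSuborigin() && allowOriginHeaderValue != "*") {` and `if (allowSuboriginHeaderValue != "*" &&`, assuming AtomicString has a matching `!=` overload for `const char*`. The blank line that separated the suborigin block from the origin check was also dropped at new line 176 and is worth restoring; checkAccess continues past the visible lines.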
OLD | NEW |