[WIP] off-main-thread loading

third_party/WebKit/Source/platform/loader/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 131 matching lines @@
   builder.append(
       " Have the server send the header with a valid value, or, if an "
       "opaque response serves your needs, set the request's mode to "
       "'no-cors' to fetch the resource with CORS disabled.");
 }
 
 CrossOriginAccessControl::AccessStatus CrossOriginAccessControl::checkAccess(
     const ResourceResponse& response,
     StoredCredentials includeCredentials,
     const SecurityOrigin* securityOrigin) {
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allowOriginHeaderName,
-      (new AtomicString("access-control-allow-origin")));
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allowCredentialsHeaderName,
-      (new AtomicString("access-control-allow-credentials")));
-  DEFINE_THREAD_SAFE_STATIC_LOCAL(
-      AtomicString, allowSuboriginHeaderName,
-      (new AtomicString("access-control-allow-suborigin")));
+  static const char allowOriginHeaderName[] = "access-control-allow-origin";
+  static const char allowCredentialsHeaderName[] =
+      "access-control-allow-credentials";
+  static const char allowSuboriginHeaderName[] =
+      "access-control-allow-suborigin";
 
   int statusCode = response.httpStatusCode();
   if (!statusCode)
     return kInvalidResponse;
 
   const AtomicString& allowOriginHeaderValue =
       response.httpHeaderField(allowOriginHeaderName);
 
   // Check Suborigins, unless the Access-Control-Allow-Origin is '*', which
   // implies that all Suborigins are okay as well.
   if (securityOrigin->hasSuborigin() && allowOriginHeaderValue != starAtom) {
     const AtomicString& allowSuboriginHeaderValue =
         response.httpHeaderField(allowSuboriginHeaderName);
     AtomicString atomicSuboriginName(securityOrigin->suborigin()->name());
     if (allowSuboriginHeaderValue != starAtom &&
         allowSuboriginHeaderValue != atomicSuboriginName) {
       return kSubOriginMismatch;
     }
   }
-
-  if (allowOriginHeaderValue == starAtom) {
+  if (allowOriginHeaderValue == "*") {
     // A wildcard Access-Control-Allow-Origin can not be used if credentials are
     // to be sent, even with Access-Control-Allow-Credentials set to true.
     if (includeCredentials == DoNotAllowStoredCredentials)
       return kAccessAllowed;
     if (response.isHTTP()) {
       return kWildcardOriginNotAllowed;
     }
   } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) {
     if (allowOriginHeaderValue.isNull())
       return kMissingAllowOriginHeader;
@@ skipping 340 matching lines @@
     //
     // This is equivalent to the step 2 in
     // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
     if (options.credentialsRequested == ClientDidNotRequestCredentials)
       options.allowCredentials = DoNotAllowStoredCredentials;
   }
   return true;
 }
 
 }  // namespace blink