Changeset 105076 in webkit


Timestamp: Jan 16, 2012 10:42:03 AM (12 years ago)
Author: commit-queue@webkit.org
Message:

https://bugs.webkit.org/show_bug.cgi?id=41210
Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header

Source/WebCore:

Parsing the "Access-Control-Expose-Headers" in the XMLHttpRequest response header.
If the custom response-header is part of Access-Control-Expose-Headers, then consider that custom response-header as a valid one.

Patch by Joe Thomas <joethomas@motorola.com> on 2012-01-16
Reviewed by Alexey Proskuryakov.

Test: http/tests/xmlhttprequest/access-control-response-with-expose-headers.html

  • loader/CrossOriginAccessControl.cpp:

(WebCore::parseAccessControlExposeHeadersAllowList): parsing logic of Access-Control-Expose-Headers

  • loader/CrossOriginAccessControl.h:
  • xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::getAllResponseHeaders): checking whether the custom response-header is part of "Access-Control-Expose-Headers"
(WebCore::XMLHttpRequest::getResponseHeader): checking whether the custom response-header is part of "Access-Control-Expose-Headers"

LayoutTests:

Added test cases for Access-Control-Expose-Headers

Patch by Joe Thomas <joethomas@motorola.com> on 2012-01-16
Reviewed by Alexey Proskuryakov.

  • http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt: Added.
  • http/tests/xmlhttprequest/access-control-response-with-expose-headers.html: Added.
  • http/tests/xmlhttprequest/resources/access-control-response-with-expose-headers.php: Added.
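The rule this patch implements, as an added stand-alone C++ model that is not WebCore code: parse the server's Access-Control-Expose-Headers value into a case-insensitive set, then let a cross-origin XMLHttpRequest read a response header only if it is one of the CORS simple response headers (the six names WebKit's createAllowedCrossOriginResponseHeadersSet allows) or is named in that set. The function names, the HeaderSet/HeaderList types, the sample response and the Set-Cookie exclusion are this example's own assumptions, not WebKit's API; the sample deliberately uses sloppy list syntax (stray spaces, an empty item, a trailing comma) to show what the parser tolerates.

```cpp
// Added example, not WebCore code: a stand-alone model of the header-exposure
// rule the patch implements. Names and the sample response are constructed.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Header names compare case-insensitively (the role CaseFoldingHash plays in WebKit).
struct CaseInsensitiveLess {
    bool operator()(const std::string& a, const std::string& b) const {
        return std::lexicographical_compare(
            a.begin(), a.end(), b.begin(), b.end(),
            [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
    }
};
using HeaderSet = std::set<std::string, CaseInsensitiveLess>;
using HeaderList = std::vector<std::pair<std::string, std::string>>;

static bool equalIgnoreCase(const std::string& a, const std::string& b) {
    CaseInsensitiveLess lt;
    return !lt(a, b) && !lt(b, a);
}

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Same job as parseAccessControlExposeHeadersAllowList: split on ',', trim each
// item, drop empties. Items are stored verbatim; "*" is just a name that never matches.
HeaderSet parseExposeHeaders(const std::string& value) {
    HeaderSet out;
    size_t start = 0;
    while (start <= value.size()) {
        size_t comma = value.find(',', start);
        if (comma == std::string::npos) comma = value.size();
        std::string name = trim(value.substr(start, comma - start));
        if (!name.empty()) out.insert(name);
        start = comma + 1;
    }
    return out;
}

// CORS "simple response headers": readable cross-origin without any opt-in.
static const HeaderSet& simpleResponseHeaders() {
    static const HeaderSet s = {"Cache-Control", "Content-Language", "Content-Type",
                                "Expires", "Last-Modified", "Pragma"};
    return s;
}

// The patched getResponseHeader rule. Set-Cookie is withheld before the expose
// list is consulted (assumed policy here), so a server listing it gains nothing.
bool isReadableByScript(const std::string& name, bool sameOrigin, const HeaderSet& exposed) {
    static const HeaderSet forbidden = {"Set-Cookie", "Set-Cookie2"};
    if (forbidden.count(name)) return false;
    if (sameOrigin) return true;
    return simpleResponseHeaders().count(name) || exposed.count(name);
}

// The patched getAllResponseHeaders rule: collect every Access-Control-Expose-Headers
// line, then filter the response's headers through isReadableByScript.
HeaderList visibleHeaders(const HeaderList& response, bool sameOrigin) {
    HeaderSet exposed;
    for (const auto& h : response)
        if (equalIgnoreCase(h.first, "Access-Control-Expose-Headers"))
            for (const auto& n : parseExposeHeaders(h.second)) exposed.insert(n);
    HeaderList out;
    for (const auto& h : response)
        if (isReadableByScript(h.first, sameOrigin, exposed)) out.push_back(h);
    return out;
}

// Constructed sample: a cross-origin server exposes X-Request-Id, tries to expose
// Set-Cookie, and sends a debug header it did not list. Note the sloppy list syntax.
const HeaderList kSampleResponse = {
    {"Content-Type", "application/json"},
    {"X-Request-Id", "abc123"},
    {"X-Internal-Debug", "trace=on"},
    {"Set-Cookie", "session=secret"},
    {"Access-Control-Allow-Origin", "*"},
    {"Access-Control-Expose-Headers", " x-request-id , Set-Cookie,, "},
};

int main() {
    // Cross-origin: only Content-Type and X-Request-Id survive the filter.
    for (const auto& h : visibleHeaders(kSampleResponse, /*sameOrigin=*/false))
        std::printf("%s: %s\n", h.first.c_str(), h.second.c_str());
    return 0;
}
```

Two points the model makes visible: the expose list is purely additive on top of the simple-header set, so a server can widen what script reads but cannot reach a header the client withholds unconditionally; and because the check is name-based and case-folded, `x-request-id` in the list matches the `X-Request-Id` header exactly as a getResponseHeader("X-REQUEST-ID") call would.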
Location: trunk
Files: 3 added, 5 edited

  • trunk/LayoutTests/ChangeLog

    r105073 r105076  
     12012-01-16  Joe Thomas  <joethomas@motorola.com>
     2
     3        https://bugs.webkit.org/show_bug.cgi?id=41210
     4        Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header
     5
     6        Added test cases for Access-Control-Expose-Headers
     7
     8        Reviewed by Alexey Proskuryakov.
     9
     10        * http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt: Added.
     11        * http/tests/xmlhttprequest/access-control-response-with-expose-headers.html: Added.
     12        * http/tests/xmlhttprequest/resources/access-control-response-with-expose-headers.php: Added.
     13
    1142012-01-16  Alexander Pavlov  <apavlov@chromium.org>
    215
  • trunk/Source/WebCore/ChangeLog

    r105071 r105076  
     12012-01-16  Joe Thomas  <joethomas@motorola.com>
     2
     3        https://bugs.webkit.org/show_bug.cgi?id=41210
     4        Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header
     5
     6        Parsing the "Access-Control-Expose-Headers" in the XMLHTTPRequest response header.
     7        If the custom response-header is part of Access-Control-Expose-Headers, then consider that custom response-header as a valid one.
     8
     9        Reviewed by Alexey Proskuryakov.
     10
     11        Test: http/tests/xmlhttprequest/access-control-response-with-expose-headers.html
     12
     13        * loader/CrossOriginAccessControl.cpp:
     14        (WebCore::parseAccessControlExposeHeadersAllowList):  parsing logic of Access-Control-Expose-Headers
     15        * loader/CrossOriginAccessControl.h:
     16        * xml/XMLHttpRequest.cpp:
     17        (WebCore::XMLHttpRequest::getAllResponseHeaders): checking whether the custom response-header is part of "Access-Control-Expose-Headers"
     18        (WebCore::XMLHttpRequest::getResponseHeader):  checking whether the custom response-header is part of "Access-Control-Expose-Headers"
     19
    1202012-01-16  Pavel Feldman  <pfeldman@google.com>
    221
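Review bot: the description at ChangeLog line 6 spells the class as XMLHTTPRequest and is hard to parse ("Parsing the ... in the XMLHTTPRequest response header"); the class is XMLHttpRequest and the header lives on the response, not on the request object. Suggest: "Parse the Access-Control-Expose-Headers response header in XMLHttpRequest, and treat any response header it lists as readable by a cross-origin request."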
  • trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

    r95903 r105076  
    3131#include "ResourceResponse.h"
    3232#include "SecurityOrigin.h"
    33 #include <wtf/HashSet.h>
    3433#include <wtf/Threading.h>
    3534#include <wtf/text/AtomicString.h>
     
    7776}
    7877
    79 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;
    8078static PassOwnPtr<HTTPHeaderSet> createAllowedCrossOriginResponseHeadersSet()
    8179{
     
    172170}
    173171
     172void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
     173{
     174    Vector<String> headers;
     175    headerValue.split(',', false, headers);
     176    for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) {
     177        String strippedHeader = headers[headerCount].stripWhiteSpace();
     178        if (!strippedHeader.isEmpty())
     179            headerSet.add(strippedHeader);
     180    }
     181}
     182
    174183} // namespace WebCore
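Review bot: parseAccessControlExposeHeadersAllowList inserts every comma-separated item verbatim after stripWhiteSpace(), with no check that it is an HTTP token, so an item such as `*` or `"X-Foo"` (with quotes) lands in the set as-is. That is safe, because such an entry can never equal a real response header name and therefore exposes nothing, but say so in a comment; a reader may otherwise assume `*` acts as a wildcard. An early `if (headerValue.isEmpty()) return;` would also skip the split() and the Vector allocation on the common case where the response carries no Access-Control-Expose-Headers header at all.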
  • trunk/Source/WebCore/loader/CrossOriginAccessControl.h

    r93886 r105076  
    3131#include "ResourceRequest.h"
    3232#include <wtf/Forward.h>
     33#include <wtf/HashSet.h>
    3334
    3435namespace WebCore {
     36
     37typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;
    3538
    3639class HTTPHeaderMap;
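Review bot: the new `typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;` names CaseFoldingHash, but the only include added here is <wtf/HashSet.h>; <wtf/Forward.h> does not declare it, so the header is relying on ResourceRequest.h pulling the definition in transitively. Include <wtf/text/StringHash.h> explicitly so the typedef keeps compiling if that transitive include changes.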
     
    4750
    4851bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
     52void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
    4953
    5054} // namespace WebCore
  • trunk/Source/WebCore/xml/XMLHttpRequest.cpp

    r103675 r105076  
    893893    StringBuilder stringBuilder;
    894894
     895    HTTPHeaderSet accessControlExposeHeaderSet;
     896    parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-Control-Expose-Headers"), accessControlExposeHeaderSet);
    895897    HTTPHeaderMap::const_iterator end = m_response.httpHeaderFields().end();
    896898    for (HTTPHeaderMap::const_iterator it = m_response.httpHeaderFields().begin(); it!= end; ++it) {
     
    904906            continue;
    905907
    906         if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it->first))
     908        if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it->first) && !accessControlExposeHeaderSet.contains(it->first))
    907909            continue;
    908910
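Review bot: the expose-header set is parsed before the loop on every call, including same-origin requests, where the condition at line 908 never consults it; gate the parse on `!m_sameOriginRequest`, or build the set once when the response arrives rather than on each getAllResponseHeaders() call. The placement of the new `contains` clause is right: it sits after the existing `continue` at line 906, so whatever that earlier filter removes stays hidden even if the server names it in Access-Control-Expose-Headers. That ordering is load-bearing and deserves a comment so it survives future reshuffling.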
     
    930932        return String();
    931933    }
    932 
    933     if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name)) {
     934   
     935    HTTPHeaderSet accessControlExposeHeaderSet;
     936    parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-Control-Expose-Headers"), accessControlExposeHeaderSet);
     937
     938    if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name) && !accessControlExposeHeaderSet.contains(name)) {
    934939        logConsoleError(scriptExecutionContext(), "Refused to get unsafe header \"" + name + "\"");
    935940        return String();
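Review bot: added line 934 is whitespace-only (it contains trailing spaces), which WebKit style rejects; make it an empty line. The two-line parse at 935-936 is also duplicated verbatim from getAllResponseHeaders() and again runs for same-origin requests, where line 938 never uses the result; pull it into one helper that reads `m_response.httpHeaderField("Access-Control-Expose-Headers")` once, and call it only under `!m_sameOriginRequest`, since getResponseHeader() is called from script in tight loops and re-splitting the header on every call is wasted work.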