Changeset 105076 in webkit
- Timestamp:
- Jan 16, 2012 10:42:03 AM (12 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 5 edited
trunk/LayoutTests/ChangeLog
r105073 r105076 1 2012-01-16 Joe Thomas <joethomas@motorola.com> 2 3 https://bugs.webkit.org/show_bug.cgi?id=41210 4 Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header 5 6 Added test cases for Access-Control-Expose-Headers 7 8 Reviewed by Alexey Proskuryakov. 9 10 * http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt: Added. 11 * http/tests/xmlhttprequest/access-control-response-with-expose-headers.html: Added. 12 * http/tests/xmlhttprequest/resources/access-control-response-with-expose-headers.php: Added. 13 1 14 2012-01-16 Alexander Pavlov <apavlov@chromium.org> 2 15 -
trunk/Source/WebCore/ChangeLog
r105071 r105076 1 2012-01-16 Joe Thomas <joethomas@motorola.com> 2 3 https://bugs.webkit.org/show_bug.cgi?id=41210 4 Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header 5 6 Parsing the "Access-Control-Expose-Headers" in the XMLHTTPRequest response header. 7 If the custom response-header is part of Access-Control-Expose-Headers, then consider that custom response-header as a valid one. 8 9 Reviewed by Alexey Proskuryakov. 10 11 Test: http/tests/xmlhttprequest/access-control-response-with-expose-headers.html 12 13 * loader/CrossOriginAccessControl.cpp: 14 (WebCore::parseAccessControlExposeHeadersAllowList): parsing logic of Access-Control-Expose-Headers 15 * loader/CrossOriginAccessControl.h: 16 * xml/XMLHttpRequest.cpp: 17 (WebCore::XMLHttpRequest::getAllResponseHeaders): checking whether the custom response-header is part of "Access-Control-Expose-Headers" 18 (WebCore::XMLHttpRequest::getResponseHeader): checking whether the custom response-header is part of "Access-Control-Expose-Headers" 19 1 20 2012-01-16 Pavel Feldman <pfeldman@google.com> 2 21 -
trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
r95903 r105076 31 31 #include "ResourceResponse.h" 32 32 #include "SecurityOrigin.h" 33 #include <wtf/HashSet.h>34 33 #include <wtf/Threading.h> 35 34 #include <wtf/text/AtomicString.h> … … 77 76 } 78 77 79 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;80 78 static PassOwnPtr<HTTPHeaderSet> createAllowedCrossOriginResponseHeadersSet() 81 79 { … … 172 170 } 173 171 172 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet) 173 { 174 Vector<String> headers; 175 headerValue.split(',', false, headers); 176 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) { 177 String strippedHeader = headers[headerCount].stripWhiteSpace(); 178 if (!strippedHeader.isEmpty()) 179 headerSet.add(strippedHeader); 180 } 181 } 182 174 183 } // namespace WebCore -
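Review bot: parseAccessControlExposeHeadersAllowList adds every non-empty, whitespace-stripped comma-separated token to headerSet without checking that it is a valid HTTP field-name token, so a malformed entry (for example one containing an embedded space or a non-token character) is stored as-is rather than dropped. Because the set is only consulted through a case-folded equality lookup this cannot expose a header that was not literally named, but the contract is worth stating on the new public function, e.g. `// Splits the Access-Control-Expose-Headers value on ',' and adds each trimmed, non-empty entry to headerSet. Entries are matched case-insensitively (CaseFoldingHash) and are not validated as HTTP field-name tokens.` The same comment should be mirrored on the declaration in CrossOriginAccessControl.h.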
trunk/Source/WebCore/loader/CrossOriginAccessControl.h
r93886 r105076 31 31 #include "ResourceRequest.h" 32 32 #include <wtf/Forward.h> 33 #include <wtf/HashSet.h> 33 34 34 35 namespace WebCore { 36 37 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; 35 38 36 39 class HTTPHeaderMap; … … 47 50 48 51 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription); 52 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&); 49 53 50 54 } // namespace WebCore -
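Review bot: The new `HTTPHeaderSet` typedef names `String` and `CaseFoldingHash`, but the header only adds `<wtf/HashSet.h>` next to the existing `<wtf/Forward.h>`; `CaseFoldingHash` is defined in wtf/text/StringHash.h, so this appears to rely on a transitive include from whichever file happens to include this header first. Adding `#include <wtf/text/StringHash.h>` alongside the new include would make the header self-contained. The declaration `void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);` would also benefit from a one-line comment saying that it fills the set with the trimmed, comma-separated entries of the Access-Control-Expose-Headers value and performs no token validation.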
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r103675 r105076 893 893 StringBuilder stringBuilder; 894 894 895 HTTPHeaderSet accessControlExposeHeaderSet; 896 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-Control-Expose-Headers"), accessControlExposeHeaderSet); 895 897 HTTPHeaderMap::const_iterator end = m_response.httpHeaderFields().end(); 896 898 for (HTTPHeaderMap::const_iterator it = m_response.httpHeaderFields().begin(); it!= end; ++it) { … … 904 906 continue; 905 907 906 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it->first) )908 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(it->first) && !accessControlExposeHeaderSet.contains(it->first)) 907 909 continue; 908 910 … … 930 932 return String(); 931 933 } 932 933 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name)) { 934 935 HTTPHeaderSet accessControlExposeHeaderSet; 936 parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField("Access-Control-Expose-Headers"), accessControlExposeHeaderSet); 937 938 if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name) && !accessControlExposeHeaderSet.contains(name)) { 934 939 logConsoleError(scriptExecutionContext(), "Refused to get unsafe header \"" + name + "\""); 935 940 return String();
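Review bot: The Access-Control-Expose-Headers value is re-split into a fresh `HTTPHeaderSet` on every call, and the identical two-line parse is duplicated in both getAllResponseHeaders and getResponseHeader, so a script that calls getResponseHeader in a loop re-parses the same response header each time. Since `m_response` does not change after the response is received, parsing the list once (for example when the response headers are set, or lazily behind a small private accessor) and sharing it between the two callers would remove the duplication; at the same time the new lookup is only reached when `!m_sameOriginRequest`, which is correct and worth a short comment such as `// Cross-origin: a header is readable only if it is on the built-in safe list or was explicitly exposed by the server.` The `continue`/`return String()` lines just above each changed condition appear to be the existing filtering of forbidden response headers, and the new exposed-header check must stay after them so a server cannot expose those via this list; confirm against the lines outside the hunk. Both enclosing functions start and end outside this hunk.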