Changeset 258660 in webkit
- Timestamp:
- Mar 18, 2020 12:40:23 PM (4 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 3 edited
trunk/Source/WebCore/ChangeLog
r258655 r258660 1 2020-03-18 Youenn Fablet <youenn@apple.com> 2 3 CrossOriginPreflightResultCacheItem::allows methods should not use out parameters 4 https://bugs.webkit.org/show_bug.cgi?id=209224 5 6 Reviewed by Alex Christensen. 7 8 Instead of having an out parameter for the error description, either return whether there is an error or not. 9 Covered by existing tests. 10 11 * loader/CrossOriginPreflightResultCache.cpp: 12 (WebCore::CrossOriginPreflightResultCacheItem::validateMethodAndHeaders const): 13 (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): 14 (WebCore::CrossOriginPreflightResultCacheItem::validateCrossOriginHeaders const): 15 (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): 16 (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): Deleted. 17 * loader/CrossOriginPreflightResultCache.h: 18 1 19 2020-03-18 Peng Liu <peng.liu6@apple.com> 2 20 -
trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
r258631 r258660 75 75 Optional<String> CrossOriginPreflightResultCacheItem::validateMethodAndHeaders(const String& method, const HTTPHeaderMap& requestHeaders) const 76 76 { 77 String errorDescription;78 if (!allowsCrossOriginMethod(method, m_storedCredentialsPolicy, errorDescription))79 return WTFMove(errorDescription); 80 if ( !allowsCrossOriginHeaders(requestHeaders, m_storedCredentialsPolicy, errorDescription))81 return WTFMove(errorDescription);77 if (!allowsCrossOriginMethod(method, m_storedCredentialsPolicy)) 78 return makeString("Method ", method, " is not allowed by Access-Control-Allow-Methods."); 79 80 if (auto badHeader = validateCrossOriginHeaders(requestHeaders, m_storedCredentialsPolicy)) 81 return makeString("Request header field ", *badHeader, " is not allowed by Access-Control-Allow-Headers."); 82 82 return { }; 83 83 } 84 84 85 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy , String& errorDescription) const85 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy) const 86 86 { 87 if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method)) 88 return true; 89 90 errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods."; 91 return false; 87 return m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use) || isOnAccessControlSimpleRequestMethodWhitelist(method); 92 88 } 93 89 94 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const90 Optional<String> CrossOriginPreflightResultCacheItem::validateCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, 
StoredCredentialsPolicy storedCredentialsPolicy) const 95 91 { 96 92 bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy != StoredCredentialsPolicy::Use; … … 98 94 if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) 99 95 continue; 100 if (!m_headers.contains(header.key) && !validWildcard) { 101 errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; 102 return false; 103 } 96 if (!m_headers.contains(header.key) && !validWildcard) 97 return header.key; 104 98 } 105 return true;99 return { }; 106 100 } 107 101 108 102 bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentialsPolicy storedCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const 109 103 { 110 String ignoredExplanation;111 104 if (m_absoluteExpiryTime < MonotonicTime::now()) 112 105 return false; 113 106 if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) 114 107 return false; 115 if (!allowsCrossOriginMethod(method, storedCredentialsPolicy , ignoredExplanation))108 if (!allowsCrossOriginMethod(method, storedCredentialsPolicy)) 116 109 return false; 117 if ( !allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation))110 if (auto badHeader = validateCrossOriginHeaders(requestHeaders, storedCredentialsPolicy)) 118 111 return false; 119 112 return true; -
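Review bot: In `allowsRequest`, `if (auto badHeader = validateCrossOriginHeaders(requestHeaders, storedCredentialsPolicy)) return false;` binds `badHeader` and never reads it, and the branch is taken when the Optional is engaged, that is, when a header is rejected. That is the opposite sense to the `!allowsCrossOriginMethod(...)` check directly above it, so two adjacent checks in the same CORS decision now read with opposite polarity, and a later edit could easily invert one of them. Dropping the binding and adding a short comment would make the intent explicit: `// A returned header name means that header is not allowed.` above `if (validateCrossOriginHeaders(requestHeaders, storedCredentialsPolicy))`. The body of `allowsRequest` continues past the end of the section as shown.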
trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.h
r258631 r258660 51 51 52 52 private: 53 bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy , String& errorDescription) const;54 bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;53 bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy) const; 54 Optional<String> validateCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy) const; 55 55 56 56 // FIXME: A better solution to holding onto the absolute expiration time might be
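Review bot: The new declaration `Optional<String> validateCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy) const;` does not say what the returned string is, and the name does not reveal that an engaged value means the check failed. A one-line comment above it would guard against an inverted test in later callers: `// Returns the first request header name not allowed by this cached preflight result, or an empty Optional if all headers are allowed.` The enclosing class starts and ends outside the hunk.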