Changeset 34504 in webkit

Timestamp:

Jun 11, 2008 10:15:27 PM (16 years ago)

Author:

abarth@webkit.org

Message:

WebCore:

2008-06-11 Adam Barth <​abarth@webkit.org>

Reviewed and tweaked by Sam Weinig.

Fix for ​https://bugs.webkit.org/show_bug.cgi?id=19242
Data URLs should set an Access-Control-Origin of "null"

Correctly generate "null" as the value of the Access-Control-Origin
header for cross-site XMLHttpRequests for data URLs.

Test: http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html

• platform/SecurityOrigin.cpp: (WebCore::SecurityOrigin::toString):
• xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::accessControlOrigin): (WebCore::XMLHttpRequest::crossSiteAccessRequest): (WebCore::XMLHttpRequest::handleAsynchronousMethodCheckResult):
• xml/XMLHttpRequest.h:

LayoutTests:

2008-06-11 Adam Barth <​abarth@webkit.org>

Reviewed and tweaked by Sam Weinig.

Test for ​https://bugs.webkit.org/show_bug.cgi?id=19242
Data URLs should set an Access-Control-Origin of "null"

Test that we correctly generate "null" as the value for the
Access-Control-Origin header when making requests from a data URL.

• http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url-expected.txt: Added.
• http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html: Added.
• http/tests/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url-expected.txt (added)
• LayoutTests/http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html (added)
• LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/platform/SecurityOrigin.cpp (modified) (1 diff)
• WebCore/xml/XMLHttpRequest.cpp (modified) (4 diffs)
• WebCore/xml/XMLHttpRequest.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-06-11  Adam Barth  <abarth@webkit.org>
+
+        Reviewed and tweaked by Sam Weinig.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=19242
+        Data URLs should set an Access-Control-Origin of "null"
+
+        Test that we correctly generate "null" as the value for the
+        Access-Control-Origin header when making requests from a data URL.
+
+        * http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html: Added.
+        * http/tests/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi:
+
 2008-06-11  Sam Weinig  <sam@webkit.org>
 

trunk/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-access-control-origin-header.cgi

@@ -3 +3 @@
 
 print "Content-Type: text/plain\n";
-print "Access-Control: allow <http://127.0.0.1:8000>\n\n";
+print "Access-Control: allow <*>\n\n";
 
 print "PASS: Cross-domain access allowed.\n";

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-06-11  Adam Barth  <abarth@webkit.org>
+
+        Reviewed and tweaked by Sam Weinig.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=19242
+        Data URLs should set an Access-Control-Origin of "null"
+
+        Correctly generate "null" as the value of the Access-Control-Origin
+        header for cross-site XMLHttpRequests for data URLs.
+
+        Test: http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html
+
+        * platform/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::toString):
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::accessControlOrigin):
+        (WebCore::XMLHttpRequest::crossSiteAccessRequest):
+        (WebCore::XMLHttpRequest::handleAsynchronousMethodCheckResult):
+        * xml/XMLHttpRequest.h:
+
 2008-06-11  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/platform/SecurityOrigin.cpp

@@ -192 +192 @@
         return String();
 
+    if (m_noAccess)
+        return String();
+
     if (m_protocol == "file")
         return String("file://");

trunk/WebCore/xml/XMLHttpRequest.cpp

@@ -462 +462 @@
 }
 
+String XMLHttpRequest::accessControlOrigin() const
+{
+    String accessControlOrigin = m_doc->securityOrigin()->toString();
+    if (accessControlOrigin.isEmpty())
+        return "null";
+    return accessControlOrigin;
+}
+
 void XMLHttpRequest::crossSiteAccessRequest(const String& body, ResourceRequest& request, ExceptionCode& ec)
 {
@@ -468 +476 @@
     url.setPass(String());
 
-    String accessControlOrigin = m_doc->securityOrigin()->toString();
+    String origin = accessControlOrigin();
 
     request.setURL(url);
     request.setHTTPMethod(m_method);
-    request.setHTTPHeaderField("Access-Control-Origin", accessControlOrigin);
+    request.setHTTPHeaderField("Access-Control-Origin", origin);
 
     if (m_method == "GET")
@@ -481 +489 @@
     preflightRequest.setURL(url);
     preflightRequest.setHTTPMethod("OPTIONS");
-    preflightRequest.setHTTPHeaderField("Access-Control-Origin", accessControlOrigin);
+    preflightRequest.setHTTPHeaderField("Access-Control-Origin", origin);
 
     if (m_async) {
@@ -503 +511 @@
     url.setPass(String());
 
-    String accessControlOrigin = m_doc->securityOrigin()->toString();
+    String origin = accessControlOrigin();
 
     ResourceRequest request;
     request.setURL(url);
     request.setHTTPMethod(m_method);
-    request.setHTTPHeaderField("Access-Control-Origin", accessControlOrigin);
+    request.setHTTPHeaderField("Access-Control-Origin", origin);
 
     loadRequestAsynchronously(request);

trunk/WebCore/xml/XMLHttpRequest.h

@@ -131 +131 @@
     void handleAsynchronousMethodCheckResult();
 
+    String accessControlOrigin() const;
+
     void genericError();
     void networkError();