Changeset 86980 in webkit


Timestamp:
May 20, 2011 1:58:34 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-05-20 Adam Barth <abarth@webkit.org>

Reviewed by Alexey Proskuryakov.

Factor CORS request preparation out of DocumentThreadableLoader
https://bugs.webkit.org/show_bug.cgi?id=61209

DocumentThreadableLoader has two jobs:

1) Proxy loads between threads.
2) Run the CORS state machine.

This patch begins the work of separating those concerns, allowing CORS
to be used elsewhere in the loading pipeline. In particular, this
patch moves knowledge of how to prepare CORS requests out of
DocumentThreadableLoader.

  • loader/CrossOriginAccessControl.cpp: (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): (WebCore::updateRequestForAccessControl): (WebCore::createAccessControlPreflightRequest):
  • loader/CrossOriginAccessControl.h:
  • loader/DocumentThreadableLoader.cpp: (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight):
Location:
trunk/Source/WebCore
Files:
4 edited

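--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,29 @@
+2011-05-20  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Factor CORS request preparation out of DocumentThreadableLoader
+        https://bugs.webkit.org/show_bug.cgi?id=61209
+
+        DocumentThreadableLoader has two jobs:
+
+        1) Proxy loads between threads.
+        2) Run the CORS state machine.
+
+        This patch begins the work of separating those concerns, allowing CORS
+        to be used elsewhere in the loading pipeline.  In particular, this
+        patch moves knowledge of how to prepare CORS requests out of
+        DocumentThreadableLoder.
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist):
+        (WebCore::updateRequestForAccessControl):
+        (WebCore::createAccessControlPreflightRequest):
+        * loader/CrossOriginAccessControl.h:
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
+        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight):
+
 2011-05-20  Rob Buis  <rbuis@rim.com>
 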
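--- a/trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
+++ b/trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
@@ -44,5 +44,8 @@
 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value)
 {
-    if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language"))
+    if (equalIgnoringCase(name, "accept")
+        || equalIgnoringCase(name, "accept-language")
+        || equalIgnoringCase(name, "content-language")
+        || equalIgnoringCase(name, "origin"))
         return true;
 
@@ -94,4 +97,40 @@
 }
 
+void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, bool allowCredentials)
+{
+    request.removeCredentials();
+    request.setAllowCookies(allowCredentials);
+    request.setHTTPOrigin(securityOrigin->toString());
+}
+
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin, bool allowCredentials)
+{
+    ResourceRequest preflightRequest(request.url());
+    updateRequestForAccessControl(preflightRequest, securityOrigin, allowCredentials);
+    preflightRequest.setHTTPMethod("OPTIONS");
+    preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
+    preflightRequest.setPriority(request.priority());
+
+    const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
+
+    if (requestHeaderFields.size() > 0) {
+        Vector<UChar> headerBuffer;
+        HTTPHeaderMap::const_iterator it = requestHeaderFields.begin();
+        append(headerBuffer, it->first);
+        ++it;
+
+        HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
+        for (; it != end; ++it) {
+            headerBuffer.append(',');
+            headerBuffer.append(' ');
+            append(headerBuffer, it->first);
+        }
+
+        preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
+    }
+
+    return preflightRequest;
+}
+
 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
 {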
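Review bot: The Access-Control-Request-Headers value in createAccessControlPreflightRequest is built from every name in `request.httpHeaderFields()` with no filtering, so a header the loader itself stamped on the actual request is announced to the server as if the author had requested it. The DocumentThreadableLoader.cpp section of this changeset now runs updateRequestForAccessControl, which calls `setHTTPOrigin`, on the request before the preflight is created. If setHTTPOrigin stores Origin in the header map (the new "origin" whitelist entry suggests it does, but ResourceRequest is not visible here), the preflight would list Origin, and a server whose Access-Control-Allow-Headers omits it could refuse a request it accepted before. Skipping loader-set names while building the list, as sketched below, keeps the preflight limited to author-requested headers and removes the separate first-element step. Both new functions also dereference `securityOrigin` unchecked, so an `ASSERT(securityOrigin);` at the top of updateRequestForAccessControl would state that contract.

```cpp
    const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

    Vector<UChar> headerBuffer;
    HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
    for (HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); it != end; ++it) {
        // Origin is set by the loader, not requested by the author, so it is not announced.
        if (equalIgnoringCase(it->first, "origin"))
            continue;
        if (!headerBuffer.isEmpty()) {
            headerBuffer.append(',');
            headerBuffer.append(' ');
        }
        append(headerBuffer, it->first);
    }

    if (!headerBuffer.isEmpty())
        preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
    // … unchanged: return preflightRequest …
```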
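--- a/trunk/Source/WebCore/loader/CrossOriginAccessControl.h
+++ b/trunk/Source/WebCore/loader/CrossOriginAccessControl.h
@@ -28,18 +28,22 @@
 #define CrossOriginAccessControl_h
 
+#include "ResourceRequest.h"
 #include <wtf/Forward.h>
 
 namespace WebCore {
 
-    class HTTPHeaderMap;
-    class ResourceResponse;
-    class SecurityOrigin;
+class HTTPHeaderMap;
+class ResourceResponse;
+class SecurityOrigin;
 
-    bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
-    bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
-    bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value);
-    bool isOnAccessControlResponseHeaderWhitelist(const String&);
+bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
+bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
+bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value);
+bool isOnAccessControlResponseHeaderWhitelist(const String&);
 
-    bool passesAccessControlCheck(const ResourceResponse&, bool includeCredentials, SecurityOrigin*, String& errorDescription);
+void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, bool allowCredentials);
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*, bool allowCredentials);
+
+bool passesAccessControlCheck(const ResourceResponse&, bool includeCredentials, SecurityOrigin*, String& errorDescription);
 
 } // namespace WebCore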
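Review bot: The two new declarations carry no comment, yet updateRequestForAccessControl changes its argument in security-relevant ways that a caller outside DocumentThreadableLoader cannot read off the signature. A line above it would help, for example `// Removes credentials from the request, sets its cookie policy from allowCredentials and sets Origin from the SecurityOrigin, which must not be null.` A similar line above createAccessControlPreflightRequest could say that it returns a new OPTIONS request for the same URL and priority, prepared the same way. The added `#include "ResourceRequest.h"` is needed for the by-value return, at the cost of pulling that header into every file that includes this one.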
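--- a/trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
@@ -90,6 +90,5 @@
 
     OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request));
-    crossOriginRequest->removeCredentials();
-    crossOriginRequest->setAllowCookies(m_options.allowCredentials);
+    updateRequestForAccessControl(*crossOriginRequest, m_document->securityOrigin(), m_options.allowCredentials);
 
     if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
@@ -110,4 +109,5 @@
 
     // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
+    // FIXME: Consider allowing simple CORS requests to non-HTTP URLs.
     if (!request.url().protocolInHTTPFamily()) {
         m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));
@@ -115,40 +115,10 @@
     }
 
-    // Make a copy of the passed request so that we can modify some details.
-    ResourceRequest crossOriginRequest(request);
-    crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
-
-    loadRequest(crossOriginRequest, DoSecurityCheck);
+    loadRequest(request, DoSecurityCheck);
 }
 
 void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
 {
-    ResourceRequest preflightRequest(request.url());
-    preflightRequest.removeCredentials();
-    preflightRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
-    preflightRequest.setAllowCookies(m_options.allowCredentials);
-    preflightRequest.setHTTPMethod("OPTIONS");
-    preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
-
-    const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
-
-    if (requestHeaderFields.size() > 0) {
-        Vector<UChar> headerBuffer;
-        HTTPHeaderMap::const_iterator it = requestHeaderFields.begin();
-        append(headerBuffer, it->first);
-        ++it;
-
-        HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
-        for (; it != end; ++it) {
-            headerBuffer.append(',');
-            headerBuffer.append(' ');
-            append(headerBuffer, it->first);
-        }
-
-        preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
-    }
-
-    preflightRequest.setPriority(request.priority());
-
+    ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, m_document->securityOrigin(), m_options.allowCredentials);
     loadRequest(preflightRequest, DoSecurityCheck);
 }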
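Review bot: In the last hunk the simple-request path passes `request` straight to `loadRequest` and no longer sets Origin itself, so it is correct only when the caller has already run updateRequestForAccessControl on that request, as the constructor hunk at new line 92 does. That precondition is invisible at the call site. A debug check such as `ASSERT(!request.httpOrigin().isEmpty());` before `loadRequest(request, DoSecurityCheck);` would catch a later caller that skips the preparation step and sends a cross-origin request without Origin. The function this belongs to starts above the hunk; the ChangeLog names it as makeSimpleCrossOriginAccessRequest.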