Changeset 86980 in webkit
- Timestamp:
- May 20, 2011 1:58:34 PM (13 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 4 edited
trunk/Source/WebCore/ChangeLog
r86978 r86980 1 2011-05-20 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Alexey Proskuryakov. 4 5 Factor CORS request preparation out of DocumentThreadableLoader 6 https://bugs.webkit.org/show_bug.cgi?id=61209 7 8 DocumentThreadableLoader has two jobs: 9 10 1) Proxy loads between threads. 11 2) Run the CORS state machine. 12 13 This patch begins the work of separating those concerns, allowing CORS 14 to be used elsewhere in the loading pipeline. In particular, this 15 patch moves knowledge of how to prepare CORS requests out of 16 DocumentThreadableLoder. 17 18 * loader/CrossOriginAccessControl.cpp: 19 (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): 20 (WebCore::updateRequestForAccessControl): 21 (WebCore::createAccessControlPreflightRequest): 22 * loader/CrossOriginAccessControl.h: 23 * loader/DocumentThreadableLoader.cpp: 24 (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): 25 (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): 26 (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight): 27 1 28 2011-05-20 Rob Buis <rbuis@rim.com> 2 29 -
trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp
r86330 r86980 44 44 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value) 45 45 { 46 if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language")) 46 if (equalIgnoringCase(name, "accept") 47 || equalIgnoringCase(name, "accept-language") 48 || equalIgnoringCase(name, "content-language") 49 || equalIgnoringCase(name, "origin")) 47 50 return true; 48 51 … … 94 97 } 95 98 99 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, bool allowCredentials) 100 { 101 request.removeCredentials(); 102 request.setAllowCookies(allowCredentials); 103 request.setHTTPOrigin(securityOrigin->toString()); 104 } 105 106 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin, bool allowCredentials) 107 { 108 ResourceRequest preflightRequest(request.url()); 109 updateRequestForAccessControl(preflightRequest, securityOrigin, allowCredentials); 110 preflightRequest.setHTTPMethod("OPTIONS"); 111 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod()); 112 preflightRequest.setPriority(request.priority()); 113 114 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); 115 116 if (requestHeaderFields.size() > 0) { 117 Vector<UChar> headerBuffer; 118 HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); 119 append(headerBuffer, it->first); 120 ++it; 121 122 HTTPHeaderMap::const_iterator end = requestHeaderFields.end(); 123 for (; it != end; ++it) { 124 headerBuffer.append(','); 125 headerBuffer.append(' '); 126 append(headerBuffer, it->first); 127 } 128 129 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer)); 130 } 131 132 return preflightRequest; 133 } 134 96 135 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin, 
String& errorDescription) 97 136 { -
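Review bot: In `createAccessControlPreflightRequest`, the loop over `request.httpHeaderFields()` copies every header name into `Access-Control-Request-Headers`, and on the DocumentThreadableLoader path the request it receives has already been through `updateRequestForAccessControl`, which calls `setHTTPOrigin`. If `setHTTPOrigin` stores Origin as an ordinary header field (the new `"origin"` whitelist entry suggests it does, though the setter is not shown here), the preflight would start advertising `Origin` as if it were an author header. A server that validates that list strictly could then reject preflights it accepted before this change. I would skip the user-agent-set Origin when building the list and set the header only when something remains, as sketched below. A layout test pinning the exact `Access-Control-Request-Headers` value would guard this.

```cpp
    const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

    Vector<UChar> headerBuffer;
    HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
    for (HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); it != end; ++it) {
        // Origin is set by the user agent, not by the author; do not list it.
        if (equalIgnoringCase(it->first, "origin"))
            continue;
        if (!headerBuffer.isEmpty()) {
            headerBuffer.append(',');
            headerBuffer.append(' ');
        }
        append(headerBuffer, it->first);
    }

    if (!headerBuffer.isEmpty())
        preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));

    // … unchanged: return preflightRequest …
```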
trunk/Source/WebCore/loader/CrossOriginAccessControl.h
r75971 r86980 28 28 #define CrossOriginAccessControl_h 29 29 30 #include "ResourceRequest.h" 30 31 #include <wtf/Forward.h> 31 32 32 33 namespace WebCore { 33 34 34 35 36 35 class HTTPHeaderMap; 36 class ResourceResponse; 37 class SecurityOrigin; 37 38 38 39 40 41 39 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&); 40 bool isOnAccessControlSimpleRequestMethodWhitelist(const String&); 41 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value); 42 bool isOnAccessControlResponseHeaderWhitelist(const String&); 42 43 43 bool passesAccessControlCheck(const ResourceResponse&, bool includeCredentials, SecurityOrigin*, String& errorDescription); 44 void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, bool allowCredentials); 45 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*, bool allowCredentials); 46 47 bool passesAccessControlCheck(const ResourceResponse&, bool includeCredentials, SecurityOrigin*, String& errorDescription); 44 48 45 49 } // namespace WebCore -
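Review bot: The two new declarations become the shared entry points for CORS request preparation but carry no comment, and both take a raw `SecurityOrigin*` that the implementation in CrossOriginAccessControl.cpp dereferences unconditionally. A one-line contract above each would help callers outside DocumentThreadableLoader, e.g. `// Calls removeCredentials(), applies allowCredentials to cookies and sets Origin from securityOrigin (must be non-null).` for `updateRequestForAccessControl`. For `createAccessControlPreflightRequest`, something like `// Builds the OPTIONS preflight for |request| from its URL; the original's header values and body are not copied.` would do.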
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r86290 r86980 90 90 91 91 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request)); 92 crossOriginRequest->removeCredentials(); 93 crossOriginRequest->setAllowCookies(m_options.allowCredentials); 92 updateRequestForAccessControl(*crossOriginRequest, m_document->securityOrigin(), m_options.allowCredentials); 94 93 95 94 if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) … … 110 109 111 110 // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied. 111 // FIXME: Consider allowing simple CORS requests to non-HTTP URLs. 112 112 if (!request.url().protocolInHTTPFamily()) { 113 113 m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP.")); … … 115 115 } 116 116 117 // Make a copy of the passed request so that we can modify some details. 
118 ResourceRequest crossOriginRequest(request); 119 crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString()); 120 121 loadRequest(crossOriginRequest, DoSecurityCheck); 117 loadRequest(request, DoSecurityCheck); 122 118 } 123 119 124 120 void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request) 125 121 { 126 ResourceRequest preflightRequest(request.url()); 127 preflightRequest.removeCredentials(); 128 preflightRequest.setHTTPOrigin(m_document->securityOrigin()->toString()); 129 preflightRequest.setAllowCookies(m_options.allowCredentials); 130 preflightRequest.setHTTPMethod("OPTIONS"); 131 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod()); 132 133 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); 134 135 if (requestHeaderFields.size() > 0) { 136 Vector<UChar> headerBuffer; 137 HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); 138 append(headerBuffer, it->first); 139 ++it; 140 141 HTTPHeaderMap::const_iterator end = requestHeaderFields.end(); 142 for (; it != end; ++it) { 143 headerBuffer.append(','); 144 headerBuffer.append(' '); 145 append(headerBuffer, it->first); 146 } 147 148 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer)); 149 } 150 151 preflightRequest.setPriority(request.priority()); 152 122 ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, m_document->securityOrigin(), m_options.allowCredentials); 153 123 loadRequest(preflightRequest, DoSecurityCheck); 154 124 }
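Review bot: After this change `makeSimpleCrossOriginAccessRequest` passes its argument straight to `loadRequest(request, DoSecurityCheck)` and no longer sets Origin itself, so the header now depends on every caller having run `updateRequestForAccessControl` first. The constructor hunk does that, but the function's signature and any other call sites lie outside the visible hunks, so I cannot confirm it holds on all paths. Because the server's access decision is keyed on Origin, I would state the precondition where it is relied on, e.g. `// Caller must have applied updateRequestForAccessControl(); Origin is not set here.` followed by `ASSERT(!request.httpOrigin().isEmpty());`.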