1 /* 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 */ 26 27 #include "config.h" 28 #include "CrossOriginAccessControl.h" 29 30 #include "HTTPParsers.h" 31 #include "ResourceResponse.h" 32 #include "SecurityOrigin.h" 33 #include <wtf/HashSet.h> 34 #include <wtf/Threading.h> 35 #include <wtf/text/AtomicString.h> 36 37 namespace WebCore { 38 39 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method) 40 { 41 return method == "GET" || method == "HEAD" || method == "POST"; 42 } 43 44 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value) 45 { 46 if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language")) 47 return true; 48 49 // Preflight is required for MIME types that can not be sent via form submission. 50 if (equalIgnoringCase(name, "content-type")) { 51 String mimeType = extractMIMETypeFromMediaType(value); 52 return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded") 53 || equalIgnoringCase(mimeType, "multipart/form-data") 54 || equalIgnoringCase(mimeType, "text/plain"); 55 } 56 57 return false; 58 } 59 60 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap) 61 { 62 if (!isOnAccessControlSimpleRequestMethodWhitelist(method)) 63 return false; 64 65 HTTPHeaderMap::const_iterator end = headerMap.end(); 66 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { 67 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first, it->second)) 68 return false; 69 } 70 71 return true; 72 } 73 74 typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet; 75 static PassOwnPtr<HTTPHeaderSet> createAllowedCrossOriginResponseHeadersSet() 76 { 77 OwnPtr<HTTPHeaderSet> headerSet = adoptPtr(new HashSet<String, CaseFoldingHash>); 78 79 headerSet->add("cache-control"); 80 headerSet->add("content-language"); 81 headerSet->add("content-type"); 82 headerSet->add("expires"); 83 headerSet->add("last-modified"); 84 headerSet->add("pragma"); 85 86 return headerSet.release(); 87 } 88 89 bool isOnAccessControlResponseHeaderWhitelist(const String& name) 90 { 91 AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet().leakPtr()); 92 93 return allowedCrossOriginResponseHeaders->contains(name); 94 } 95 96 bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription) 97 { 98 // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent, 99 // even with Access-Control-Allow-Credentials set to true. 100 const String& accessControlOriginString = response.httpHeaderField("Access-Control-Allow-Origin"); 101 if (accessControlOriginString == "*" && !includeCredentials) 102 return true; 103 104 if (securityOrigin->isUnique()) { 105 errorDescription = "Cannot make any requests from " + securityOrigin->toString() + "."; 106 return false; 107 } 108 109 // FIXME: Access-Control-Allow-Origin can contain a list of origins. 110 RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString); 111 if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) { 112 errorDescription = (accessControlOriginString == "*") ? "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true." 113 : "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin."; 114 return false; 115 } 116 117 if (includeCredentials) { 118 const String& accessControlCredentialsString = response.httpHeaderField("Access-Control-Allow-Credentials"); 119 if (accessControlCredentialsString != "true") { 120 errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\"."; 121 return false; 122 } 123 } 124 125 return true; 126 } 127 128 } // namespace WebCore 129
