1 /* 2 * Copyright (C) 2008 Apple Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 */ 26 27 #include "config.h" 28 #include "core/loader/CrossOriginAccessControl.h" 29 30 #include "core/platform/network/HTTPParsers.h" 31 #include "core/platform/network/ResourceRequest.h" 32 #include "core/platform/network/ResourceResponse.h" 33 #include "weborigin/SecurityOrigin.h" 34 #include "wtf/Threading.h" 35 #include "wtf/text/AtomicString.h" 36 #include "wtf/text/StringBuilder.h" 37 38 namespace WebCore { 39 40 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method) 41 { 42 return method == "GET" || method == "HEAD" || method == "POST"; 43 } 44 45 bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value) 46 { 47 if (equalIgnoringCase(name, "accept") 48 || equalIgnoringCase(name, "accept-language") 49 || equalIgnoringCase(name, "content-language") 50 || equalIgnoringCase(name, "origin") 51 || equalIgnoringCase(name, "referer")) 52 return true; 53 54 // Preflight is required for MIME types that can not be sent via form submission. 55 if (equalIgnoringCase(name, "content-type")) { 56 String mimeType = extractMIMETypeFromMediaType(value); 57 return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded") 58 || equalIgnoringCase(mimeType, "multipart/form-data") 59 || equalIgnoringCase(mimeType, "text/plain"); 60 } 61 62 return false; 63 } 64 65 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap) 66 { 67 if (!isOnAccessControlSimpleRequestMethodWhitelist(method)) 68 return false; 69 70 HTTPHeaderMap::const_iterator end = headerMap.end(); 71 for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) { 72 if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) 73 return false; 74 } 75 76 return true; 77 } 78 79 static PassOwnPtr<HTTPHeaderSet> createAllowedCrossOriginResponseHeadersSet() 80 { 81 OwnPtr<HTTPHeaderSet> headerSet = adoptPtr(new HashSet<String, CaseFoldingHash>); 82 83 headerSet->add("cache-control"); 84 headerSet->add("content-language"); 85 headerSet->add("content-type"); 86 headerSet->add("expires"); 87 headerSet->add("last-modified"); 88 headerSet->add("pragma"); 89 90 return headerSet.release(); 91 } 92 93 bool isOnAccessControlResponseHeaderWhitelist(const String& name) 94 { 95 AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet().leakPtr()); 96 97 return allowedCrossOriginResponseHeaders->contains(name); 98 } 99 100 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials) 101 { 102 request.removeCredentials(); 103 request.setAllowCookies(allowCredentials == AllowStoredCredentials); 104 105 if (securityOrigin) 106 request.setHTTPOrigin(securityOrigin->toString()); 107 } 108 109 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin) 110 { 111 ResourceRequest preflightRequest(request.url()); 112 updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials); 113 preflightRequest.setHTTPMethod("OPTIONS"); 114 preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod()); 115 preflightRequest.setPriority(request.priority()); 116 117 const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields(); 118 119 if (requestHeaderFields.size() > 0) { 120 StringBuilder headerBuffer; 121 HTTPHeaderMap::const_iterator it = requestHeaderFields.begin(); 122 headerBuffer.append(it->key); 123 ++it; 124 125 HTTPHeaderMap::const_iterator end = requestHeaderFields.end(); 126 for (; it != end; ++it) { 127 headerBuffer.append(','); 128 headerBuffer.append(' '); 129 headerBuffer.append(it->key); 130 } 131 132 preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", headerBuffer.toString().lower()); 133 } 134 135 return preflightRequest; 136 } 137 138 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription) 139 { 140 AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)); 141 AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral)); 142 143 // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent, 144 // even with Access-Control-Allow-Credentials set to true. 145 const String& accessControlOriginString = response.httpHeaderField(accessControlAllowOrigin); 146 if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials) 147 return true; 148 149 // FIXME: Access-Control-Allow-Origin can contain a list of origins. 150 if (accessControlOriginString != securityOrigin->toString()) { 151 if (accessControlOriginString == "*") 152 errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."; 153 else 154 errorDescription = "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin."; 155 return false; 156 } 157 158 if (includeCredentials == AllowStoredCredentials) { 159 const String& accessControlCredentialsString = response.httpHeaderField(accessControlAllowCredentials); 160 if (accessControlCredentialsString != "true") { 161 errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\"."; 162 return false; 163 } 164 } 165 166 return true; 167 } 168 169 bool passesPreflightStatusCheck(const ResourceResponse& response, String& errorDescription) 170 { 171 if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 400) { 172 errorDescription = "Invalid HTTP status code " + String::number(response.httpStatusCode()); 173 return false; 174 } 175 176 return true; 177 } 178 179 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet) 180 { 181 Vector<String> headers; 182 headerValue.split(',', false, headers); 183 for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) { 184 String strippedHeader = headers[headerCount].stripWhiteSpace(); 185 if (!strippedHeader.isEmpty()) 186 headerSet.add(strippedHeader); 187 } 188 } 189 190 } // namespace WebCore 191