Home | History | Annotate | Download | only in loader 
      1 /*
      2  * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
     17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
     21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  *
     25  */
     26 
     27 #include "config.h"
     28 #include "core/loader/CrossOriginPreflightResultCache.h"
     29 
     30 #include "core/fetch/CrossOriginAccessControl.h"
     31 #include "platform/network/ResourceResponse.h"
     32 #include "wtf/CurrentTime.h"
     33 #include "wtf/MainThread.h"
     34 #include "wtf/StdLibExtras.h"
     35 
     36 namespace WebCore {
     37 
     38 // These values are at the discretion of the user agent.
     39 static const unsigned defaultPreflightCacheTimeoutSeconds = 5;
     40 static const unsigned maxPreflightCacheTimeoutSeconds = 600; // Should be short enough to minimize the risk of using a poisoned cache after switching to a secure network.
     41 
     42 static bool parseAccessControlMaxAge(const String& string, unsigned& expiryDelta)
     43 {
     44     // FIXME: this will not do the correct thing for a number starting with a '+'
     45     bool ok = false;
     46     expiryDelta = string.toUIntStrict(&ok);
     47     return ok;
     48 }
     49 
     50 template<class HashType>
     51 static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
     52 {
     53     StringImpl* stringImpl = string.impl();
     54     if (!stringImpl)
     55         return;
     56 
     57     // Skip white space from start.
     58     while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
     59         ++start;
     60 
     61     // only white space
     62     if (start > end)
     63         return;
     64 
     65     // Skip white space from end.
     66     while (end && isSpaceOrNewline((*stringImpl)[end]))
     67         --end;
     68 
     69     set.add(string.substring(start, end - start + 1));
     70 }
     71 
     72 template<class HashType>
     73 static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)
     74 {
     75     unsigned start = 0;
     76     size_t end;
     77     while ((end = string.find(',', start)) != kNotFound) {
     78         if (start != end)
     79             addToAccessControlAllowList(string, start, end - 1, set);
     80         start = end + 1;
     81     }
     82     if (start != string.length())
     83         addToAccessControlAllowList(string, start, string.length() - 1, set);
     84 
     85     return true;
     86 }
     87 
     88 bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription)
     89 {
     90     m_methods.clear();
     91     if (!parseAccessControlAllowList(response.httpHeaderField("Access-Control-Allow-Methods"), m_methods)) {
     92         errorDescription = "Cannot parse Access-Control-Allow-Methods response header field.";
     93         return false;
     94     }
     95 
     96     m_headers.clear();
     97     if (!parseAccessControlAllowList(response.httpHeaderField("Access-Control-Allow-Headers"), m_headers)) {
     98         errorDescription = "Cannot parse Access-Control-Allow-Headers response header field.";
     99         return false;
    100     }
    101 
    102     unsigned expiryDelta;
    103     if (parseAccessControlMaxAge(response.httpHeaderField("Access-Control-Max-Age"), expiryDelta)) {
    104         if (expiryDelta > maxPreflightCacheTimeoutSeconds)
    105             expiryDelta = maxPreflightCacheTimeoutSeconds;
    106     } else
    107         expiryDelta = defaultPreflightCacheTimeoutSeconds;
    108 
    109     m_absoluteExpiryTime = currentTime() + expiryDelta;
    110     return true;
    111 }
    112 
    113 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const
    114 {
    115     if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method))
    116         return true;
    117 
    118     errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods.";
    119     return false;
    120 }
    121 
    122 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const
    123 {
    124     HTTPHeaderMap::const_iterator end = requestHeaders.end();
    125     for (HTTPHeaderMap::const_iterator it = requestHeaders.begin(); it != end; ++it) {
    126         if (!m_headers.contains(it->key) && !isOnAccessControlSimpleRequestHeaderWhitelist(it->key, it->value)) {
    127             errorDescription = "Request header field " + it->key.string() + " is not allowed by Access-Control-Allow-Headers.";
    128             return false;
    129         }
    130     }
    131     return true;
    132 }
    133 
    134 bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentials includeCredentials, const String& method, const HTTPHeaderMap& requestHeaders) const
    135 {
    136     String ignoredExplanation;
    137     if (m_absoluteExpiryTime < currentTime())
    138         return false;
    139     if (includeCredentials == AllowStoredCredentials && m_credentials == DoNotAllowStoredCredentials)
    140         return false;
    141     if (!allowsCrossOriginMethod(method, ignoredExplanation))
    142         return false;
    143     if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation))
    144         return false;
    145     return true;
    146 }
    147 
    148 CrossOriginPreflightResultCache& CrossOriginPreflightResultCache::shared()
    149 {
    150     DEFINE_STATIC_LOCAL(CrossOriginPreflightResultCache, cache, ());
    151     ASSERT(isMainThread());
    152     return cache;
    153 }
    154 
    155 void CrossOriginPreflightResultCache::appendEntry(const String& origin, const KURL& url, PassOwnPtr<CrossOriginPreflightResultCacheItem> preflightResult)
    156 {
    157     ASSERT(isMainThread());
    158     m_preflightHashMap.set(std::make_pair(origin, url), preflightResult);
    159 }
    160 
    161 bool CrossOriginPreflightResultCache::canSkipPreflight(const String& origin, const KURL& url, StoredCredentials includeCredentials, const String& method, const HTTPHeaderMap& requestHeaders)
    162 {
    163     ASSERT(isMainThread());
    164     CrossOriginPreflightResultHashMap::iterator cacheIt = m_preflightHashMap.find(std::make_pair(origin, url));
    165     if (cacheIt == m_preflightHashMap.end())
    166         return false;
    167 
    168     if (cacheIt->value->allowsRequest(includeCredentials, method, requestHeaders))
    169         return true;
    170 
    171     m_preflightHashMap.remove(cacheIt);
    172     return false;
    173 }
    174 
    175 } // namespace WebCore
    176