Home | History | Annotate | Download | only in loader 
      1 /*
      2  * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
     17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
     21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  *
     25  */
     26 
     27 #include "config.h"
     28 #include "core/loader/CrossOriginPreflightResultCache.h"
     29 
     30 #include "core/fetch/FetchUtils.h"
     31 #include "platform/network/ResourceResponse.h"
     32 #include "wtf/CurrentTime.h"
     33 #include "wtf/MainThread.h"
     34 #include "wtf/StdLibExtras.h"
     35 
     36 namespace blink {
     37 
     38 // These values are at the discretion of the user agent.
     39 static const unsigned defaultPreflightCacheTimeoutSeconds = 5;
     40 static const unsigned maxPreflightCacheTimeoutSeconds = 600; // Should be short enough to minimize the risk of using a poisoned cache after switching to a secure network.
     41 
     42 static bool parseAccessControlMaxAge(const String& string, unsigned& expiryDelta)
     43 {
     44     // FIXME: this will not do the correct thing for a number starting with a '+'
     45     bool ok = false;
     46     expiryDelta = string.toUIntStrict(&ok);
     47     return ok;
     48 }
     49 
     50 template<class HashType>
     51 static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
     52 {
     53     StringImpl* stringImpl = string.impl();
     54     if (!stringImpl)
     55         return;
     56 
     57     // Skip white space from start.
     58     while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
     59         ++start;
     60 
     61     // only white space
     62     if (start > end)
     63         return;
     64 
     65     // Skip white space from end.
     66     while (end && isSpaceOrNewline((*stringImpl)[end]))
     67         --end;
     68 
     69     set.add(string.substring(start, end - start + 1));
     70 }
     71 
     72 template<class HashType>
     73 static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)
     74 {
     75     unsigned start = 0;
     76     size_t end;
     77     while ((end = string.find(',', start)) != kNotFound) {
     78         if (start != end)
     79             addToAccessControlAllowList(string, start, end - 1, set);
     80         start = end + 1;
     81     }
     82     if (start != string.length())
     83         addToAccessControlAllowList(string, start, string.length() - 1, set);
     84 
     85     return true;
     86 }
     87 
     88 bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription)
     89 {
     90     m_methods.clear();
     91     if (!parseAccessControlAllowList(response.httpHeaderField("Access-Control-Allow-Methods"), m_methods)) {
     92         errorDescription = "Cannot parse Access-Control-Allow-Methods response header field.";
     93         return false;
     94     }
     95 
     96     m_headers.clear();
     97     if (!parseAccessControlAllowList(response.httpHeaderField("Access-Control-Allow-Headers"), m_headers)) {
     98         errorDescription = "Cannot parse Access-Control-Allow-Headers response header field.";
     99         return false;
    100     }
    101 
    102     unsigned expiryDelta;
    103     if (parseAccessControlMaxAge(response.httpHeaderField("Access-Control-Max-Age"), expiryDelta)) {
    104         if (expiryDelta > maxPreflightCacheTimeoutSeconds)
    105             expiryDelta = maxPreflightCacheTimeoutSeconds;
    106     } else {
    107         expiryDelta = defaultPreflightCacheTimeoutSeconds;
    108     }
    109 
    110     m_absoluteExpiryTime = currentTime() + expiryDelta;
    111     return true;
    112 }
    113 
    114 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const
    115 {
    116     if (m_methods.contains(method) || FetchUtils::isSimpleMethod(method))
    117         return true;
    118 
    119     errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods.";
    120     return false;
    121 }
    122 
    123 bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const
    124 {
    125     HTTPHeaderMap::const_iterator end = requestHeaders.end();
    126     for (HTTPHeaderMap::const_iterator it = requestHeaders.begin(); it != end; ++it) {
    127         if (!m_headers.contains(it->key) && !FetchUtils::isSimpleHeader(it->key, it->value) && !FetchUtils::isForbiddenHeaderName(it->key)) {
    128             errorDescription = "Request header field " + it->key.string() + " is not allowed by Access-Control-Allow-Headers.";
    129             return false;
    130         }
    131     }
    132     return true;
    133 }
    134 
    135 bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentials includeCredentials, const String& method, const HTTPHeaderMap& requestHeaders) const
    136 {
    137     String ignoredExplanation;
    138     if (m_absoluteExpiryTime < currentTime())
    139         return false;
    140     if (includeCredentials == AllowStoredCredentials && m_credentials == DoNotAllowStoredCredentials)
    141         return false;
    142     if (!allowsCrossOriginMethod(method, ignoredExplanation))
    143         return false;
    144     if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation))
    145         return false;
    146     return true;
    147 }
    148 
    149 CrossOriginPreflightResultCache& CrossOriginPreflightResultCache::shared()
    150 {
    151     DEFINE_STATIC_LOCAL(CrossOriginPreflightResultCache, cache, ());
    152     ASSERT(isMainThread());
    153     return cache;
    154 }
    155 
    156 void CrossOriginPreflightResultCache::appendEntry(const String& origin, const KURL& url, PassOwnPtr<CrossOriginPreflightResultCacheItem> preflightResult)
    157 {
    158     ASSERT(isMainThread());
    159     m_preflightHashMap.set(std::make_pair(origin, url), preflightResult);
    160 }
    161 
    162 bool CrossOriginPreflightResultCache::canSkipPreflight(const String& origin, const KURL& url, StoredCredentials includeCredentials, const String& method, const HTTPHeaderMap& requestHeaders)
    163 {
    164     ASSERT(isMainThread());
    165     CrossOriginPreflightResultHashMap::iterator cacheIt = m_preflightHashMap.find(std::make_pair(origin, url));
    166     if (cacheIt == m_preflightHashMap.end())
    167         return false;
    168 
    169     if (cacheIt->value->allowsRequest(includeCredentials, method, requestHeaders))
    170         return true;
    171 
    172     m_preflightHashMap.remove(cacheIt);
    173     return false;
    174 }
    175 
    176 } // namespace blink
    177