Source/WebCore/loader/CrossOriginAccessControl.cpp - WebKit - Git at Google

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */

 #include "config.h"
 #include "CrossOriginAccessControl.h"

 #include "HTTPHeaderNames.h"
 #include "HTTPParsers.h"
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
 #include "SchemeRegistry.h"
 #include "SecurityOrigin.h"
 #include <mutex>
 #include <wtf/NeverDestroyed.h>
 #include <wtf/text/AtomicString.h>
 #include <wtf/text/StringBuilder.h>

 namespace WebCore {

 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
 {
     return method == "GET" || method == "HEAD" || method == "POST";
 }

 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
 {
     if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
         return false;

     for (const auto& header : headerMap) {
         if (!header.keyAsHTTPHeaderName || !isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
             return false;
     }

     return true;
 }

 bool isOnAccessControlResponseHeaderWhitelist(const String& name)
 {
     static std::once_flag onceFlag;
     static LazyNeverDestroyed<HTTPHeaderSet> allowedCrossOriginResponseHeaders;

     std::call_once(onceFlag, []{
         allowedCrossOriginResponseHeaders.construct<std::initializer_list<String>>({
             "cache-control",
             "content-language",
             "content-type",
             "expires",
             "last-modified",
             "pragma"
         });
     });

     return allowedCrossOriginResponseHeaders.get().contains(name);
 }

 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials)
 {
     request.removeCredentials();
     request.setAllowCookies(allowCredentials == AllowStoredCredentials);
     request.setHTTPOrigin(securityOrigin.toString());
 }

 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin, const String& referrer)
 {
     ResourceRequest preflightRequest(request.url());
     static const double platformDefaultTimeout = 0;
     preflightRequest.setTimeoutInterval(platformDefaultTimeout);
     updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
     preflightRequest.setHTTPMethod("OPTIONS");
     preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod());
     preflightRequest.setPriority(request.priority());
     if (!referrer.isNull())
         preflightRequest.setHTTPReferrer(referrer);

     const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

     if (!requestHeaderFields.isEmpty()) {
         Vector<String> unsafeHeaders;
         for (const auto& headerField : requestHeaderFields.commonHeaders()) {
             if (!isCrossOriginSafeRequestHeader(headerField.key, headerField.value))
                 unsafeHeaders.append(httpHeaderNameString(headerField.key).toStringWithoutCopying().convertToASCIILowercase());
         }
         for (const auto& headerField : requestHeaderFields.uncommonHeaders())
             unsafeHeaders.append(headerField.key.convertToASCIILowercase());

         std::sort(unsafeHeaders.begin(), unsafeHeaders.end(), WTF::codePointCompareLessThan);

         StringBuilder headerBuffer;

         bool appendComma = false;
         for (const auto& headerField : unsafeHeaders) {
             if (appendComma)
                 headerBuffer.append(',');
             else
                 appendComma = true;

             headerBuffer.append(headerField);
         }
         preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString());
     }

     return preflightRequest;
 }

 bool isValidCrossOriginRedirectionURL(const URL& redirectURL)
 {
     return SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(redirectURL.protocol().toStringWithoutCopying())
         && redirectURL.user().isEmpty()
         && redirectURL.pass().isEmpty();
 }

 void cleanRedirectedRequestForAccessControl(ResourceRequest& request)
 {
     // Remove headers that may have been added by the network layer that cause access control to fail.
     request.clearHTTPContentType();
     request.clearHTTPReferrer();
     request.clearHTTPOrigin();
     request.clearHTTPUserAgent();
     request.clearHTTPAccept();
     request.clearHTTPAcceptEncoding();
 }

 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription)
 {
     // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
     // even with Access-Control-Allow-Credentials set to true.
     const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
     if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
         return true;

     // FIXME: Access-Control-Allow-Origin can contain a list of origins.
     if (accessControlOriginString != securityOrigin.toString()) {
         if (accessControlOriginString == "*")
             errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
         else
             errorDescription =  "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin.";
         return false;
     }

     if (includeCredentials == AllowStoredCredentials) {
         const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials);
         if (accessControlCredentialsString != "true") {
             errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
             return false;
         }
     }

     return true;
 }

 } // namespace WebCore
	/*
	* Copyright (C) 2008 Apple Inc. All Rights Reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* 1. Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* 2. Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in the
	* documentation and/or other materials provided with the distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
	* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
	* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
	* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
	* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	*
	*/

	#include "config.h"
	#include "CrossOriginAccessControl.h"

	#include "HTTPHeaderNames.h"
	#include "HTTPParsers.h"
	#include "ResourceRequest.h"
	#include "ResourceResponse.h"
	#include "SchemeRegistry.h"
	#include "SecurityOrigin.h"
	#include <mutex>
	#include <wtf/NeverDestroyed.h>
	#include <wtf/text/AtomicString.h>
	#include <wtf/text/StringBuilder.h>

	namespace WebCore {

	bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
	{
	return method == "GET" \|\| method == "HEAD" \|\| method == "POST";
	}

	bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
	{
	if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
	return false;

	for (const auto& header : headerMap) {
	if (!header.keyAsHTTPHeaderName \|\| !isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value))
	return false;
	}

	return true;
	}

	bool isOnAccessControlResponseHeaderWhitelist(const String& name)
	{
	static std::once_flag onceFlag;
	static LazyNeverDestroyed<HTTPHeaderSet> allowedCrossOriginResponseHeaders;

	std::call_once(onceFlag, []{
	allowedCrossOriginResponseHeaders.construct<std::initializer_list<String>>({
	"cache-control",
	"content-language",
	"content-type",
	"expires",
	"last-modified",
	"pragma"
	});
	});

	return allowedCrossOriginResponseHeaders.get().contains(name);
	}

	void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials)
	{
	request.removeCredentials();
	request.setAllowCookies(allowCredentials == AllowStoredCredentials);
	request.setHTTPOrigin(securityOrigin.toString());
	}

	ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin, const String& referrer)
	{
	ResourceRequest preflightRequest(request.url());
	static const double platformDefaultTimeout = 0;
	preflightRequest.setTimeoutInterval(platformDefaultTimeout);
	updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
	preflightRequest.setHTTPMethod("OPTIONS");
	preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod());
	preflightRequest.setPriority(request.priority());
	if (!referrer.isNull())
	preflightRequest.setHTTPReferrer(referrer);

	const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

	if (!requestHeaderFields.isEmpty()) {
	Vector<String> unsafeHeaders;
	for (const auto& headerField : requestHeaderFields.commonHeaders()) {
	if (!isCrossOriginSafeRequestHeader(headerField.key, headerField.value))
	unsafeHeaders.append(httpHeaderNameString(headerField.key).toStringWithoutCopying().convertToASCIILowercase());
	}
	for (const auto& headerField : requestHeaderFields.uncommonHeaders())
	unsafeHeaders.append(headerField.key.convertToASCIILowercase());

	std::sort(unsafeHeaders.begin(), unsafeHeaders.end(), WTF::codePointCompareLessThan);

	StringBuilder headerBuffer;

	bool appendComma = false;
	for (const auto& headerField : unsafeHeaders) {
	if (appendComma)
	headerBuffer.append(',');
	else
	appendComma = true;

	headerBuffer.append(headerField);
	}
	preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString());
	}

	return preflightRequest;
	}

	bool isValidCrossOriginRedirectionURL(const URL& redirectURL)
	{
	return SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(redirectURL.protocol().toStringWithoutCopying())
	&& redirectURL.user().isEmpty()
	&& redirectURL.pass().isEmpty();
	}

	void cleanRedirectedRequestForAccessControl(ResourceRequest& request)
	{
	// Remove headers that may have been added by the network layer that cause access control to fail.
	request.clearHTTPContentType();
	request.clearHTTPReferrer();
	request.clearHTTPOrigin();
	request.clearHTTPUserAgent();
	request.clearHTTPAccept();
	request.clearHTTPAcceptEncoding();
	}

	bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription)
	{
	// A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
	// even with Access-Control-Allow-Credentials set to true.
	const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
	if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
	return true;

	// FIXME: Access-Control-Allow-Origin can contain a list of origins.
	if (accessControlOriginString != securityOrigin.toString()) {
	if (accessControlOriginString == "*")
	errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
	else
	errorDescription = "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin.";
	return false;
	}

	if (includeCredentials == AllowStoredCredentials) {
	const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials);
	if (accessControlCredentialsString != "true") {
	errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
	return false;
	}
	}

	return true;
	}

	} // namespace WebCore