Source/WebCore/loader/CrossOriginAccessControl.cpp - WebKit - Git at Google

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */

 #include "config.h"
 #include "CrossOriginAccessControl.h"

 #include "HTTPHeaderNames.h"
 #include "HTTPParsers.h"
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
 #include "SecurityOrigin.h"
 #include <mutex>
 #include <wtf/NeverDestroyed.h>
 #include <wtf/text/AtomicString.h>
 #include <wtf/text/StringBuilder.h>

 namespace WebCore {

 bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
 {
     return method == "GET" || method == "HEAD" || method == "POST";
 }

 bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName name, const String& value)
 {
     switch (name) {
     case HTTPHeaderName::Accept:
     case HTTPHeaderName::AcceptLanguage:
     case HTTPHeaderName::ContentLanguage:
     case HTTPHeaderName::Origin:
     case HTTPHeaderName::Referer:
         return true;
     case HTTPHeaderName::ContentType: {
         // Preflight is required for MIME types that can not be sent via form submission.
         String mimeType = extractMIMETypeFromMediaType(value);
         return equalIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded")
             || equalIgnoringASCIICase(mimeType, "multipart/form-data")
             || equalIgnoringASCIICase(mimeType, "text/plain");
     }
     default:
         return false;
     }
 }

 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
 {
     if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
         return false;

     for (const auto& header : headerMap) {
         if (!header.keyAsHTTPHeaderName || !isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
             return false;
     }

     return true;
 }

 bool isOnAccessControlResponseHeaderWhitelist(const String& name)
 {
     static std::once_flag onceFlag;
     static LazyNeverDestroyed<HTTPHeaderSet> allowedCrossOriginResponseHeaders;

     std::call_once(onceFlag, []{
         allowedCrossOriginResponseHeaders.construct<std::initializer_list<String>>({
             "cache-control",
             "content-language",
             "content-type",
             "expires",
             "last-modified",
             "pragma"
         });
     });

     return allowedCrossOriginResponseHeaders.get().contains(name);
 }

 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials)
 {
     request.removeCredentials();
     request.setAllowCookies(allowCredentials == AllowStoredCredentials);
     request.setHTTPOrigin(securityOrigin->toString());
 }

 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
 {
     ResourceRequest preflightRequest(request.url());
     updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
     preflightRequest.setHTTPMethod("OPTIONS");
     preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod());
     preflightRequest.setPriority(request.priority());

     const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

     if (!requestHeaderFields.isEmpty()) {
         StringBuilder headerBuffer;

         bool appendComma = false;
         for (const auto& headerField : requestHeaderFields) {
             if (appendComma)
                 headerBuffer.appendLiteral(", ");
             else
                 appendComma = true;

             headerBuffer.append(headerField.key);
         }

         preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString().convertToASCIILowercase());
     }

     return preflightRequest;
 }

 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
 {
     // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
     // even with Access-Control-Allow-Credentials set to true.
     const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
     if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
         return true;

     // FIXME: Access-Control-Allow-Origin can contain a list of origins.
     if (accessControlOriginString != securityOrigin->toString()) {
         if (accessControlOriginString == "*")
             errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
         else
             errorDescription =  "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin.";
         return false;
     }

     if (includeCredentials == AllowStoredCredentials) {
         const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials);
         if (accessControlCredentialsString != "true") {
             errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
             return false;
         }
     }

     return true;
 }

 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
 {
     Vector<String> headers;
     headerValue.split(',', false, headers);
     for (auto& header : headers) {
         String strippedHeader = header.stripWhiteSpace();
         if (!strippedHeader.isEmpty())
             headerSet.add(strippedHeader);
     }
 }

 } // namespace WebCore
	/*
	* Copyright (C) 2008 Apple Inc. All Rights Reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* 1. Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* 2. Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in the
	* documentation and/or other materials provided with the distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
	* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
	* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
	* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
	* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	*
	*/

	#include "config.h"
	#include "CrossOriginAccessControl.h"

	#include "HTTPHeaderNames.h"
	#include "HTTPParsers.h"
	#include "ResourceRequest.h"
	#include "ResourceResponse.h"
	#include "SecurityOrigin.h"
	#include <mutex>
	#include <wtf/NeverDestroyed.h>
	#include <wtf/text/AtomicString.h>
	#include <wtf/text/StringBuilder.h>

	namespace WebCore {

	bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
	{
	return method == "GET" \|\| method == "HEAD" \|\| method == "POST";
	}

	bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName name, const String& value)
	{
	switch (name) {
	case HTTPHeaderName::Accept:
	case HTTPHeaderName::AcceptLanguage:
	case HTTPHeaderName::ContentLanguage:
	case HTTPHeaderName::Origin:
	case HTTPHeaderName::Referer:
	return true;
	case HTTPHeaderName::ContentType: {
	// Preflight is required for MIME types that can not be sent via form submission.
	String mimeType = extractMIMETypeFromMediaType(value);
	return equalIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded")
	\|\| equalIgnoringASCIICase(mimeType, "multipart/form-data")
	\|\| equalIgnoringASCIICase(mimeType, "text/plain");
	}
	default:
	return false;
	}
	}

	bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
	{
	if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
	return false;

	for (const auto& header : headerMap) {
	if (!header.keyAsHTTPHeaderName \|\| !isOnAccessControlSimpleRequestHeaderWhitelist(header.keyAsHTTPHeaderName.value(), header.value))
	return false;
	}

	return true;
	}

	bool isOnAccessControlResponseHeaderWhitelist(const String& name)
	{
	static std::once_flag onceFlag;
	static LazyNeverDestroyed<HTTPHeaderSet> allowedCrossOriginResponseHeaders;

	std::call_once(onceFlag, []{
	allowedCrossOriginResponseHeaders.construct<std::initializer_list<String>>({
	"cache-control",
	"content-language",
	"content-type",
	"expires",
	"last-modified",
	"pragma"
	});
	});

	return allowedCrossOriginResponseHeaders.get().contains(name);
	}

	void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials)
	{
	request.removeCredentials();
	request.setAllowCookies(allowCredentials == AllowStoredCredentials);
	request.setHTTPOrigin(securityOrigin->toString());
	}

	ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
	{
	ResourceRequest preflightRequest(request.url());
	updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
	preflightRequest.setHTTPMethod("OPTIONS");
	preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestMethod, request.httpMethod());
	preflightRequest.setPriority(request.priority());

	const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();

	if (!requestHeaderFields.isEmpty()) {
	StringBuilder headerBuffer;

	bool appendComma = false;
	for (const auto& headerField : requestHeaderFields) {
	if (appendComma)
	headerBuffer.appendLiteral(", ");
	else
	appendComma = true;

	headerBuffer.append(headerField.key);
	}

	preflightRequest.setHTTPHeaderField(HTTPHeaderName::AccessControlRequestHeaders, headerBuffer.toString().convertToASCIILowercase());
	}

	return preflightRequest;
	}

	bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
	{
	// A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
	// even with Access-Control-Allow-Credentials set to true.
	const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
	if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
	return true;

	// FIXME: Access-Control-Allow-Origin can contain a list of origins.
	if (accessControlOriginString != securityOrigin->toString()) {
	if (accessControlOriginString == "*")
	errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
	else
	errorDescription = "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin.";
	return false;
	}

	if (includeCredentials == AllowStoredCredentials) {
	const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials);
	if (accessControlCredentialsString != "true") {
	errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
	return false;
	}
	}

	return true;
	}

	void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
	{
	Vector<String> headers;
	headerValue.split(',', false, headers);
	for (auto& header : headers) {
	String strippedHeader = header.stripWhiteSpace();
	if (!strippedHeader.isEmpty())
	headerSet.add(strippedHeader);
	}
	}

	} // namespace WebCore