1/*
2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 *
25 */
26
27#include "config.h"
28#include "CrossOriginAccessControl.h"
29
30#include "AtomicString.h"
31#include "HTTPParsers.h"
32#include "ResourceResponse.h"
33#include "SecurityOrigin.h"
34#include <wtf/Threading.h>
35
36namespace WebCore {
37
38bool isOnAccessControlSimpleRequestMethodWhitelist(const String& method)
39{
40    return method == "GET" || method == "HEAD" || method == "POST";
41}
42
43bool isOnAccessControlSimpleRequestHeaderWhitelist(const String& name, const String& value)
44{
45    if (equalIgnoringCase(name, "accept") || equalIgnoringCase(name, "accept-language") || equalIgnoringCase(name, "content-language"))
46        return true;
47
48    // Preflight is required for MIME types that can not be sent via form submission.
49    if (equalIgnoringCase(name, "content-type")) {
50        String mimeType = extractMIMETypeFromMediaType(value);
51        return equalIgnoringCase(mimeType, "application/x-www-form-urlencoded")
52            || equalIgnoringCase(mimeType, "multipart/form-data")
53            || equalIgnoringCase(mimeType, "text/plain");
54    }
55
56    return false;
57}
58
59bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap& headerMap)
60{
61    if (!isOnAccessControlSimpleRequestMethodWhitelist(method))
62        return false;
63
64    HTTPHeaderMap::const_iterator end = headerMap.end();
65    for (HTTPHeaderMap::const_iterator it = headerMap.begin(); it != end; ++it) {
66        if (!isOnAccessControlSimpleRequestHeaderWhitelist(it->first, it->second))
67            return false;
68    }
69
70    return true;
71}
72
73typedef HashSet<String, CaseFoldingHash> HTTPHeaderSet;
74static HTTPHeaderSet* createAllowedCrossOriginResponseHeadersSet()
75{
76    HTTPHeaderSet* headerSet = new HashSet<String, CaseFoldingHash>;
77
78    headerSet->add("cache-control");
79    headerSet->add("content-language");
80    headerSet->add("content-type");
81    headerSet->add("expires");
82    headerSet->add("last-modified");
83    headerSet->add("pragma");
84
85    return headerSet;
86}
87
88bool isOnAccessControlResponseHeaderWhitelist(const String& name)
89{
90    AtomicallyInitializedStatic(HTTPHeaderSet*, allowedCrossOriginResponseHeaders = createAllowedCrossOriginResponseHeadersSet());
91
92    return allowedCrossOriginResponseHeaders->contains(name);
93}
94
95bool passesAccessControlCheck(const ResourceResponse& response, bool includeCredentials, SecurityOrigin* securityOrigin)
96{
97    // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
98    // even with Access-Control-Allow-Credentials set to true.
99    const String& accessControlOriginString = response.httpHeaderField("Access-Control-Allow-Origin");
100    if (accessControlOriginString == "*" && !includeCredentials)
101        return true;
102
103    if (securityOrigin->isUnique())
104        return false;
105
106    RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
107    if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin))
108        return false;
109
110    if (includeCredentials) {
111        const String& accessControlCredentialsString = response.httpHeaderField("Access-Control-Allow-Credentials");
112        if (accessControlCredentialsString != "true")
113            return false;
114    }
115
116    return true;
117}
118
119} // namespace WebCore
120