// Copyright 2018 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifdef UNSAFE_BUFFERS_BUILD // TODO(crbug.com/351564777): Remove this and convert code to safer constructs. #pragma allow_unsafe_buffers #endif #include "services/network/public/cpp/cors/cors.h" #include <set> #include <string_view> #include <vector> #include "base/containers/contains.h" #include "base/containers/fixed_flat_set.h" #include "base/feature_list.h" #include "base/metrics/histogram_functions.h" #include "base/ranges/algorithm.h" #include "base/strings/string_util.h" #include "net/base/mime_util.h" #include "net/http/http_byte_range.h" #include "net/http/http_request_headers.h" #include "net/http/http_util.h" #include "services/network/public/cpp/client_hints.h" #include "services/network/public/cpp/is_potentially_trustworthy.h" #include "services/network/public/cpp/request_mode.h" #include "third_party/abseil-cpp/absl/strings/ascii.h" #include "url/gurl.h" #include "url/origin.h" #include "url/url_constants.h" #include "url/url_util.h" // String conversion from blink::String to std::string for header name/value // should be latin-1, not utf-8, as per HTTP. Note that as we use ByteString // as the IDL types of header name/value, a character whose code point is // greater than 255 has already been blocked. namespace network { namespace { const char kAsterisk[] = …; const char kLowerCaseTrue[] = …; // Returns true only if |header_value| satisfies ABNF: 1*DIGIT [ "." 1*DIGIT ] bool IsSimilarToDoubleABNF(const std::string& header_value) { … } // Returns true only if |header_value| satisfies ABNF: 1*DIGIT bool IsSimilarToIntABNF(const std::string& header_value) { … } // https://fetch.spec.whatwg.org/#cors-unsafe-request-header-byte bool IsCorsUnsafeRequestHeaderByte(char c) { … } // |value| should be lower case. bool IsCorsSafelistedLowerCaseContentType(const std::string& value) { … } bool IsNoCorsSafelistedHeaderNameLowerCase(const std::string& lower_name) { … } } // namespace namespace cors { namespace header_names { const char kAccessControlAllowCredentials[] = …; const char kAccessControlAllowHeaders[] = …; const char kAccessControlAllowMethods[] = …; const char kAccessControlAllowOrigin[] = …; const char kAccessControlAllowPrivateNetwork[] = …; const char kAccessControlMaxAge[] = …; const char kAccessControlRequestHeaders[] = …; const char kAccessControlRequestMethod[] = …; const char kAccessControlRequestPrivateNetwork[] = …; const char kPrivateNetworkDeviceId[] = …; const char kPrivateNetworkDeviceName[] = …; } // namespace header_names // See https://fetch.spec.whatwg.org/#cors-check. base::expected<void, CorsErrorStatus> CheckAccess( const GURL& response_url, const std::optional<std::string>& allow_origin_header, const std::optional<std::string>& allow_credentials_header, mojom::CredentialsMode credentials_mode, const url::Origin& origin) { … } base::expected<void, CorsErrorStatus> CheckAccessAndReportMetrics( const GURL& response_url, const std::optional<std::string>& allow_origin_header, const std::optional<std::string>& allow_credentials_header, mojom::CredentialsMode credentials_mode, const url::Origin& origin) { … } bool ShouldCheckCors(const GURL& request_url, const std::optional<url::Origin>& request_initiator, mojom::RequestMode request_mode) { … } bool IsCorsEnabledRequestMode(mojom::RequestMode mode) { … } bool IsCorsSafelistedMethod(const std::string& method) { … } bool IsCorsSafelistedContentType(const std::string& media_type) { … } bool IsCorsSafelistedHeader(const std::string& name, const std::string& value) { … } bool IsNoCorsSafelistedHeaderName(const std::string& name) { … } bool IsPrivilegedNoCorsHeaderName(const std::string& name) { … } bool IsNoCorsSafelistedHeader(const std::string& name, const std::string& value) { … } std::vector<std::string> CorsUnsafeRequestHeaderNames( const net::HttpRequestHeaders::HeaderVector& headers) { … } std::vector<std::string> PrivilegedNoCorsHeaderNames() { … } bool IsForbiddenMethod(const std::string& method) { … } bool IsCorsSameOriginResponseType(mojom::FetchResponseType type) { … } bool IsCorsCrossOriginResponseType(mojom::FetchResponseType type) { … } bool CalculateCredentialsFlag(mojom::CredentialsMode credentials_mode, mojom::FetchResponseType response_tainting) { … } mojom::FetchResponseType CalculateResponseType( mojom::RequestMode mode, bool is_request_considered_same_origin) { … } } // namespace cors } // namespace network
Codebase Browser
chromium