// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "services/network/public/cpp/header_util.h"

#include <string>
#include <vector>

#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "net/base/mime_sniffer.h"
#include "net/http/http_request_headers.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_status_code.h"
#include "services/network/public/mojom/url_response_head.mojom.h"
#include "url/gurl.h"

namespace network {

namespace {

// Headers that consumers are not trusted to set. All "Proxy-" prefixed messages
// are blocked inline. The "Authorization" auth header is deliberately not
// included, since OAuth requires websites be able to set it directly. These are
// a subset of headers forbidden by the fetch spec.
//
// This list has some values in common with
// https://fetch.spec.whatwg.org/#forbidden-header-name, but excludes some
// values that are still set by the caller in Chrome.
const char* kUnsafeHeaders[] = …;

// Headers that consumers are currently allowed to set, with the exception of
// certain values that could cause problems.
// TODO(mmenke): Gather stats on these, and see if these headers can be banned
// outright instead.
const struct { … } kUnsafeHeaderValues[] = …;

} // namespace

bool IsRequestHeaderSafe(std::string_view key, std::string_view value) { … }

bool AreRequestHeadersSafe(const net::HttpRequestHeaders& request_headers) { … }

// TODO(crbug.com/40217150): Consider merging this with
// ProcessReferrerPolicyHeaderOnRedirect() in //net and/or
// blink::SecurityPolicy::ReferrerPolicyFromString().
mojom::ReferrerPolicy ParseReferrerPolicy(
    const net::HttpResponseHeaders& response_headers) { … }

bool ShouldSniffContent(const GURL& url,
                        const mojom::URLResponseHead& response) { … }

bool IsSuccessfulStatus(int status) { … }

} // namespace network