chromium/third_party/blink/renderer/platform/loader/cors/cors.cc

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "third_party/blink/renderer/platform/loader/cors/cors.h"

#include <string>

#include "base/containers/contains.h"
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "net/http/http_util.h"
#include "services/network/public/cpp/cors/cors.h"
#include "third_party/blink/public/mojom/fetch/fetch_api_request.mojom-blink.h"
#include "third_party/blink/public/platform/web_string.h"
#include "third_party/blink/renderer/platform/loader/fetch/resource_response.h"
#include "third_party/blink/renderer/platform/network/http_names.h"
#include "third_party/blink/renderer/platform/weborigin/security_origin.h"

namespace blink {

namespace {

// A parser for the value of the Access-Control-Expose-Headers header.
class HTTPHeaderNameListParser { … };

}  // namespace

namespace cors {

bool IsCorsEnabledRequestMode(network::mojom::RequestMode request_mode) { … }

bool IsCorsSafelistedMethod(const String& method) { … }

bool IsCorsSafelistedContentType(const String& media_type) { … }

bool IsNoCorsSafelistedHeader(const String& name, const String& value) { … }

bool IsPrivilegedNoCorsHeaderName(const String& name) { … }

bool IsNoCorsSafelistedHeaderName(const String& name) { … }

PLATFORM_EXPORT Vector<String> PrivilegedNoCorsHeaderNames() { … }

bool IsForbiddenRequestHeader(const String& name, const String& value) { … }

bool ContainsOnlyCorsSafelistedHeaders(const HTTPHeaderMap& header_map) { … }

bool CalculateCorsFlag(const KURL& url,
                       const SecurityOrigin* initiator_origin,
                       const SecurityOrigin* isolated_world_origin,
                       network::mojom::RequestMode request_mode) { … }

HTTPHeaderSet ExtractCorsExposedHeaderNamesList(
    network::mojom::CredentialsMode credentials_mode,
    const ResourceResponse& response) { … }

bool IsCorsSafelistedResponseHeader(const String& name) { … }

// In the spec, https://fetch.spec.whatwg.org/#ref-for-concept-request-mode,
// No-CORS mode is highly discouraged from using it for new features. Only
// legacy usages for backward compatibility are allowed except for well-designed
// usages over the fetch API.
bool IsNoCorsAllowedContext(mojom::blink::RequestContextType context) { … }

}  // namespace cors

}  // namespace blink