Title: [106057] trunk/Source
Revision
106057
Author
[email protected]
Date
2012-01-26 15:50:31 -0800 (Thu, 26 Jan 2012)

Log Message

Source/WebCore: Add a scheme registry for CORS requests. Allow simple CORS requests to be made to registered schemes.
https://bugs.webkit.org/show_bug.cgi?id=77041

Reviewed by Alexey Proskuryakov.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
* platform/SchemeRegistry.cpp:
(WebCore::CORSEnabledSchemes):
(WebCore):
(WebCore::SchemeRegistry::registerCORSEnabledScheme):
(WebCore::SchemeRegistry::isCORSEnabledScheme):
* platform/SchemeRegistry.h:
(SchemeRegistry):

Source/WebKit/chromium: Add API to register schemes which can be sent simple CORS requests.
https://bugs.webkit.org/show_bug.cgi?id=77041

Reviewed by Alexey Proskuryakov.

* public/WebSecurityPolicy.h:
(WebSecurityPolicy):
* src/WebSecurityPolicy.cpp:
(WebKit::WebSecurityPolicy::registerCORSEnabledScheme):
(WebKit):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (106056 => 106057)


--- trunk/Source/WebCore/ChangeLog	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebCore/ChangeLog	2012-01-26 23:50:31 UTC (rev 106057)
@@ -1,3 +1,20 @@
+2012-01-25  Cris Neckar  <[email protected]>
+
+        Add a scheme registry for CORS requests. Allow simple CORS requests to be made to registered schemes.
+        https://bugs.webkit.org/show_bug.cgi?id=77041
+
+        Reviewed by Alexey Proskuryakov.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
+        * platform/SchemeRegistry.cpp:
+        (WebCore::CORSEnabledSchemes):
+        (WebCore):
+        (WebCore::SchemeRegistry::registerCORSEnabledScheme):
+        (WebCore::SchemeRegistry::isCORSEnabledScheme):
+        * platform/SchemeRegistry.h:
+        (SchemeRegistry):
+
 2012-01-26  Noel Gordon  <[email protected]>
 
         File extension for webp files is .webp

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (106056 => 106057)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2012-01-26 23:50:31 UTC (rev 106057)
@@ -41,6 +41,7 @@
 #include "FrameLoader.h"
 #include "ResourceError.h"
 #include "ResourceRequest.h"
+#include "SchemeRegistry.h"
 #include "SecurityOrigin.h"
 #include "ThreadableLoaderClient.h"
 #include <wtf/Assertions.h>
@@ -115,9 +116,8 @@
     ASSERT(m_options.preflightPolicy != ForcePreflight);
     ASSERT(m_options.preflightPolicy == PreventPreflight || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()));
 
-    // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
-    // FIXME: Consider allowing simple CORS requests to non-HTTP URLs.
-    if (!request.url().protocolInHTTPFamily()) {
+    // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
+    if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
         m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));
         return;
     }
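Review bot: The error string passed to `didFail` still reads "Cross origin requests are only supported for HTTP.", although the guard above it now admits any scheme in the CORS-enabled registry. A message such as `"Cross origin requests are only supported for HTTP and registered CORS-enabled schemes."` would match the new condition and not mislead whoever debugs a rejected request. For a registered non-HTTP scheme this early gate no longer filters anything, so the later response-header check that the comment mentions becomes the only enforcement. That check presumably depends on the scheme's handler producing genuine Access-Control-Allow-Origin headers, which the comment could state. The function body starts and ends outside the hunk.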

Modified: trunk/Source/WebCore/platform/SchemeRegistry.cpp (106056 => 106057)


--- trunk/Source/WebCore/platform/SchemeRegistry.cpp	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebCore/platform/SchemeRegistry.cpp	2012-01-26 23:50:31 UTC (rev 106057)
@@ -25,6 +25,7 @@
  */
 #include "config.h"
 #include "SchemeRegistry.h"
+#include <wtf/MainThread.h>
 
 namespace WebCore {
 
@@ -152,6 +153,19 @@
     return schemesAllowingDatabaseAccessInPrivateBrowsing;
 }
 
+static URLSchemesMap& CORSEnabledSchemes()
+{
+    ASSERT(isMainThread());
+    DEFINE_STATIC_LOCAL(URLSchemesMap, CORSEnabledSchemes, ());
+
+    if (CORSEnabledSchemes.isEmpty()) {
+        CORSEnabledSchemes.add("http");
+        CORSEnabledSchemes.add("https");
+    }
+
+    return CORSEnabledSchemes;
+}
+
 bool SchemeRegistry::shouldTreatURLSchemeAsLocal(const String& scheme)
 {
     if (scheme.isEmpty())
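Review bot: `CORSEnabledSchemes()` protects its unsynchronized static set only with `ASSERT(isMainThread())`, which presumably compiles out of release builds, so a call from another thread would go unnoticed there. A comment on the accessor such as `// Main thread only: the set is not synchronized.` would state the contract that the registry functions and the exported WebSecurityPolicy entry point inherit. The `isEmpty()` seeding is only correct while nothing can remove entries, and deserves its own comment, for example `// http and https are always CORS-enabled; seeded on first use.`. The trailing context lines belong to shouldTreatURLSchemeAsLocal, whose body continues outside the hunk.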
@@ -273,4 +287,16 @@
     return schemesAllowingDatabaseAccessInPrivateBrowsing().contains(scheme);
 }
 
+void SchemeRegistry::registerURLSchemeAsCORSEnabled(const String& scheme)
+{
+    CORSEnabledSchemes().add(scheme);
+}
+
+bool SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(const String& scheme)
+{
+    if (scheme.isEmpty())
+        return false;
+    return CORSEnabledSchemes().contains(scheme);
+}
+
 } // namespace WebCore
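Review bot: `registerURLSchemeAsCORSEnabled` adds whatever string it receives, while `shouldTreatURLSchemeAsCORSEnabled` explicitly rejects an empty scheme, so the two are not symmetric. An early `if (scheme.isEmpty()) return;` in the register function would keep empty (and presumably null) strings out of the set, instead of relying on the lookup side to ignore them. Both functions are also listed in the ChangeLog entries as `registerCORSEnabledScheme` and `isCORSEnabledScheme`, which no longer match the names committed here. Correcting the entries would keep a later search of the log from missing these functions.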

Modified: trunk/Source/WebCore/platform/SchemeRegistry.h (106056 => 106057)


--- trunk/Source/WebCore/platform/SchemeRegistry.h	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebCore/platform/SchemeRegistry.h	2012-01-26 23:50:31 UTC (rev 106057)
@@ -78,6 +78,10 @@
     static bool allowsLocalStorageAccessInPrivateBrowsing(const String& scheme);
     static void registerURLSchemeAsAllowingDatabaseAccessInPrivateBrowsing(const String& scheme);
     static bool allowsDatabaseAccessInPrivateBrowsing(const String& scheme);
+
+    // Allow non-HTTP schemes to be registered to allow CORS requests.
+    static void registerURLSchemeAsCORSEnabled(const String& scheme);
+    static bool shouldTreatURLSchemeAsCORSEnabled(const String& scheme);
 };
 
 } // namespace WebCore
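Review bot: The one-line comment above the new declarations does not tell a caller what registration implies for security. From the rest of this change, the registry is process-wide, http and https are always present, and no removal function is added, so registration lasts for the process lifetime. A fuller comment would help an embedder decide whether a scheme is safe to register, for example `// Marks a scheme as a valid target for simple cross-origin requests from any origin (http/https are always enabled).` followed by `// Registration is global and cannot be undone; the scheme's handler must return correct Access-Control-* response headers.`. The last sentence of that proposal is inferred from the loader comment about checking response headers later and should be confirmed against the access-control check.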

Modified: trunk/Source/WebKit/chromium/ChangeLog (106056 => 106057)


--- trunk/Source/WebKit/chromium/ChangeLog	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebKit/chromium/ChangeLog	2012-01-26 23:50:31 UTC (rev 106057)
@@ -1,3 +1,16 @@
+2012-01-25  Cris Neckar  <[email protected]>
+
+        Add API to register schemes which can be sent simple CORS requests.
+        https://bugs.webkit.org/show_bug.cgi?id=77041
+
+        Reviewed by Alexey Proskuryakov.
+
+        * public/WebSecurityPolicy.h:
+        (WebSecurityPolicy):
+        * src/WebSecurityPolicy.cpp:
+        (WebKit::WebSecurityPolicy::registerCORSEnabledScheme):
+        (WebKit):
+
 2012-01-10  James Robinson  <[email protected]>
 
         [chromium] Add enter/exitRunLoop to WebThread API

Modified: trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h (106056 => 106057)


--- trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h	2012-01-26 23:50:31 UTC (rev 106057)
@@ -61,6 +61,9 @@
     // included by an HTTPS page.
     WEBKIT_EXPORT static void registerURLSchemeAsSecure(const WebString&);
 
+    // Registers a non-HTTP URL scheme which can be sent CORS requests. 
+    WEBKIT_EXPORT static void registerURLSchemeAsCORSEnabled(const WebString&);
+
     // Support for whitelisting access to origins beyond the same-origin policy.
     WEBKIT_EXPORT static void addOriginAccessWhitelistEntry(
         const WebURL& sourceOrigin, const WebString& destinationProtocol,
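Review bot: The public comment promises "CORS requests" in general, but the commit description and the only call site changed here (makeSimpleCrossOriginAccessRequest) cover simple requests only. Whether the preflight path accepts registered schemes is not visible in this diff, so the comment should not imply it. Suggested wording: `// Registers a non-HTTP URL scheme which can be sent simple CORS requests.`, which also drops the trailing space the added line currently carries. Because this is the exported embedder API, it is also the natural place to note that the call is expected on the main thread, as the registry accessor asserts.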

Modified: trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp (106056 => 106057)


--- trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp	2012-01-26 23:48:11 UTC (rev 106056)
+++ trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp	2012-01-26 23:50:31 UTC (rev 106057)
@@ -63,6 +63,11 @@
     SchemeRegistry::registerURLSchemeAsSecure(scheme);
 }
 
+void WebSecurityPolicy::registerURLSchemeAsCORSEnabled(const WebString& scheme)
+{
+    SchemeRegistry::registerURLSchemeAsCORSEnabled(scheme);
+}
+
 void WebSecurityPolicy::addOriginAccessWhitelistEntry(
     const WebURL& sourceOrigin,
     const WebString& destinationProtocol,