Source/WebCore: Add a scheme registry for CORS requests. Allow simple CORS requests...
authorcdn@chromium.org <cdn@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Jan 2012 23:50:31 +0000 (23:50 +0000)
committercdn@chromium.org <cdn@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Jan 2012 23:50:31 +0000 (23:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=77041

Reviewed by Alexey Proskuryakov.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
* platform/SchemeRegistry.cpp:
(WebCore::CORSEnabledSchemes):
(WebCore):
(WebCore::SchemeRegistry::registerCORSEnabledScheme):
(WebCore::SchemeRegistry::isCORSEnabledScheme):
* platform/SchemeRegistry.h:
(SchemeRegistry):

Source/WebKit/chromium: Add API to register schemes which can be sent simple CORS requests.
https://bugs.webkit.org/show_bug.cgi?id=77041

Reviewed by Alexey Proskuryakov.

* public/WebSecurityPolicy.h:
(WebSecurityPolicy):
* src/WebSecurityPolicy.cpp:
(WebKit::WebSecurityPolicy::registerCORSEnabledScheme):
(WebKit):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@106057 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/platform/SchemeRegistry.cpp
Source/WebCore/platform/SchemeRegistry.h
Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/public/WebSecurityPolicy.h
Source/WebKit/chromium/src/WebSecurityPolicy.cpp

index 96223ef743422bb09e67d6cc0c8082997a629616..03b3721c58f06030564c793e9923940bef07e2ab 100644 (file)
@@ -1,3 +1,20 @@
+2012-01-25  Cris Neckar  <cdn@chromium.org>
+
+        Add a scheme registry for CORS requests. Allow simple CORS requests to be made to registered schemes.
+        https://bugs.webkit.org/show_bug.cgi?id=77041
+
+        Reviewed by Alexey Proskuryakov.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
+        * platform/SchemeRegistry.cpp:
+        (WebCore::CORSEnabledSchemes):
+        (WebCore):
+        (WebCore::SchemeRegistry::registerCORSEnabledScheme):
+        (WebCore::SchemeRegistry::isCORSEnabledScheme):
+        * platform/SchemeRegistry.h:
+        (SchemeRegistry):
+
 2012-01-26  Noel Gordon  <noel.gordon@gmail.com>
 
         File extension for webp files is .webp
index 1527697b06deebf1ca2b56ed270e1f01fd0bd063..c357e80adbc600acbe8cca47b79bea346f9ce23f 100644 (file)
@@ -41,6 +41,7 @@
 #include "FrameLoader.h"
 #include "ResourceError.h"
 #include "ResourceRequest.h"
+#include "SchemeRegistry.h"
 #include "SecurityOrigin.h"
 #include "ThreadableLoaderClient.h"
 #include <wtf/Assertions.h>
@@ -115,9 +116,8 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource
     ASSERT(m_options.preflightPolicy != ForcePreflight);
     ASSERT(m_options.preflightPolicy == PreventPreflight || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()));
 
-    // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
-    // FIXME: Consider allowing simple CORS requests to non-HTTP URLs.
-    if (!request.url().protocolInHTTPFamily()) {
+    // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
+    if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())) {
         m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are only supported for HTTP."));
         return;
     }
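Review bot: The message passed to `m_client->didFail` still reads "Cross origin requests are only supported for HTTP.", which stops being accurate once the guard is `SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(...)`. Someone debugging a blocked request to an unregistered scheme would be pointed at the wrong rule. Consider `"Cross origin requests are only supported for HTTP and registered schemes."`; any test expectations that match the old text would presumably need updating. The body of `makeSimpleCrossOriginAccessRequest` starts and continues outside this hunk.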
index 5cdeb33750a1cba0013cd1177d0093a67a00b42c..40b43b306d005857a53ffc9cf15f9ee56551b788 100644 (file)
@@ -25,6 +25,7 @@
  */
 #include "config.h"
 #include "SchemeRegistry.h"
+#include <wtf/MainThread.h>
 
 namespace WebCore {
 
@@ -152,6 +153,19 @@ static URLSchemesMap& schemesAllowingDatabaseAccessInPrivateBrowsing()
     return schemesAllowingDatabaseAccessInPrivateBrowsing;
 }
 
+static URLSchemesMap& CORSEnabledSchemes()
+{
+    ASSERT(isMainThread());
+    DEFINE_STATIC_LOCAL(URLSchemesMap, CORSEnabledSchemes, ());
+
+    if (CORSEnabledSchemes.isEmpty()) {
+        CORSEnabledSchemes.add("http");
+        CORSEnabledSchemes.add("https");
+    }
+
+    return CORSEnabledSchemes;
+}
+
 bool SchemeRegistry::shouldTreatURLSchemeAsLocal(const String& scheme)
 {
     if (scheme.isEmpty())
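Review bot: `ASSERT(isMainThread())` is the only thing protecting the static set in `CORSEnabledSchemes()`, and assertions are normally compiled out of release builds, so an off-main-thread caller would touch the unsynchronized set silently. If main-thread-only is the contract, state it where callers will read it, e.g. `// Main thread only: the set is a function-local static with no locking.` above the function. The `isEmpty()` seeding of `http` and `https` also relies on nothing ever removing entries, so `// Seeded on first use; entries are never removed.` would record that assumption. The trailing context lines belong to `shouldTreatURLSchemeAsLocal`, whose body continues outside the hunk.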
@@ -273,4 +287,16 @@ bool SchemeRegistry::allowsDatabaseAccessInPrivateBrowsing(const String& scheme)
     return schemesAllowingDatabaseAccessInPrivateBrowsing().contains(scheme);
 }
 
+void SchemeRegistry::registerURLSchemeAsCORSEnabled(const String& scheme)
+{
+    CORSEnabledSchemes().add(scheme);
+}
+
+bool SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(const String& scheme)
+{
+    if (scheme.isEmpty())
+        return false;
+    return CORSEnabledSchemes().contains(scheme);
+}
+
 } // namespace WebCore
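Review bot: `registerURLSchemeAsCORSEnabled` adds whatever string it is given, while `shouldTreatURLSchemeAsCORSEnabled` rejects an empty scheme before touching the set; the write side lacks the same guard. An empty or null scheme reaching `CORSEnabledSchemes().add(scheme)` is at best a dead entry and may not be valid for the set type, whose definition is not visible here. I would start the register function with `if (scheme.isEmpty()) return;`. This list widens which targets may receive cross-origin requests, so rejecting malformed input at registration keeps the policy easy to audit.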
index 04f1bf8645472380d824fcdbd7ddf80aec47862e..9b08e0a4155105bab0326d6492e660ddbe7b8966 100644 (file)
@@ -78,6 +78,10 @@ public:
     static bool allowsLocalStorageAccessInPrivateBrowsing(const String& scheme);
     static void registerURLSchemeAsAllowingDatabaseAccessInPrivateBrowsing(const String& scheme);
     static bool allowsDatabaseAccessInPrivateBrowsing(const String& scheme);
+
+    // Allow non-HTTP schemes to be registered to allow CORS requests.
+    static void registerURLSchemeAsCORSEnabled(const String& scheme);
+    static bool shouldTreatURLSchemeAsCORSEnabled(const String& scheme);
 };
 
 } // namespace WebCore
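Review bot: The comment `// Allow non-HTTP schemes to be registered to allow CORS requests.` does not tell a caller what the default set is or which requests the registry governs. Elsewhere in this commit `http` and `https` are seeded automatically, and the only call site added is the simple (non-preflight) request path. A comment along the lines of `// Schemes that may be the target of simple cross-origin (CORS) requests. http and https are enabled by default; other schemes must be registered.` would carry that. The class declaration starts outside the hunk.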
index ebc193db6cb36233f670bde26784e7b31b7f61a5..6baf787d9521545ac7fe553684dfc58fbe32307a 100644 (file)
@@ -1,3 +1,16 @@
+2012-01-25  Cris Neckar  <cdn@chromium.org>
+
+        Add API to register schemes which can be sent simple CORS requests.
+        https://bugs.webkit.org/show_bug.cgi?id=77041
+
+        Reviewed by Alexey Proskuryakov.
+
+        * public/WebSecurityPolicy.h:
+        (WebSecurityPolicy):
+        * src/WebSecurityPolicy.cpp:
+        (WebKit::WebSecurityPolicy::registerCORSEnabledScheme):
+        (WebKit):
+
 2012-01-10  James Robinson  <jamesr@chromium.org>
 
         [chromium] Add enter/exitRunLoop to WebThread API
index 4063f91cc11efb06a38a549a4d041ff4b5689fc3..466d98684ff27c97036073af4e622569b408bedf 100644 (file)
@@ -61,6 +61,9 @@ public:
     // included by an HTTPS page.
     WEBKIT_EXPORT static void registerURLSchemeAsSecure(const WebString&);
 
+    // Registers a non-HTTP URL scheme which can be sent CORS requests. 
+    WEBKIT_EXPORT static void registerURLSchemeAsCORSEnabled(const WebString&);
+
     // Support for whitelisting access to origins beyond the same-origin policy.
     WEBKIT_EXPORT static void addOriginAccessWhitelistEntry(
         const WebURL& sourceOrigin, const WebString& destinationProtocol,
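Review bot: The public comment on `registerURLSchemeAsCORSEnabled` omits constraints an embedder needs before calling it. The underlying registry accessor asserts main-thread use, the set is a single static so the registration appears to be process-wide, and this commit adds no way to undo it. I would extend the comment to `// Registers a non-HTTP URL scheme which can be sent CORS requests. Must be called on the main thread; the registration is global and cannot be removed.` The added comment line also ends with a trailing space. The `addOriginAccessWhitelistEntry` declaration in the context lines continues outside the hunk.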
index 39f5e2770bf5070fb591892a7055c6a6d210005b..01162779e9d3a8e568cb74d4724ca7b3a7ae9c91 100644 (file)
@@ -63,6 +63,11 @@ void WebSecurityPolicy::registerURLSchemeAsSecure(const WebString& scheme)
     SchemeRegistry::registerURLSchemeAsSecure(scheme);
 }
 
+void WebSecurityPolicy::registerURLSchemeAsCORSEnabled(const WebString& scheme)
+{
+    SchemeRegistry::registerURLSchemeAsCORSEnabled(scheme);
+}
+
 void WebSecurityPolicy::addOriginAccessWhitelistEntry(
     const WebURL& sourceOrigin,
     const WebString& destinationProtocol,