2022-10-23 18:36:31 +02:00
|
|
|
|
/*
|
2023-03-02 23:26:35 +00:00
|
|
|
|
* Copyright (c) 2022-2023, Linus Groh <linusg@serenityos.org>
|
2022-10-23 18:36:31 +02:00
|
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
|
|
|
*/
|
|
|
|
|
|
2024-02-11 19:48:56 +13:00
|
|
|
|
#include <LibWeb/DOMURL/DOMURL.h>
|
2022-10-23 18:36:31 +02:00
|
|
|
|
#include <LibWeb/Fetch/Fetching/Checks.h>
|
|
|
|
|
#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
|
|
|
|
|
#include <LibWeb/Fetch/Infrastructure/HTTP/Responses.h>
|
|
|
|
|
|
|
|
|
|
namespace Web::Fetch::Fetching {
|
|
|
|
|
|
|
|
|
|
// https://fetch.spec.whatwg.org/#concept-cors-check
|
2024-04-26 13:35:10 -04:00
|
|
|
|
bool cors_check(Infrastructure::Request const& request, Infrastructure::Response const& response)
|
2022-10-23 18:36:31 +02:00
|
|
|
|
{
|
|
|
|
|
// 1. Let origin be the result of getting `Access-Control-Allow-Origin` from response’s header list.
|
2024-04-26 13:24:20 -04:00
|
|
|
|
auto origin = response.header_list()->get("Access-Control-Allow-Origin"sv.bytes());
|
2022-10-23 18:36:31 +02:00
|
|
|
|
|
|
|
|
|
// 2. If origin is null, then return failure.
|
|
|
|
|
// NOTE: Null is not `null`.
|
|
|
|
|
if (!origin.has_value())
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// 3. If request’s credentials mode is not "include" and origin is `*`, then return success.
|
|
|
|
|
if (request.credentials_mode() != Infrastructure::Request::CredentialsMode::Include && origin->span() == "*"sv.bytes())
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 4. If the result of byte-serializing a request origin with request is not origin, then return failure.
|
2024-04-26 13:35:10 -04:00
|
|
|
|
if (request.byte_serialize_origin() != *origin)
|
2022-10-23 18:36:31 +02:00
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// 5. If request’s credentials mode is not "include", then return success.
|
|
|
|
|
if (request.credentials_mode() != Infrastructure::Request::CredentialsMode::Include)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 6. Let credentials be the result of getting `Access-Control-Allow-Credentials` from response’s header list.
|
2024-04-26 13:24:20 -04:00
|
|
|
|
auto credentials = response.header_list()->get("Access-Control-Allow-Credentials"sv.bytes());
|
2022-10-23 18:36:31 +02:00
|
|
|
|
|
|
|
|
|
// 7. If credentials is `true`, then return success.
|
|
|
|
|
if (credentials.has_value() && credentials->span() == "true"sv.bytes())
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 8. Return failure.
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// https://fetch.spec.whatwg.org/#concept-tao-check
|
2024-04-26 13:35:10 -04:00
|
|
|
|
bool tao_check(Infrastructure::Request const& request, Infrastructure::Response const& response)
|
2022-10-23 18:36:31 +02:00
|
|
|
|
{
|
|
|
|
|
// 1. If request’s timing allow failed flag is set, then return failure.
|
|
|
|
|
if (request.timing_allow_failed())
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
// 2. Let values be the result of getting, decoding, and splitting `Timing-Allow-Origin` from response’s header list.
|
2024-04-26 13:24:20 -04:00
|
|
|
|
auto values = response.header_list()->get_decode_and_split("Timing-Allow-Origin"sv.bytes());
|
2022-10-23 18:36:31 +02:00
|
|
|
|
|
|
|
|
|
// 3. If values contains "*", then return success.
|
2023-08-22 19:23:32 +02:00
|
|
|
|
if (values.has_value() && values->contains_slow("*"sv))
|
2022-10-23 18:36:31 +02:00
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 4. If values contains the result of serializing a request origin with request, then return success.
|
2024-04-26 13:35:10 -04:00
|
|
|
|
if (values.has_value() && values->contains_slow(request.serialize_origin()))
|
2022-10-23 18:36:31 +02:00
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 5. If request’s mode is "navigate" and request’s current URL’s origin is not same origin with request’s origin, then return failure.
|
|
|
|
|
// NOTE: This is necessary for navigations of a nested browsing context. There, request’s origin would be the
|
|
|
|
|
// container document’s origin and the TAO check would return failure. Since navigation timing never
|
|
|
|
|
// validates the results of the TAO check, the nested document would still have access to the full timing
|
|
|
|
|
// information, but the container document would not.
|
|
|
|
|
if (request.mode() == Infrastructure::Request::Mode::Navigate
|
2024-10-05 15:33:34 +13:00
|
|
|
|
&& request.origin().has<URL::Origin>()
|
2024-10-05 17:03:51 +13:00
|
|
|
|
&& !request.current_url().origin().is_same_origin(request.origin().get<URL::Origin>())) {
|
2022-10-23 18:36:31 +02:00
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 6. If request’s response tainting is "basic", then return success.
|
|
|
|
|
if (request.response_tainting() == Infrastructure::Request::ResponseTainting::Basic)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
// 7. Return failure.
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|