LibWeb: Enforce Same-Origin Policy (SOP) for XMLHttpRequest requests
`DOM::XMLHttpRequest` now checks if the requested URL has the same `Origin` as the requesting `Document`. If the requested URL is in violation of SOP the request is rejected and an "error" `DOM::Event` is dispatched.
This commit is contained in:
parent
4007ba5137
commit
3482b9b937
1 changed files with 17 additions and 0 deletions
|
@ -35,6 +35,7 @@
|
|||
#include <LibWeb/DOM/Window.h>
|
||||
#include <LibWeb/DOM/XMLHttpRequest.h>
|
||||
#include <LibWeb/Loader/ResourceLoader.h>
|
||||
#include <LibWeb/Origin.h>
|
||||
|
||||
namespace Web {
|
||||
|
||||
|
@ -70,6 +71,22 @@ void XMLHttpRequest::open(const String& method, const String& url)
|
|||
|
||||
void XMLHttpRequest::send()
|
||||
{
|
||||
URL request_url = m_window->document().complete_url(m_url);
|
||||
dbg() << "XHR send from " << m_window->document().url() << " to " << request_url;
|
||||
|
||||
// TODO: Add support for preflight requests to support CORS requests
|
||||
Origin request_url_origin = Origin(request_url.protocol(), request_url.host(), request_url.port());
|
||||
|
||||
if (!m_window->document().origin().is_same(request_url_origin)) {
|
||||
dbg() << "XHR failed to load: Same-Origin Policy violation: " << m_window->document().url() << " may not load " << request_url;
|
||||
auto weak_this = make_weak_ptr();
|
||||
if (!weak_this)
|
||||
return;
|
||||
const_cast<XMLHttpRequest&>(*weak_this).set_ready_state(ReadyState::Done);
|
||||
const_cast<XMLHttpRequest&>(*weak_this).dispatch_event(DOM::Event::create("error"));
|
||||
return;
|
||||
}
|
||||
|
||||
// FIXME: in order to properly set ReadyState::HeadersReceived and ReadyState::Loading,
|
||||
// we need to make ResourceLoader give us more detailed updates than just "done" and "error".
|
||||
ResourceLoader::the().load(
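Review bot: The same-origin check at `if (!m_window->document().origin().is_same(request_url_origin))` is evaluated once, against the URL handed to send(), so if ResourceLoader follows HTTP redirects the final destination is never compared and a same-origin URL that 30x-redirects cross-origin would still be loaded with its response handed to the page; the comparison needs to be repeated against each redirect target in the load callback (which lies past the end of this hunk, as does the rest of send()), or redirects refused for XHR until that exists. Whether `request_url.port()` yields the scheme's default port when the URL carries none is not visible here; if it returns 0 while the document origin holds 80/443 (or the reverse), `http://host/` and `http://host:80/` will be treated as different origins, so a test for that pair is worth adding. Separately, the `weak_this` round-trip on the rejection path is dead weight: a weak pointer taken from `this` cannot be null on the next line, so `set_ready_state(ReadyState::Done); dispatch_event(DOM::Event::create("error"));` is equivalent and drops the two `const_cast`s.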
|
||||
|
|