author | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-20 08:14:39 +0000 |
---|---|---|
committer | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-20 08:14:39 +0000 |
commit | cd5b9a73feb4a4178973ccd571b277fcdd83e590 (patch) | |
tree | 56dee2f3bc2065f4f44b39d3f8dbc25c568a2dde /net/http/http_response_headers.h | |
parent | 5103a768ef9ba423590b7417baa3f1bda6daa829 (diff) | |
Add flags to further control response header persistence. We use this to
filter out Set-Cookie and Set-Cookie2 response headers from being forwarded to
the renderer. This serves to prevent the renderer from having any access to
HttpOnly cookies, and it also prevents XMLHttpRequest consumers from being able
to read cookies in the HTTP response headers. This is consistent with changes
made to Firefox and WebKit.
Patch by marius.schilder@gmail.com
R=deanm,darin
Review URL: http://codereview.chromium.org/11264
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@5767 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_response_headers.h')
-rw-r--r-- | net/http/http_response_headers.h | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/net/http/http_response_headers.h b/net/http/http_response_headers.h
index 3edb070..ddd23ac 100644
--- a/net/http/http_response_headers.h
+++ b/net/http/http_response_headers.h
@@ -44,10 +44,18 @@ class HttpResponseHeaders :
   // be passed to the pickle's various Read* methods.
   HttpResponseHeaders(const Pickle& pickle, void** pickle_iter);
-  // Appends a representation of this object to the given pickle. If the
-  // for_cache argument is true, then non-cacheable headers will be pruned from
-  // the persisted version of the response headers.
-  void Persist(Pickle* pickle, bool for_cache);
+  // Persist options.
+  typedef int PersistOptions;
+  static const PersistOptions PERSIST_RAW = -1; // Raw, unparsed headers.
+  static const PersistOptions PERSIST_ALL = 0; // Parsed headers.
+  static const PersistOptions PERSIST_SANS_COOKIES = 1 << 0;
+  static const PersistOptions PERSIST_SANS_CHALLENGES = 1 << 1;
+  static const PersistOptions PERSIST_SANS_HOP_BY_HOP = 1 << 2;
+  static const PersistOptions PERSIST_SANS_NON_CACHEABLE = 1 << 3;
+
+  // Appends a representation of this object to the given pickle.
+  // The options argument can be a combination of PersistOptions.
+  void Persist(Pickle* pickle, PersistOptions options);
   // Performs header merging as described in 13.5.3 of RFC 2616.
   void Update(const HttpResponseHeaders& new_headers);
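Review bot: PERSIST_RAW = -1 does not compose with the PERSIST_SANS_* bits declared beside it: every bit of -1 is set, so a test of the form `options & PERSIST_SANS_COOKIES` is true for a raw persist, and a caller that ORs PERSIST_RAW with any filter still gets -1. The new comment on Persist says the argument "can be a combination of PersistOptions" without excluding PERSIST_RAW, which is the one value that applies none of the cookie and challenge filtering this commit is adding. The header should state the exclusivity where the constant is declared: `// PERSIST_RAW is exclusive, not a flag: it writes the unparsed headers verbatim and applies none of the PERSIST_SANS_* filters, so never combine it with them.` Whether Persist checks for -1 before testing bits is in the .cc, outside this diff, so that part is inferred. The class declaration continues beyond the hunk.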
@@ -242,10 +250,20 @@ class HttpResponseHeaders :
   typedef base::hash_set<std::string> HeaderSet;
-  // Returns the values from any 'cache-control: no-cache="foo,bar"' headers as
-  // well as other known-to-be-transient header names. The header names are
-  // all lowercase to support fast lookup.
-  void GetTransientHeaders(HeaderSet* header_names) const;
+  // Adds the values from any 'cache-control: no-cache="foo,bar"' headers.
+  void AddNonCacheableHeaders(HeaderSet* header_names) const;
+
+  // Adds the set of header names that contain cookie values.
+  static void AddSensitiveHeaders(HeaderSet* header_names);
+
+  // Adds the set of rfc2616 hop-by-hop response headers.
+  static void AddHopByHopHeaders(HeaderSet* header_names);
+
+  // Adds the set of challenge response headers.
+  static void AddChallengeHeaders(HeaderSet* header_names);
+
+  // Adds the set of cookie response headers.
+  static void AddCookieHeaders(HeaderSet* header_names);
   // The members of this structure point into raw_headers_.
   struct ParsedHeader {
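Review bot: The comments on AddSensitiveHeaders ("header names that contain cookie values") and AddCookieHeaders ("cookie response headers") describe the same set, so a reader of this header cannot tell the two apart or know which one backs PERSIST_SANS_COOKIES. If AddSensitiveHeaders is meant to be the broader set of headers that must be stripped before the pickle leaves the browser process, with the cookie headers as its current contents, say so: `// Adds every header name whose value must be stripped from a pickle handed to a less trusted consumer; currently the cookie headers (see AddCookieHeaders).` If the two are literally identical, one of them is redundant. The implementations are in the .cc, outside this diff, so the relationship is inferred from the comments alone, and the class declaration continues past the end of the hunk.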