author | mkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-05 18:10:28 +0000 |
committer | mkwst@chromium.org <mkwst@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-05 18:10:28 +0000 |
commit | 3d5aebc76e593b10bc871a67dd62b9ab12b9519b (patch) | |
tree | d0c43218ebf80f936f5372484a5d907425565e9c /net | |
parent | 181cccfe58e14dd2c260674a4ed1a01fdfe654a7 (diff) | |
Add to the list of HTTP headers that don't overwrite in 304 responses.
Entity headers, such as those prefixed by 'Content-', 'X-WebKit-', and
'X-Content-', should only be accepted on the original response, not on 304
responses for the same resource.
This patch adds some specific headers ('X-XSS-Protection', 'X-Frame-Options'),
and adds support for prefixes we should ignore on these responses.
BUG=174301
Review URL: https://chromiumcodereview.appspot.com/12224008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@180724 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/http_response_headers.cc | 25 | ||||
-rw-r--r-- | net/http/http_response_headers_unittest.cc | 34 |
2 files changed, 50 insertions, 9 deletions
diff --git a/net/http/http_response_headers.cc b/net/http/http_response_headers.cc
index 4cbe03c..824cfd0 100644
--- a/net/http/http_response_headers.cc
+++ b/net/http/http_response_headers.cc
@@ -78,16 +78,18 @@ const char* const kNonUpdatedHeaders[] = {
 "trailer",
 "transfer-encoding",
 "upgrade",
- // these should never change:
- "content-location",
- "content-md5",
 "etag",
- // assume cache-control: no-transform
- "content-encoding",
- "content-range",
- "content-type",
- // some broken microsoft servers send 'content-length: 0' with 304s
- "content-length"
+ "x-frame-options",
+ "x-xss-protection",
+};
+
+// Some header prefixes mean "Don't copy this header from a 304 response.".
+// Rather than listing all the relevant headers, we can consolidate them into
+// this list:
+const char* const kNonUpdatedHeaderPrefixes[] = {
+ "content-",
+ "x-content-",
+ "x-webkit-"
 };
 bool ShouldUpdateHeader(const std::string::const_iterator& name_begin,
@@ -96,6 +98,11 @@ bool ShouldUpdateHeader(const std::string::const_iterator& name_begin,
 if (LowerCaseEqualsASCII(name_begin, name_end, kNonUpdatedHeaders[i]))
 return false;
 }
+ for (size_t i = 0; i < arraysize(kNonUpdatedHeaderPrefixes); ++i) {
+ if (StartsWithASCII(std::string(name_begin, name_end),
+ kNonUpdatedHeaderPrefixes[i], false))
+ return false;
+ }
 return true;
 }
diff --git a/net/http/http_response_headers_unittest.cc b/net/http/http_response_headers_unittest.cc
index 28d97dd..fde98b5 100644
--- a/net/http/http_response_headers_unittest.cc
+++ b/net/http/http_response_headers_unittest.cc
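Review bot: The rationale comments that the first hunk deletes from kNonUpdatedHeaders — `// assume cache-control: no-transform` and `// some broken microsoft servers send 'content-length: 0' with 304s` — are not carried over to the new kNonUpdatedHeaderPrefixes comment, so the next reader sees only that `content-` is excluded and no longer why. I would keep the why next to the prefix list, e.g. `// "content-" covers the entity headers (Content-Type, -Encoding, -Range, -Length, ...): they describe the cached body, which a 304 does not carry, and some servers send 'Content-Length: 0' with 304s.` The closing punctuation of the new comment, `response.".`, should be `response".` or drop the inner period.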
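Review bot: `std::string(name_begin, name_end)` in the new loop of the second hunk is rebuilt on every iteration although it does not depend on `i`; hoist it with `const std::string name(name_begin, name_end);` before the loop and `if (StartsWithASCII(name, kNonUpdatedHeaderPrefixes[i], false))` inside it. The `false` argument makes the prefix match case-insensitive, which is what keeps it consistent with the LowerCaseEqualsASCII check above; a short comment such as `// Case-insensitive, like the exact-name check above.` would save the reader a lookup. ShouldUpdateHeader's signature and its first loop lie before this hunk.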
@@ -922,6 +922,40 @@ TEST(HttpResponseHeadersTest, Update) {
 "Cache-control: max-age=10001\n"
 "Content-Length: 450\n"
 },
+ { "HTTP/1.1 200 OK\n"
+ "X-Frame-Options: DENY\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-Frame-Options: ALLOW\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-Frame-Options: DENY\n",
+ },
+ { "HTTP/1.1 200 OK\n"
+ "X-WebKit-CSP: default-src 'none'\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-WebKit-CSP: default-src *\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-WebKit-CSP: default-src 'none'\n",
+ },
+ { "HTTP/1.1 200 OK\n"
+ "X-XSS-Protection: 1\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-XSS-Protection: 0\n",
+
+ "HTTP/1.1 200 OK\n"
+ "X-XSS-Protection: 1\n",
+ },
+ { "HTTP/1.1 200 OK\n",
+
+ "HTTP/1/1 304 Not Modified\n"
+ "X-Content-Type-Options: nosniff\n",
+
+ "HTTP/1.1 200 OK\n"
+ },
 };
 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) { |
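Review bot: The 304 inputs in all four added cases use the status line `HTTP/1/1 304 Not Modified` instead of `HTTP/1.1 304 Not Modified`; if the parser is lenient the cases still pass, but then they do not exercise the response shape a real server sends, and if parsing ever becomes strict they fail for an unrelated reason. I would change the version to `HTTP/1.1` in the four new cases. The fourth case usefully pins that a header present only on the 304 (X-Content-Type-Options) is not merged into the cached headers; a one-line comment above it such as `// Headers that only appear on the 304 must not be added either.` would keep a future edit from "fixing" it. The TEST body, including the declaration of `tests` and the loop that consumes it, continues outside this hunk.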