authorbbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-06 00:00:54 +0000
committerbbudge@chromium.org <bbudge@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-06 00:00:54 +0000
commit65e88c793e1ecc284af0ac5423c2553edf3b3f56 (patch)
tree4c234230fe89cea1a80e9aa3bcf3d7550f9beba1 /webkit/plugins/ppapi
parent90aebb5621ecdc31f97aa81a9eba7b47a6c246c0 (diff)
Remove redundant XHR method/header validation. This is done by AssociatedURLLoader now.
BUG=none TEST=ui_tests,nacl_integration Review URL: http://codereview.chromium.org/8359009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108801 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins/ppapi')
-rw-r--r--webkit/plugins/ppapi/ppb_url_loader_impl.cc16
-rw-r--r--webkit/plugins/ppapi/ppb_url_request_info_impl.cc50
-rw-r--r--webkit/plugins/ppapi/ppb_url_request_info_impl.h5
-rw-r--r--webkit/plugins/ppapi/url_request_info_unittest.cc74
4 files changed, 18 insertions, 127 deletions
diff --git a/webkit/plugins/ppapi/ppb_url_loader_impl.cc b/webkit/plugins/ppapi/ppb_url_loader_impl.cc
index ee1a1a0..505ec7c 100644
--- a/webkit/plugins/ppapi/ppb_url_loader_impl.cc
+++ b/webkit/plugins/ppapi/ppb_url_loader_impl.cc
@@ -130,16 +130,18 @@ int32_t PPB_URLLoader_Impl::Open(PP_Resource request_id,
request_data_ = request->GetData();
WebURLLoaderOptions options;
+ options.allowCredentials = request_data_.allow_credentials;
if (has_universal_access_) {
- // Universal access allows cross-origin requests and sends credentials.
options.crossOriginRequestPolicy =
WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
- options.allowCredentials = true;
- } else if (request_data_.allow_cross_origin_requests) {
- // Otherwise, allow cross-origin requests with access control.
- options.crossOriginRequestPolicy =
- WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
- options.allowCredentials = request_data_.allow_credentials;
+ } else {
+ // All other HTTP requests are untrusted.
+ options.untrustedHTTP = true;
+ if (request_data_.allow_cross_origin_requests) {
+ // Allow cross-origin requests with access control.
+ options.crossOriginRequestPolicy =
+ WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
+ }
}
is_asynchronous_load_suspended_ = false;
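Review bot: In the universal-access branch, `options.allowCredentials` now follows `request_data_.allow_credentials` (line 30 sets it before the branch) where the removed line hard-coded `true`; that is a behavioral change for trusted plugins that the commit message does not mention, and the dropped comment "sends credentials" is no longer accurate. If the change is intended, replace the removed comment with one that says so: `// Universal access allows cross-origin requests; credentials are sent only if the request asked for them.`. The new `// All other HTTP requests are untrusted.` would also read better if it named what the flag is for, since ValidateData() no longer checks methods and headers: `// Mark as untrusted so the loader validates method and headers (ValidateData no longer does).`, per the commit description. Open()'s body continues outside the hunk.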
diff --git a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
index 198a17d..d2dc9b3 100644
--- a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
+++ b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
@@ -43,33 +43,6 @@ namespace {
const int32_t kDefaultPrefetchBufferUpperThreshold = 100 * 1000 * 1000;
const int32_t kDefaultPrefetchBufferLowerThreshold = 50 * 1000 * 1000;
-bool IsValidToken(const std::string& token) {
- size_t length = token.size();
- if (length == 0)
- return false;
-
- for (size_t i = 0; i < length; i++) {
- char c = token[i];
- if (c >= 127 || c <= 32)
- return false;
- if (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
- c == ',' || c == ';' || c == ':' || c == '\\' || c == '\"' ||
- c == '/' || c == '[' || c == ']' || c == '?' || c == '=' ||
- c == '{' || c == '}')
- return false;
- }
- return true;
-}
-
-bool AreValidHeaders(const std::string& headers) {
- net::HttpUtil::HeadersIterator it(headers.begin(), headers.end(), "\n");
- while (it.GetNext()) {
- if (!net::HttpUtil::IsSafeHeader(it.name()))
- return false;
- }
- return true;
-}
-
} // namespace
@@ -132,13 +105,11 @@ bool PPB_URLRequestInfo_Impl::ToWebURLRequest(WebFrame* frame,
dest->setHTTPBody(http_body);
}
- if (data().has_custom_referrer_url) {
- if (!data().custom_referrer_url.empty())
- frame->setReferrerForRequest(*dest, GURL(data().custom_referrer_url));
- } else if (!data().allow_cross_origin_requests) {
- // Use default, except for cross-origin requests, since 'referer' is not
- // whitelisted and will cause the request to fail.
- frame->setReferrerForRequest(*dest, WebURL());
+ // Add the "Referer" header if there is a custom referrer. Such requests
+ // require universal access. For all other requests, "Referer" will be set
+ // after header security checks are done in AssociatedURLLoader.
+ if (data().has_custom_referrer_url && !data().custom_referrer_url.empty()) {
+ frame->setReferrerForRequest(*dest, GURL(data().custom_referrer_url));
}
if (data().has_custom_content_transfer_encoding) {
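Review bot: The new comment states that a custom referrer "require[s] universal access", but nothing in this hunk checks it, so a reader could take the `has_custom_referrer_url` branch as self-guarding. The enforcement presumably lives in RequiresUniversalAccess() (its closing brace is visible at the start of the next hunk, body outside this view); pointing at it keeps the precondition traceable: `// Such requests require universal access (enforced by RequiresUniversalAccess()).`. ToWebURLRequest's body starts and ends outside the hunk.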
@@ -160,17 +131,6 @@ bool PPB_URLRequestInfo_Impl::RequiresUniversalAccess() const {
}
bool PPB_URLRequestInfo_Impl::ValidateData() {
- // Method should either be empty or a valid one.
- if (!data().method.empty()) {
- std::string canonicalized = ValidateMethod(data().method);
- if (canonicalized.empty())
- return false;
- data().method = canonicalized;
- }
-
- if (!AreValidHeaders(data().headers))
- return false;
-
// Get the Resource objects for any file refs with only host resource (this
// is the state of the request as it comes off IPC).
for (size_t i = 0; i < data().body.size(); ++i) {
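Review bot: With the canonicalization block removed, `data().method` is forwarded exactly as the plugin supplied it — no upper-casing, no rejection here of CONNECT/TRACE or of strings containing CR/LF — and nothing left in ValidateData() tells the reader that this is deliberate; only the header comment in the next file says so. Add one line above the remaining loop: `// Method and headers are not checked here; AssociatedURLLoader validates them when the request is opened.`. ValidateData's body continues past the hunk.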
diff --git a/webkit/plugins/ppapi/ppb_url_request_info_impl.h b/webkit/plugins/ppapi/ppb_url_request_info_impl.h
index a534002..65937c9 100644
--- a/webkit/plugins/ppapi/ppb_url_request_info_impl.h
+++ b/webkit/plugins/ppapi/ppb_url_request_info_impl.h
@@ -37,8 +37,9 @@ class PPB_URLRequestInfo_Impl : public ::ppapi::URLRequestInfoImpl {
private:
friend class URLRequestInfoTest;
- // Checks that the request data is valid and does some canonicalization of
- // it. Returns false on failure
+ // Checks that the request data is valid. Returns false on failure. Note that
+ // method and header validation is done by the URL loader when the request is
+ // opened, and any access errors are returned asynchronously.
bool ValidateData();
// Appends the file ref given the Resource pointer associated with it to the
diff --git a/webkit/plugins/ppapi/url_request_info_unittest.cc b/webkit/plugins/ppapi/url_request_info_unittest.cc
index 70c9613..664dd53 100644
--- a/webkit/plugins/ppapi/url_request_info_unittest.cc
+++ b/webkit/plugins/ppapi/url_request_info_unittest.cc
@@ -131,8 +131,6 @@ TEST_F(URLRequestInfoTest, GetInterface) {
EXPECT_TRUE(request_info->SetProperty);
EXPECT_TRUE(request_info->AppendDataToBody);
EXPECT_TRUE(request_info->AppendFileToBody);
- EXPECT_TRUE(request_info->Create);
- EXPECT_TRUE(request_info->Create);
}
TEST_F(URLRequestInfoTest, AsURLRequestInfo) {
@@ -236,35 +234,9 @@ TEST_F(URLRequestInfoTest, SetMethod) {
EXPECT_TRUE(SetStringProperty(
PP_URLREQUESTPROPERTY_METHOD, "POST"));
EXPECT_TRUE(IsExpected(GetMethod(), "POST"));
-
- // Test that method names are converted to upper case.
- EXPECT_TRUE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "get"));
- EXPECT_TRUE(IsExpected(GetMethod(), "GET"));
- EXPECT_TRUE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "post"));
- EXPECT_TRUE(IsExpected(GetMethod(), "POST"));
}
-TEST_F(URLRequestInfoTest, SetInvalidMethod) {
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "CONNECT"));
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "connect"));
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "TRACE"));
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "trace"));
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "TRACK"));
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "track"));
-
- EXPECT_FALSE(SetStringProperty(
- PP_URLREQUESTPROPERTY_METHOD, "POST\x0d\x0ax-csrf-token:\x20test1234"));
-}
-
-TEST_F(URLRequestInfoTest, SetValidHeaders) {
+TEST_F(URLRequestInfoTest, SetHeaders) {
// Test default header field.
EXPECT_TRUE(IsExpected(
GetHeaderValue("foo"), ""));
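Review bot: The deleted SetInvalidMethod test covered CONNECT/TRACE/TRACK in both cases and the CRLF-injected method `POST\x0d\x0ax-csrf-token:\x20test1234`, and the SetInvalidHeaders test removed in the next hunk covered the forbidden-header list; no replacement appears in the files shown here (the diffstat is limited to webkit/plugins/ppapi). Since the checks moved to AssociatedURLLoader, the same rejection cases should be asserted at that layer, or the description should name the test that does, otherwise a header-injection regression is only caught by the ui_tests/nacl_integration suites. The rename to SetHeaders is fine; a one-line comment at the top of the test, `// Invalid methods/headers are rejected by AssociatedURLLoader, not here.`, would stop the next reader from re-adding the checks in this class.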
@@ -282,50 +254,6 @@ TEST_F(URLRequestInfoTest, SetValidHeaders) {
GetHeaderValue("bar"), "baz"));
}
-TEST_F(URLRequestInfoTest, SetInvalidHeaders) {
- const char* const kForbiddenHeaderFields[] = {
- "accept-charset",
- "accept-encoding",
- "connection",
- "content-length",
- "cookie",
- "cookie2",
- "content-transfer-encoding",
- "date",
- "expect",
- "host",
- "keep-alive",
- "origin",
- "referer",
- "te",
- "trailer",
- "transfer-encoding",
- "upgrade",
- "user-agent",
- "via",
-
- "proxy-foo", // Test for any header starting with proxy- or sec-.
- "sec-foo",
- };
-
- // Test that no forbidden header fields can be set.
- for (size_t i = 0; i < arraysize(kForbiddenHeaderFields); ++i) {
- std::string headers(kForbiddenHeaderFields[i]);
- headers.append(": foo");
- SetStringProperty(
- PP_URLREQUESTPROPERTY_HEADERS, headers.c_str());
- EXPECT_TRUE(IsNullOrEmpty(GetHeaderValue(kForbiddenHeaderFields[i])));
- }
-
- // Test that forbidden header can't be set in various ways.
- SetStringProperty(PP_URLREQUESTPROPERTY_HEADERS, "cookie : foo");
- EXPECT_TRUE(IsNullOrEmpty(GetHeaderValue("cookie")));
-
- // Test that forbidden header can't be set with an allowed one.
- SetStringProperty(PP_URLREQUESTPROPERTY_HEADERS, "foo: bar\ncookie: foo");
- EXPECT_TRUE(IsNullOrEmpty(GetHeaderValue("cookie")));
-}
-
// TODO(bbudge) Unit tests for AppendDataToBody, AppendFileToBody.
} // namespace ppapi