stash-put.py (1923B)
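from wptserve.utils import isomorphic_decode


def should_be_treated_as_same_origin_request(request):
    """Tell whether the request should be treated as a same-origin request.

    Returns True when the ``mode`` query parameter is ``no-cors``, or when the
    ``frame_origin`` query parameter equals the scheme and netloc of the
    requested URL. Returns False otherwise, including when ``frame_origin``
    is missing.

    NOTE: both inputs are query parameters chosen by whoever builds the URL.
    The function reproduces the decision a browser would make for the test
    page; it does not establish where a request actually came from.
    """
    # Allow handling to proceed for 'no-cors' mode: the response is sent, but
    # the browser will make it opaque. A request without a 'mode' parameter
    # falls through to the origin comparison instead of raising KeyError.
    if request.GET.first(b'mode', None) == b'no-cors':
        return True

    # We can't rely on the Origin header field of a fetch request, as it is only
    # present for 'cors' mode or methods other than 'GET'/'HEAD' (i.e. present for
    # 'POST'). See https://fetch.spec.whatwg.org/#http-origin
    #
    # Query keys are bytes everywhere else in this handler, so the presence
    # check uses the same bytes key as the lookup below. It is an explicit
    # branch rather than an assert because asserts are stripped under
    # `python -O`; a request that does not state its frame origin is treated
    # as cross-origin (fail closed).
    if b'frame_origin' not in request.GET:
        return False
    frame_origin = request.GET.first(b'frame_origin').decode('utf-8')
    host_origin = request.url_parts.scheme + '://' + request.url_parts.netloc
    return frame_origin == host_origin


def main(request, response):
    """Store the ``value`` query parameter in the server stash under ``key``.

    OPTIONS requests are answered as a CORS preflight and store nothing.
    Without ``disallow_cross_origin`` in the query string the response is made
    readable from any origin. With it, the request is stashed only if
    should_be_treated_as_same_origin_request() accepts it.

    Returns 'done' after a preflight or a successful put, and
    'not stashing for cors request' when the request is rejected.
    """
    if request.method == u'OPTIONS':
        # CORS preflight: wildcard origin, methods and headers.
        # NOTE(review): this looks deliberate for a test resource; confirm
        # before reusing the handler anywhere that serves real data.
        response.headers.set(b'Access-Control-Allow-Origin', b'*')
        response.headers.set(b'Access-Control-Allow-Methods', b'*')
        response.headers.set(b'Access-Control-Allow-Headers', b'*')
        return 'done'

    if b'disallow_cross_origin' not in request.GET:
        response.headers.set(b'Access-Control-Allow-Origin', b'*')
    elif not should_be_treated_as_same_origin_request(request):
        # As simple requests will not trigger preflight, we have to manually block
        # cors requests before making any changes to storage.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
        # https://fetch.spec.whatwg.org/#cors-preflight-fetch
        return 'not stashing for cors request'

    # The stash path is the directory of the requested URL, with a trailing slash.
    url_dir = u'/'.join(request.url_parts.path.split(u'/')[:-1]) + u'/'
    key = request.GET.first(b'key')
    value = request.GET.first(b'value')
    # value here must be a text string. It will be json.dump()'ed in stash-take.py.
    request.server.stash.put(key, isomorphic_decode(value), url_dir)

    return 'done'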