+2010-04-07 Sebastien Pouliot <sebastien@ximian.com>
+
+ * BaseDomainPolicy.cs: Abstract-fy IsAllowed(WebRequest) and
+ remove abstract IsAllowed(Uri,string[]) since it cannot provide
+ enough information for the client access policy.
+ * ClientAccessPolicy.cs: Replace IsAllowed(Uri,string[]) with
+ IsAllowed(WebRequest) and add logic for AllowAnyMethod
+ * ClientAccessPolicyParser.cs: Read "http-methods" attribute (new
+ in SL3) and set the new AllowAnyMethod property if the value is
+ "*" (the only legal value if the attribute is present).
+ * FlashCrossDomainPolicy.cs: Add IsAllowed(WebRequest) since it's
+ not part of BaseDomainPolicy anymore.
+
2010-04-06 Sebastien Pouliot <sebastien@ximian.com>
* ClientAccessPolicyParser.cs: Don't forget "http-request-headers"
foreach (AccessPolicy policy in AccessPolicyList) {
// does something allow our URI in this policy ?
foreach (AllowFrom af in policy.AllowedServices) {
- if (af.IsAllowed (ApplicationUri, null)) {
+ if (af.IsAllowed (ApplicationUri, null, null)) {
// if so, is our request port allowed ?
if (policy.PortAllowed (endpoint.Port))
return true;
return true;
}
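Review bot: The new call `if (af.IsAllowed (ApplicationUri, null, null))` passes null as the HTTP method, but the method check added to `AllowFrom.IsAllowed` later in this file section (the `if (!AllowAnyMethod)` block) compares `method` against "GET" and "POST" with `String.Compare`, for which null is unequal to both, so every policy without `http-methods="*"` now rejects this caller. If this is the socket/port path where no HTTP method exists, the intent should be made explicit rather than relying on a null that happens to fail closed: either have the caller supply the method it is checking, or guard the check with `if (!AllowAnyMethod && method != null) {` and say in a comment on `AllowAnyMethod` that a null method means "not an HTTP request". The same null-handling gap applies to the new `IsAllowed (WebRequest request)` overload, which forwards `request.Method` and `request.Headers.AllKeys` without checking `request` for null; `if (request == null) throw new ArgumentNullException ("request");` before the forward would make the failure explicit. The loops enclosing this hunk start and end outside it.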
- public override bool IsAllowed (Uri uri, params string [] headerKeys)
+ public override bool IsAllowed (WebRequest request)
+ {
+ return IsAllowed (request.RequestUri, request.Method, request.Headers.AllKeys);
+ }
+
+ public bool IsAllowed (Uri uri, string method, params string [] headerKeys)
{
// at this stage the URI has removed the "offending" characters so we need to look at the original
if (!CheckOriginalPath (uri))
// does something allow our URI in this policy ?
foreach (AllowFrom af in policy.AllowedServices) {
// is the application (XAP) URI allowed by the policy ?
- if (af.IsAllowed (ApplicationUri, headerKeys)) {
+ if (af.IsAllowed (ApplicationUri, method, headerKeys)) {
foreach (GrantTo gt in policy.GrantedResources) {
// is the requested access to the Uri granted under this policy ?
if (gt.IsGranted (uri))
public Headers HttpRequestHeaders { get; private set; }
+ public bool AllowAnyMethod { get; set; }
+
public string Scheme { get; internal set; }
- public bool IsAllowed (Uri uri, string [] headerKeys)
+ public bool IsAllowed (Uri uri, string method, string [] headerKeys)
{
// check headers
if (!HttpRequestHeaders.IsAllowed (headerKeys))
return false;
}
}
+ // check methods
+ if (!AllowAnyMethod) {
+ // if not all methods are allowed (*) then only GET and POST request are possible
+ // further restriction exists in the Client http stack
+ if ((String.Compare (method, "GET", StringComparison.OrdinalIgnoreCase) != 0) &&
+ (String.Compare (method, "POST", StringComparison.OrdinalIgnoreCase) != 0)) {
+ return false;
+ }
+ }
+
// check domains
if (AllowAnyDomain)
return true;
return;
}
+ bool valid = true;
string headers = null;
+ string methods = null; // new in SL3
if (reader.HasAttributes) {
int n = reader.AttributeCount;
headers = reader.GetAttribute ("http-request-headers");
if (headers != null)
n--;
- if (n != 0)
- return;
+ methods = reader.GetAttribute ("http-methods");
+ if (methods != null)
+ n--;
+ valid = (n == 0);
}
- bool valid = true;
var v = new AllowFrom ();
v.HttpRequestHeaders.SetHeaders (headers);
+ v.AllowAnyMethod = (methods == "*"); // only legal value defined, otherwise restricted to GET and POST
reader.ReadStartElement ("allow-from", String.Empty);
for (reader.MoveToContent (); reader.NodeType != XmlNodeType.EndElement; reader.MoveToContent ()) {
if (reader.NodeType != XmlNodeType.Element)