LibWeb: Implement 'create a potential-CORS request' algorithm

Author: https://github.com/srikavin
Commit: https://github.com/SerenityOS/serenity/commit/f7176463b5
Pull-request: https://github.com/SerenityOS/serenity/pull/17016
Reviewed-by: https://github.com/linusg

Userland/Libraries/LibWeb/CMakeLists.txt

@@ -172,6 +172,7 @@ set(SOURCES
     HTML/CanvasPattern.cpp
     HTML/CanvasRenderingContext2D.cpp
     HTML/CloseEvent.cpp
+    HTML/CORSSettingAttribute.cpp
     HTML/CrossOrigin/AbstractOperations.cpp
     HTML/CrossOrigin/Reporting.cpp
     HTML/DOMParser.cpp
@@ -282,6 +283,7 @@ set(SOURCES
     HTML/Path2D.cpp
     HTML/Plugin.cpp
     HTML/PluginArray.cpp
+    HTML/PotentialCORSRequest.cpp
     HTML/PromiseRejectionEvent.cpp
     HTML/RemoteBrowsingContext.cpp
     HTML/Scripting/ClassicScript.cpp

Userland/Libraries/LibWeb/HTML/AttributeNames.h

@@ -52,6 +52,7 @@ namespace AttributeNames {
     __ENUMERATE_HTML_ATTRIBUTE(contenteditable)            \
     __ENUMERATE_HTML_ATTRIBUTE(controls)                   \
     __ENUMERATE_HTML_ATTRIBUTE(coords)                     \
+    __ENUMERATE_HTML_ATTRIBUTE(crossorigin)                \
     __ENUMERATE_HTML_ATTRIBUTE(data)                       \
     __ENUMERATE_HTML_ATTRIBUTE(datetime)                   \
     __ENUMERATE_HTML_ATTRIBUTE(declare)                    \

Userland/Libraries/LibWeb/HTML/CORSSettingAttribute.cpp

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2023, Srikavin Ramkumar <me@srikavin.me>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/HTML/CORSSettingAttribute.h>
+
+namespace Web::HTML {
+
+// https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes
+CORSSettingAttribute cors_setting_attribute_from_keyword(Optional<String> const& keyword)
+{
+    if (!keyword.has_value()) {
+        // its missing value default is the No CORS state
+        return CORSSettingAttribute::NoCORS;
+    }
+    if (keyword->is_empty() || keyword->bytes_as_string_view().equals_ignoring_ascii_case("anonymous"sv)) {
+        return CORSSettingAttribute::Anonymous;
+    }
+    if (keyword->bytes_as_string_view().equals_ignoring_ascii_case("use-credentials"sv)) {
+        return CORSSettingAttribute::UseCredentials;
+    }
+
+    // The attribute's invalid value default is the Anonymous state
+    return CORSSettingAttribute::Anonymous;
+}
+
+}

Userland/Libraries/LibWeb/HTML/CORSSettingAttribute.h

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2023, Srikavin Ramkumar <me@srikavin.me>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/Optional.h>
+#include <AK/String.h>
+
+namespace Web::HTML {
+
+// https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attribute
+enum class CORSSettingAttribute {
+    NoCORS,
+    Anonymous,
+    UseCredentials
+};
+
+[[nodiscard]] CORSSettingAttribute cors_setting_attribute_from_keyword(Optional<String> const& keyword);
+
+}

Userland/Libraries/LibWeb/HTML/PotentialCORSRequest.cpp

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2023, Srikavin Ramkumar <me@srikavin.me>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include <LibWeb/HTML/CORSSettingAttribute.h>
+#include <LibWeb/HTML/PotentialCORSRequest.h>
+
+namespace Web::HTML {
+
+// https://html.spec.whatwg.org/multipage/urls-and-fetching.html#create-a-potential-cors-request
+JS::NonnullGCPtr<Fetch::Infrastructure::Request>
+create_potential_CORS_request(JS::VM& vm, AK::URL const& url, Optional<Fetch::Infrastructure::Request::Destination> destination, CORSSettingAttribute cors_attribute_state, SameOriginFallbackFlag same_origin_fallback_flag)
+{
+    // 1. Let mode be "no-cors" if corsAttributeState is No CORS, and "cors" otherwise.
+    auto mode = cors_attribute_state == CORSSettingAttribute::NoCORS
+        ? Fetch::Infrastructure::Request::Mode::NoCORS
+        : Fetch::Infrastructure::Request::Mode::CORS;
+
+    // 2. If same-origin fallback flag is set and mode is "no-cors", set mode to "same-origin".
+    if (same_origin_fallback_flag == SameOriginFallbackFlag::Yes && mode == Fetch::Infrastructure::Request::Mode::NoCORS)
+        mode = Fetch::Infrastructure::Request::Mode::SameOrigin;
+
+    // 3. Let credentialsMode be "include".
+    auto credentials_mode = Fetch::Infrastructure::Request::CredentialsMode::Include;
+
+    // 4. If corsAttributeState is Anonymous, set credentialsMode to "same-origin".
+    if (cors_attribute_state == CORSSettingAttribute::Anonymous)
+        credentials_mode = Fetch::Infrastructure::Request::CredentialsMode::SameOrigin;
+
+    // 5. Let request be a new request whose URL is url, destination is destination, mode is mode, credentials mode is credentialsMode,
+    // and whose use-URL-credentials flag is set.
+    auto request = Fetch::Infrastructure::Request::create(vm);
+    request->set_url(url);
+    request->set_destination(destination);
+    request->set_mode(mode);
+    request->set_credentials_mode(credentials_mode);
+    request->set_use_url_credentials(true);
+
+    return request;
+}
+
+}

Userland/Libraries/LibWeb/HTML/PotentialCORSRequest.h

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2023, Srikavin Ramkumar <me@srikavin.me>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/URL.h>
+#include <LibJS/Heap/GCPtr.h>
+#include <LibWeb/Fetch/Infrastructure/HTTP/Requests.h>
+#include <LibWeb/HTML/CORSSettingAttribute.h>
+
+namespace Web::HTML {
+
+enum class SameOriginFallbackFlag {
+    No,
+    Yes,
+};
+
+[[nodiscard]] JS::NonnullGCPtr<Fetch::Infrastructure::Request> create_potential_CORS_request(JS::VM&, const AK::URL&, Optional<Fetch::Infrastructure::Request::Destination>, CORSSettingAttribute, SameOriginFallbackFlag = SameOriginFallbackFlag::No);
+
+}