This patch modifies the Android KitKat release (version 4.4) so that the Cross-Origin Resource Sharing (CORS) web browsing functionality can be disabled at runtime to avoid the associated severe security and privacy risks. The web browsers to be used also need to be modified by applying additional patches, so that they are able to control the new CORS settings (patches are included here to tackle the default Android browser and other two selected ones). external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java | 84 ++++++++++ external/chromium_org/android_webview/native/aw_settings.cc | 9 + external/chromium_org/content/public/common/common_param_traits_macros.h | 3 external/chromium_org/content/renderer/web_preferences.cc | 4 external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp | 21 ++ external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in | 3 external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp | 13 + external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp | 16 + external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp | 15 + external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h | 3 external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp | 62 +++++++ external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h | 34 ++++ external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk | 1 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk | 1 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk | 1 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk | 1 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk | 1 external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk | 1 external/chromium_org/third_party/WebKit/public/web/WebSettings.h | 3 external/chromium_org/webkit/common/webpreferences.cc | 3 external/chromium_org/webkit/common/webpreferences.h | 3 frameworks/base/core/java/android/webkit/WebSettings.java | 51 ++++++ 22 files changed, 332 insertions(+), 1 deletion(-) diff -pruN a/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java b/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java --- a/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java 2017-12-06 14:44:28.758823578 +0100 +++ b/external/chromium_org/android_webview/java/src/org/chromium/android_webview/AwSettings.java 2017-12-09 17:55:55.772716933 +0100 @@ -71,6 +71,9 @@ public class AwSettings { private boolean mJavaScriptEnabled = false; private boolean mAllowUniversalAccessFromFileURLs = false; private boolean mAllowFileAccessFromFileURLs = false; + private boolean mDisableCORS = false; + private boolean mEnableCORSSameDomain = true; + private boolean mDisableCORSRedirection = false; private boolean mJavaScriptCanOpenWindowsAutomatically = false; private boolean mSupportMultipleWindows = false; private PluginState mPluginState = PluginState.OFF; @@ -892,6 +895,42 @@ public class AwSettings { } /** + * See {@link android.webkit.WebSettings#setDisableCORS}. + */ + public void setDisableCORS(boolean flag) { + synchronized (mAwSettingsLock) { + if (mDisableCORS != flag) { + mDisableCORS = flag; + mEventHandler.updateWebkitPreferencesLocked(); + } + } + } + + /** + * See {@link android.webkit.WebSettings#setEnableCORSSameDomain}. + */ + public void setEnableCORSSameDomain(boolean flag) { + synchronized (mAwSettingsLock) { + if (mEnableCORSSameDomain != flag) { + mEnableCORSSameDomain = flag; + mEventHandler.updateWebkitPreferencesLocked(); + } + } + } + + /** + * See {@link android.webkit.WebSettings#setDisableCORSRedirection}. + */ + public void setDisableCORSRedirection(boolean flag) { + synchronized (mAwSettingsLock) { + if (mDisableCORSRedirection != flag) { + mDisableCORSRedirection = flag; + mEventHandler.updateWebkitPreferencesLocked(); + } + } + } + + /** * See {@link android.webkit.WebSettings#setLoadsImagesAutomatically}. */ public void setLoadsImagesAutomatically(boolean flag) { @@ -991,6 +1030,51 @@ public class AwSettings { } /** + * See {@link android.webkit.WebSettings#getDisableCORS}. + */ + public boolean getDisableCORS() { + synchronized (mAwSettingsLock) { + return mDisableCORS; + } + } + + @CalledByNative + private boolean getDisableCORSLocked() { + assert Thread.holdsLock(mAwSettingsLock); + return mDisableCORS; + } + + /** + * See {@link android.webkit.WebSettings#getEnableCORSSameDomain}. + */ + public boolean getEnableCORSSameDomain() { + synchronized (mAwSettingsLock) { + return mEnableCORSSameDomain; + } + } + + @CalledByNative + private boolean getEnableCORSSameDomainLocked() { + assert Thread.holdsLock(mAwSettingsLock); + return mEnableCORSSameDomain; + } + + /** + * See {@link android.webkit.WebSettings#getDisableCORSRedirection}. + */ + public boolean getDisableCORSRedirection() { + synchronized (mAwSettingsLock) { + return mDisableCORSRedirection; + } + } + + @CalledByNative + private boolean getDisableCORSRedirectionLocked() { + assert Thread.holdsLock(mAwSettingsLock); + return mDisableCORSRedirection; + } + + /** * See {@link android.webkit.WebSettings#setPluginsEnabled}. */ public void setPluginsEnabled(boolean flag) { diff -pruN a/external/chromium_org/android_webview/native/aw_settings.cc b/external/chromium_org/android_webview/native/aw_settings.cc --- a/external/chromium_org/android_webview/native/aw_settings.cc 2017-11-24 05:28:28.242415892 +0100 +++ b/external/chromium_org/android_webview/native/aw_settings.cc 2017-12-09 17:57:13.161716617 +0100 @@ -274,6 +274,15 @@ void AwSettings::PopulateWebPreferencesL web_prefs->allow_file_access_from_file_urls = Java_AwSettings_getAllowFileAccessFromFileURLsLocked(env, obj); + web_prefs->disable_cors = + Java_AwSettings_getDisableCORSLocked(env, obj); + + web_prefs->enable_cors_same_domain = + Java_AwSettings_getEnableCORSSameDomainLocked(env, obj); + + web_prefs->disable_cors_redirection = + Java_AwSettings_getDisableCORSRedirectionLocked(env, obj); + web_prefs->javascript_can_open_windows_automatically = Java_AwSettings_getJavaScriptCanOpenWindowsAutomaticallyLocked(env, obj); diff -pruN a/external/chromium_org/content/public/common/common_param_traits_macros.h b/external/chromium_org/content/public/common/common_param_traits_macros.h --- a/external/chromium_org/content/public/common/common_param_traits_macros.h 2017-11-24 05:29:42.423415589 +0100 +++ b/external/chromium_org/content/public/common/common_param_traits_macros.h 2017-12-09 00:52:02.984968088 +0100 @@ -112,6 +112,9 @@ IPC_STRUCT_TRAITS_BEGIN(WebPreferences) IPC_STRUCT_TRAITS_MEMBER(is_online) IPC_STRUCT_TRAITS_MEMBER(allow_universal_access_from_file_urls) IPC_STRUCT_TRAITS_MEMBER(allow_file_access_from_file_urls) + IPC_STRUCT_TRAITS_MEMBER(disable_cors) + IPC_STRUCT_TRAITS_MEMBER(enable_cors_same_domain) + IPC_STRUCT_TRAITS_MEMBER(disable_cors_redirection) IPC_STRUCT_TRAITS_MEMBER(webaudio_enabled) IPC_STRUCT_TRAITS_MEMBER(experimental_webgl_enabled) IPC_STRUCT_TRAITS_MEMBER(experimental_websocket_enabled) diff -pruN a/external/chromium_org/content/renderer/web_preferences.cc b/external/chromium_org/content/renderer/web_preferences.cc --- a/external/chromium_org/content/renderer/web_preferences.cc 2017-11-24 05:29:43.652415584 +0100 +++ b/external/chromium_org/content/renderer/web_preferences.cc 2017-12-07 02:16:25.619653846 +0100 @@ -177,6 +177,10 @@ void ApplyWebPreferences(const WebPrefer settings->setAllowFileAccessFromFileURLs( prefs.allow_file_access_from_file_urls); + settings->setDisableCORS(prefs.disable_cors); + settings->setEnableCORSSameDomain(prefs.enable_cors_same_domain); + settings->setDisableCORSRedirection(prefs.disable_cors_redirection); + // Enable the web audio API if requested on the command line. settings->setWebAudioEnabled(prefs.webaudio_enabled); diff -pruN a/external/chromium_org/third_party/WebKit/public/web/WebSettings.h b/external/chromium_org/third_party/WebKit/public/web/WebSettings.h --- a/external/chromium_org/third_party/WebKit/public/web/WebSettings.h 2017-12-05 15:16:14.065937762 +0100 +++ b/external/chromium_org/third_party/WebKit/public/web/WebSettings.h 2017-11-25 00:12:44.100304803 +0100 @@ -75,6 +75,9 @@ public: virtual void setAcceleratedFiltersEnabled(bool) = 0; virtual void setAllowDisplayOfInsecureContent(bool) = 0; virtual void setAllowFileAccessFromFileURLs(bool) = 0; + virtual void setDisableCORS(bool) = 0; + virtual void setEnableCORSSameDomain(bool) = 0; + virtual void setDisableCORSRedirection(bool) = 0; virtual void setAllowCustomScrollbarInMainFrame(bool) = 0; virtual void setAllowRunningOfInsecureContent(bool) = 0; virtual void setAllowScriptsToCloseWindows(bool) = 0; diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp b/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp --- a/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp 2017-12-05 15:23:04.093936085 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp 2017-12-11 23:53:34.836776064 +0100 @@ -64,6 +64,7 @@ #include "platform/weborigin/SecurityPolicy.h" #include "public/platform/Platform.h" #include "public/platform/WebURL.h" +#include "wtf/InternetDomain.h" #include "wtf/text/CString.h" #include "wtf/text/WTFString.h" @@ -442,6 +443,23 @@ bool ResourceFetcher::canRequest(Resourc return 0; } + bool disableCORS = (frame() && frame()->settings() && frame()->settings()->disableCORS()); + bool enableCORSSameDomain = (frame() && frame()->settings() && frame()->settings()->enableCORSSameDomain()); + + if (frame() && frame()->document() && disableCORS) { + if (enableCORSSameDomain) { + String requestDomain = topDomain(url.host()); + String documentDomain = topDomain(frame()->document()->url().host()); + if (!equalIgnoringCase(requestDomain, documentDomain) && type != Resource::MainResource) { + WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource Resource blocked by Cross-Origin Resource Sharing policy"); + return 0; + } + } else if (!equalIgnoringCase(url.host(), frame()->document()->url().host()) && type != Resource::MainResource) { + WTF_LOG(ResourceLoading, "ResourceFetcher::requestResource Resource blocked by Cross-Origin Resource Sharing policy"); + return 0; + } + } + // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script().shouldBypassMainWorldContentSecurityPolicy()) || (options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy); @@ -609,7 +627,8 @@ ResourcePtr ResourceFetcher::r const RevalidationPolicy policy = determineRevalidationPolicy(type, request.mutableResourceRequest(), request.forPreload(), resource.get(), request.defer()); switch (policy) { case Reload: - memoryCache()->remove(resource.get()); + if (resource) + memoryCache()->remove(resource.get()); // Fall through case Load: resource = loadResource(type, request, request.charset()); diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in b/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in --- a/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in 2017-12-05 15:15:37.453937911 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/core/frame/Settings.in 2017-11-24 23:52:35.012297032 +0100 @@ -66,6 +66,9 @@ caretBrowsingEnabled initial=false localStorageEnabled initial=false allowUniversalAccessFromFileURLs initial=true allowFileAccessFromFileURLs initial=true +disableCORS initial=false +enableCORSSameDomain initial=true +disableCORSRedirection initial=false javaScriptCanOpenWindowsAutomatically initial=false supportsMultipleWindows initial=true javaScriptCanAccessClipboard initial=false diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp --- a/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp 2017-11-24 05:31:16.307415205 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/core/loader/DocumentLoader.cpp 2017-12-12 22:01:53.209450235 +0100 @@ -61,6 +61,7 @@ #include "public/platform/Platform.h" #include "public/platform/WebMimeRegistry.h" #include "wtf/Assertions.h" +#include "wtf/InternetDomain.h" #include "wtf/text/WTFString.h" namespace WebCore { @@ -417,6 +418,18 @@ void DocumentLoader::willSendRequest(Res return; } + bool disableCORSRedirection = (frame() && frame()->settings() && frame()->settings()->disableCORSRedirection()); + if (frame() && frame()->document() && disableCORSRedirection) { + if (!redirectResponse.url().host().isEmpty()) { + String redirectDomain = topDomain(redirectResponse.url().host()); + String documentDomain = topDomain(frame()->document()->url().host()); + if (!equalIgnoringCase(redirectDomain, documentDomain)) { + cancelMainResourceLoad(ResourceError::cancelledError(newRequest.url())); + return; + } + } + } + ASSERT(timing()->fetchStart()); if (!redirectResponse.isNull()) { // If the redirecting url is not allowed to display content from the target origin, diff -pruN a/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp b/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp --- a/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp 2017-12-05 15:15:50.773937857 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/core/loader/LinkLoader.cpp 2017-12-08 16:34:43.952090078 +0100 @@ -40,6 +40,8 @@ #include "core/loader/PrerenderHandle.h" #include "core/frame/Settings.h" #include "platform/network/DNS.h" +#include "wtf/InternetDomain.h" +#include "wtf/text/WTFString.h" namespace WebCore { @@ -100,6 +102,20 @@ void LinkLoader::didSendDOMContentLoaded bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const String& type, const KURL& href, Document& document) { + bool disableCORS = (document.settings() && document.settings()->disableCORS()); + bool enableCORSSameDomain = (document.settings() && document.settings()->enableCORSSameDomain()); + + if (disableCORS) { + if (enableCORSSameDomain) { + String requestDomain = topDomain(href.host()); + String documentDomain = topDomain(document.url().host()); + if (!documentDomain.isEmpty() && !equalIgnoringCase(requestDomain, documentDomain)) + return false; + } else if (!document.url().host().isEmpty() && href.host() != document.url().host()) { + return false; + } + } + if (relAttribute.isDNSPrefetch()) { Settings* settings = document.settings(); // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt diff -pruN a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp --- a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp 2017-12-05 15:14:52.178938096 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.cpp 2017-12-09 16:51:49.369732659 +0100 @@ -367,6 +367,21 @@ void WebSettingsImpl::setAllowFileAccess m_settings->setAllowFileAccessFromFileURLs(allow); } +void WebSettingsImpl::setDisableCORS(bool disabled) +{ + m_settings->setDisableCORS(disabled); +} + +void WebSettingsImpl::setEnableCORSSameDomain(bool enabled) +{ + m_settings->setEnableCORSSameDomain(enabled); +} + +void WebSettingsImpl::setDisableCORSRedirection(bool disabled) +{ + m_settings->setDisableCORSRedirection(disabled); +} + void WebSettingsImpl::setTouchDragDropEnabled(bool enabled) { m_settings->setTouchDragDropEnabled(enabled); diff -pruN a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h --- a/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h 2017-12-05 15:15:11.140938019 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/web/WebSettingsImpl.h 2017-11-24 23:56:31.641298553 +0100 @@ -68,6 +68,9 @@ public: virtual void setAcceleratedFiltersEnabled(bool); virtual void setAllowDisplayOfInsecureContent(bool); virtual void setAllowFileAccessFromFileURLs(bool); + virtual void setDisableCORS(bool); + virtual void setEnableCORSSameDomain(bool); + virtual void setDisableCORSRedirection(bool); virtual void setAllowCustomScrollbarInMainFrame(bool); virtual void setAllowRunningOfInsecureContent(bool); virtual void setAllowScriptsToCloseWindows(bool); diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp --- a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp 1970-01-01 01:00:00.000000000 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.cpp 2017-12-09 00:30:42.445973323 +0100 @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2017 Guido Trentalancia (guido@trentalancia.com) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include "config.h" +#include "InternetDomain.h" + +#include "wtf/text/StringBuilder.h" +#include "wtf/Vector.h" + +#if OS(WIN) +#include +#endif + +using namespace WTF; + +namespace WTF { + +String topDomain(const String& domain) +{ + size_t size; + Vector domainVector; + + domain.split('.', domainVector); + size = domainVector.size(); + + if (!size) + return String(""); + + if (size >= 3) { + domainVector.reverse(); + domainVector.shrink(2); + domainVector.reverse(); + size = domainVector.size(); + } + + StringBuilder stringBuilder; + for (size_t i = 0; i < size; ++i) { + stringBuilder.append(domainVector[i]); + if (i < size - 1) + stringBuilder.append('.'); + } + + return stringBuilder.toString(); +} + +} // namespace WTF diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h --- a/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h 1970-01-01 01:00:00.000000000 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/InternetDomain.h 2017-12-09 00:31:03.684973236 +0100 @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2017 Guido Trentalancia (guido@trentalancia.com) + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#ifndef InternetDomain_h +#define InternetDomain_h + +#include +#include +#include "wtf/text/WTFString.h" +#include "wtf/WTFExport.h" + +namespace WTF { + +WTF_EXPORT String topDomain(const String& domain); + +} // namespace WTF + +#endif // InternetDomain_h diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk 2017-12-05 15:43:27.057931085 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-arm.mk 2017-12-05 15:45:59.676930461 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk 2017-12-05 15:43:49.163930995 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-mips.mk 2017-12-05 15:46:14.698930400 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk 2017-12-05 15:43:54.973930971 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.darwin-x86.mk 2017-12-05 15:46:26.012930354 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk 2017-12-05 15:43:34.995931053 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-arm.mk 2017-12-05 15:45:17.331930635 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk 2017-12-05 15:43:41.554931026 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-mips.mk 2017-12-05 15:45:40.593930539 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk --- a/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk 2017-12-05 15:43:17.384931125 +0100 +++ b/external/chromium_org/third_party/WebKit/Source/wtf/wtf.target.linux-x86.mk 2017-12-05 15:44:51.975930738 +0100 @@ -68,6 +68,7 @@ LOCAL_SRC_FILES := \ third_party/WebKit/Source/wtf/GregorianDateTime.cpp \ third_party/WebKit/Source/wtf/HashTable.cpp \ third_party/WebKit/Source/wtf/InstanceCounter.cpp \ + third_party/WebKit/Source/wtf/InternetDomain.cpp \ third_party/WebKit/Source/wtf/MainThread.cpp \ third_party/WebKit/Source/wtf/NullPtr.cpp \ third_party/WebKit/Source/wtf/NumberOfCores.cpp \ diff -pruN a/external/chromium_org/webkit/common/webpreferences.cc b/external/chromium_org/webkit/common/webpreferences.cc --- a/external/chromium_org/webkit/common/webpreferences.cc 2017-11-24 05:30:46.791415326 +0100 +++ b/external/chromium_org/webkit/common/webpreferences.cc 2017-12-07 02:45:00.745646834 +0100 @@ -45,6 +45,9 @@ WebPreferences::WebPreferences() is_online(true), allow_universal_access_from_file_urls(false), allow_file_access_from_file_urls(false), + disable_cors(false), + enable_cors_same_domain(true), + disable_cors_redirection(false), webaudio_enabled(false), experimental_webgl_enabled(false), flash_3d_enabled(true), diff -pruN a/external/chromium_org/webkit/common/webpreferences.h b/external/chromium_org/webkit/common/webpreferences.h --- a/external/chromium_org/webkit/common/webpreferences.h 2017-11-24 05:30:46.791415326 +0100 +++ b/external/chromium_org/webkit/common/webpreferences.h 2017-12-07 02:45:42.095646665 +0100 @@ -93,6 +93,9 @@ struct WEBKIT_COMMON_EXPORT WebPreferenc bool is_online; bool allow_universal_access_from_file_urls; bool allow_file_access_from_file_urls; + bool disable_cors; + bool enable_cors_same_domain; + bool disable_cors_redirection; bool webaudio_enabled; bool experimental_webgl_enabled; bool flash_3d_enabled; diff -pru a/frameworks/base/core/java/android/webkit/WebSettings.java b/frameworks/base/core/java/android/webkit/WebSettings.java --- a/frameworks/base/core/java/android/webkit/WebSettings.java 2017-11-24 05:55:02.811409373 +0100 +++ b/frameworks/base/core/java/android/webkit/WebSettings.java 2017-12-09 00:43:24.155970209 +0100 @@ -1018,6 +1018,27 @@ public abstract class WebSettings { public abstract void setAllowFileAccessFromFileURLs(boolean flag); /** + * Sets whether CORS is disabled. The default is false. + */ + public synchronized void setDisableCORS(boolean flag) { + throw new MustOverrideException(); + } + + /** + * Sets whether CORS within the same domain is enabled. The default is true. + */ + public synchronized void setEnableCORSSameDomain(boolean flag) { + throw new MustOverrideException(); + } + + /** + * Sets whether CORS Redirection is disabled. The default is false. + */ + public synchronized void setDisableCORSRedirection(boolean flag) { + throw new MustOverrideException(); + } + + /** * Sets whether the WebView should enable plugins. The default is false. * * @param flag true if plugins should be enabled @@ -1245,6 +1266,36 @@ public abstract class WebSettings { public abstract boolean getAllowFileAccessFromFileURLs(); /** + * Gets whether CORS is disabled + * + * @return whether CORS is disabled + * @see #setDisableCORS + */ + public synchronized boolean getDisableCORS() { + throw new MustOverrideException(); + } + + /** + * Gets whether CORS within the same domain is enabled + * + * @return whether CORS within the same domain is enabled + * @see #setEnableCORSSameDomain + */ + public synchronized boolean getEnableCORSSameDomain() { + throw new MustOverrideException(); + } + + /** + * Gets whether CORS Redirection is disabled + * + * @return whether CORS Redirection is disabled + * @see #setDisableCORSRedirection + */ + public synchronized boolean getDisableCORSRedirection() { + throw new MustOverrideException(); + } + + /** * Gets whether plugins are enabled. * * @return true if plugins are enabled