From 19de6bb1cc74bfda42f9b93c0a2c8f76b57a4ce9 Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Sun, 12 Sep 2021 02:10:43 +0200
Subject: [PATCH] LibWeb+Browser: Add Debug menu action for toggling
 Same-Origin Policy

Sometimes it's useful to turn off the SOP for testing purposes.
Let's make that easy by having a Debug menu item for it. :^)
---
 Userland/Applications/Browser/BrowserWindow.cpp          | 9 +++++++++
 .../Libraries/LibWeb/HTML/BrowsingContextContainer.cpp   | 5 +++++
 Userland/Libraries/LibWeb/Page/Page.h                    | 5 +++++
 Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp         | 7 ++++++-
 Userland/Services/WebContent/ClientConnection.cpp        | 4 ++++
 5 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/Userland/Applications/Browser/BrowserWindow.cpp b/Userland/Applications/Browser/BrowserWindow.cpp
index 8725279a5b..902da1d4b1 100644
--- a/Userland/Applications/Browser/BrowserWindow.cpp
+++ b/Userland/Applications/Browser/BrowserWindow.cpp
@@ -377,6 +377,15 @@ void BrowserWindow::build_menus()
     spoof_user_agent_menu.add_action(custom_user_agent);
     m_user_agent_spoof_actions.add_action(custom_user_agent);
 
+    debug_menu.add_separator();
+    auto same_origin_policy_action = GUI::Action::create_checkable(
+        "Enable Same &Origin Policy", [this](auto& action) {
+            active_tab().m_web_content_view->debug_request("same-origin-policy", action.is_checked() ? "on" : "off");
+        },
+        this);
+    same_origin_policy_action->set_checked(true);
+    debug_menu.add_action(same_origin_policy_action);
+
     auto& help_menu = add_menu("&Help");
     help_menu.add_action(WindowActions::the().about_action());
 }
diff --git a/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp b/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp
index f4fb6f1d01..5d7b826f07 100644
--- a/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp
+++ b/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp
@@ -9,6 +9,7 @@
 #include <LibWeb/HTML/BrowsingContextContainer.h>
 #include <LibWeb/Origin.h>
 #include <LibWeb/Page/BrowsingContext.h>
+#include <LibWeb/Page/Page.h>
 
 namespace Web::HTML {
 
@@ -43,6 +44,10 @@ Origin BrowsingContextContainer::content_origin() const
 
 bool BrowsingContextContainer::may_access_from_origin(const Origin& origin) const
 {
+    if (auto* page = document().page()) {
+        if (!page->is_same_origin_policy_enabled())
+            return true;
+    }
     return origin.is_same(content_origin());
 }
 
diff --git a/Userland/Libraries/LibWeb/Page/Page.h b/Userland/Libraries/LibWeb/Page/Page.h
index 120294b0d9..217b7bffd2 100644
--- a/Userland/Libraries/LibWeb/Page/Page.h
+++ b/Userland/Libraries/LibWeb/Page/Page.h
@@ -56,11 +56,16 @@ public:
     Gfx::Palette palette() const;
     Gfx::IntRect screen_rect() const;
 
+    bool is_same_origin_policy_enabled() const { return m_same_origin_policy_enabled; }
+    void set_same_origin_policy_enabled(bool b) { m_same_origin_policy_enabled = b; }
+
 private:
     PageClient& m_client;
 
     RefPtr<BrowsingContext> m_top_level_browsing_context;
     WeakPtr<BrowsingContext> m_focused_context;
+
+    bool m_same_origin_policy_enabled { true };
 };
 
 class PageClient {
diff --git a/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp b/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
index 36fbec1182..ede8e8b4e6 100644
--- a/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
+++ b/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
@@ -18,6 +18,7 @@
 #include <LibWeb/HTML/EventNames.h>
 #include <LibWeb/Loader/ResourceLoader.h>
 #include <LibWeb/Origin.h>
+#include <LibWeb/Page/Page.h>
 #include <LibWeb/XHR/EventNames.h>
 #include <LibWeb/XHR/ProgressEvent.h>
 #include <LibWeb/XHR/XMLHttpRequest.h>
@@ -172,7 +173,11 @@ DOM::ExceptionOr<void> XMLHttpRequest::send()
     // TODO: Add support for preflight requests to support CORS requests
     Origin request_url_origin = Origin(request_url.protocol(), request_url.host(), request_url.port());
 
-    if (!m_window->associated_document().origin().is_same(request_url_origin)) {
+    bool should_enforce_same_origin_policy = true;
+    if (auto* page = m_window->page())
+        should_enforce_same_origin_policy = page->is_same_origin_policy_enabled();
+
+    if (should_enforce_same_origin_policy && !m_window->associated_document().origin().is_same(request_url_origin)) {
         dbgln("XHR failed to load: Same-Origin Policy violation: {} may not load {}", m_window->associated_document().url(), request_url);
         auto weak_this = make_weak_ptr();
         if (!weak_this)
diff --git a/Userland/Services/WebContent/ClientConnection.cpp b/Userland/Services/WebContent/ClientConnection.cpp
index 6c3b708d86..e3c48c5d01 100644
--- a/Userland/Services/WebContent/ClientConnection.cpp
+++ b/Userland/Services/WebContent/ClientConnection.cpp
@@ -207,6 +207,10 @@ void ClientConnection::debug_request(const String& request, const String& argume
     if (request == "spoof-user-agent") {
         Web::ResourceLoader::the().set_user_agent(argument);
     }
+
+    if (request == "same-origin-policy") {
+        m_page_host->page().set_same_origin_policy_enabled(argument == "on");
+    }
 }
 
 void ClientConnection::get_source()