LibWeb+Browser: Add Debug menu action for toggling Same-Origin Policy

Sometimes it's useful to turn off the SOP for testing purposes. Let's make that easy by having a Debug menu item for it. :^)
2025-07-26 20:27:34 +00:00 · 2021-09-12 02:10:43 +02:00 · 2021-09-12 02:10:43 +02:00 · 19de6bb1cc
commit 19de6bb1cc
parent c181494b19
5 changed files with 29 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp
+++ b/Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp
@ -9,6 +9,7 @@
 #include <LibWeb/HTML/BrowsingContextContainer.h>
 #include <LibWeb/Origin.h>
 #include <LibWeb/Page/BrowsingContext.h>
+#include <LibWeb/Page/Page.h>

 namespace Web::HTML {

@ -43,6 +44,10 @@ Origin BrowsingContextContainer::content_origin() const

 bool BrowsingContextContainer::may_access_from_origin(const Origin& origin) const
 {
+    if (auto* page = document().page()) {
+        if (!page->is_same_origin_policy_enabled())
+            return true;
+    }
    return origin.is_same(content_origin());
 }

--- a/Userland/Libraries/LibWeb/Page/Page.h
+++ b/Userland/Libraries/LibWeb/Page/Page.h
@ -56,11 +56,16 @@ public:
    Gfx::Palette palette() const;
    Gfx::IntRect screen_rect() const;

+    bool is_same_origin_policy_enabled() const { return m_same_origin_policy_enabled; }
+    void set_same_origin_policy_enabled(bool b) { m_same_origin_policy_enabled = b; }
+
 private:
    PageClient& m_client;

    RefPtr<BrowsingContext> m_top_level_browsing_context;
    WeakPtr<BrowsingContext> m_focused_context;
+
+    bool m_same_origin_policy_enabled { true };
 };

 class PageClient {
--- a/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
+++ b/Userland/Libraries/LibWeb/XHR/XMLHttpRequest.cpp
@ -18,6 +18,7 @@
 #include <LibWeb/HTML/EventNames.h>
 #include <LibWeb/Loader/ResourceLoader.h>
 #include <LibWeb/Origin.h>
+#include <LibWeb/Page/Page.h>
 #include <LibWeb/XHR/EventNames.h>
 #include <LibWeb/XHR/ProgressEvent.h>
 #include <LibWeb/XHR/XMLHttpRequest.h>
@ -172,7 +173,11 @@ DOM::ExceptionOr<void> XMLHttpRequest::send()
    // TODO: Add support for preflight requests to support CORS requests
    Origin request_url_origin = Origin(request_url.protocol(), request_url.host(), request_url.port());

-    if (!m_window->associated_document().origin().is_same(request_url_origin)) {
+    bool should_enforce_same_origin_policy = true;
+    if (auto* page = m_window->page())
+        should_enforce_same_origin_policy = page->is_same_origin_policy_enabled();
+
+    if (should_enforce_same_origin_policy && !m_window->associated_document().origin().is_same(request_url_origin)) {
        dbgln("XHR failed to load: Same-Origin Policy violation: {} may not load {}", m_window->associated_document().url(), request_url);
        auto weak_this = make_weak_ptr();
        if (!weak_this)