void WebAssociatedURLLoaderImpl::ClientAdapter::didReceiveResponse(
unsigned long,
const ResourceResponse& response,
std::unique_ptr<WebDataConsumerHandle> handle) {
ALLOW_UNUSED_LOCAL(handle);
DCHECK(!handle);
if (!m_client)
return;
if (m_options.exposeAllResponseHeaders ||
m_options.crossOriginRequestPolicy !=
WebAssociatedURLLoaderOptions::
CrossOriginRequestPolicyUseAccessControl) {
// Use the original ResourceResponse.
m_client->didReceiveResponse(WrappedResourceResponse(response));
return;
}
HTTPHeaderSet exposedHeaders;
extractCorsExposedHeaderNamesList(response, exposedHeaders);
HTTPHeaderSet blockedHeaders;
for (const auto& header : response.httpHeaderFields()) {
if (FetchUtils::isForbiddenResponseHeaderName(header.key) ||
(!isOnAccessControlResponseHeaderWhitelist(header.key) &&
!exposedHeaders.contains(header.key)))
blockedHeaders.add(header.key);
}
if (blockedHeaders.isEmpty()) {
// Use the original ResourceResponse.
m_client->didReceiveResponse(WrappedResourceResponse(response));
return;
}
// If there are blocked headers, copy the response so we can remove them.
WebURLResponse validatedResponse = WrappedResourceResponse(response);
for (const auto& header : blockedHeaders)
validatedResponse.clearHTTPHeaderField(header);
m_client->didReceiveResponse(validatedResponse);
}
