7 files changed, 278 insertions, 14 deletions

diff --git a/components/net/fetch/methods.rs b/components/net/fetch/methods.rs
index 5aee648dc96..7cd93076185 100644
--- a/components/net/fetch/methods.rs
+++ b/components/net/fetch/methods.rs
@@ -9,6 +9,7 @@ use http_loader::{create_http_connector, obtain_response};
 use hyper::client::response::Response as HyperResponse;
 use hyper::header::{Accept, IfMatch, IfRange, IfUnmodifiedSince, Location};
 use hyper::header::{AcceptLanguage, ContentLength, ContentLanguage, HeaderView};
+use hyper::header::{AccessControlAllowCredentials, AccessControlAllowOrigin};
 use hyper::header::{Authorization, Basic, ContentEncoding, Encoding};
 use hyper::header::{ContentType, Header, Headers, IfModifiedSince, IfNoneMatch};
 use hyper::header::{QualityItem, q, qitem, Referer as RefererHeader, UserAgent};
@@ -27,7 +28,8 @@ use std::io::Read;
 use std::rc::Rc;
 use std::str::FromStr;
 use std::thread;
-use url::{Origin, Url, UrlParser};
+use url::idna::domain_to_ascii;
+use url::{Origin, Url, UrlParser, whatwg_scheme_type_mapper};
 use util::thread::spawn_named;
 
 pub fn fetch_async(request: Request, cors_flag: bool, listener: Box<AsyncFetchListener + Send>) {
@@ -729,12 +731,12 @@ fn http_network_or_cache_fetch(request: Rc<Request>,
 
             // Substep 1
             // TODO this substep
-            let cached_response: Option<Response> = None;
+            // let cached_response: Option<Response> = None;
 
             // Substep 2
-            if cached_response.is_none() {
-                return Response::network_error();
-            }
+            // if cached_response.is_none() {
+            //     return Response::network_error();
+            // }
 
             // Substep 3
 
@@ -860,10 +862,88 @@ fn preflight_fetch(request: Rc<Request>) -> Response {
 
 /// [CORS check](https://fetch.spec.whatwg.org#concept-cors-check)
 fn cors_check(request: Rc<Request>, response: &Response) -> Result<(), ()> {
-    // TODO: Implement CORS check spec
+
+    // Step 1
+    // let headers = request.headers.borrow();
+    let origin = response.headers.get::<AccessControlAllowOrigin>().cloned();
+
+    // Step 2
+    let origin = try!(origin.ok_or(()));
+
+    // Step 3
+    if request.credentials_mode != CredentialsMode::Include &&
+        origin == AccessControlAllowOrigin::Any {
+        return Ok(());
+    }
+
+    // Step 4
+    let origin = match origin {
+        AccessControlAllowOrigin::Value(origin) => origin,
+        // if it's Any or Null at this point, I see nothing to do but return Err(())
+        _ => return Err(())
+    };
+
+    // strings are already utf-8 encoded, so I don't need to re-encode origin for this step
+    match ascii_serialise_origin(&request.origin) {
+        Ok(request_origin) => {
+            if request_origin != origin {
+                return Err(());
+            }
+        },
+        _ => return Err(())
+    }
+
+    // Step 5
+    if request.credentials_mode != CredentialsMode::Include {
+        return Ok(());
+    }
+
+    // Step 6
+    let credentials = request.headers.borrow().get::<AccessControlAllowCredentials>().cloned();
+
+    // Step 7
+    if credentials.is_some() {
+        return Ok(());
+    }
+
+    // Step 8
     Err(())
 }
 
+/// [ASCII serialisation of an origin](https://html.spec.whatwg.org/multipage/#ascii-serialisation-of-an-origin)
+fn ascii_serialise_origin(origin: &Origin) -> Result<String, ()> {
+
+    let result = match *origin {
+
+        // Step 1
+        Origin::UID(_) => "null".to_owned(),
+
+        // Step 2
+        Origin::Tuple(ref scheme, ref host, ref port) => {
+
+            // Step 3
+            // this step is handled by the format!()s later in the function
+
+            // Step 4
+            // TODO throw a SecurityError in a meaningful way
+            // let host = host.as_str();
+            let host = try!(domain_to_ascii(host.serialize().as_str()).or(Err(())));
+
+            // Step 5
+            let default_port = whatwg_scheme_type_mapper(scheme).default_port();
+
+            if Some(*port) == default_port {
+                format!("{}://{}", scheme, host)
+            } else {
+                format!("{}://{}{}", scheme, host, port)
+            }
+        }
+    };
+
+    // Step 6
+    Ok(result)
+}
+
 fn global_user_agent() -> String {
     // TODO have a better useragent string
     const USER_AGENT_STRING: &'static str = "Servo";
diff --git a/components/net/fetch/response.rs b/components/net/fetch/response.rs
index 63b28de350d..ddb65a8e5e1 100644
--- a/components/net/fetch/response.rs
+++ b/components/net/fetch/response.rs
@@ -69,8 +69,8 @@ impl ResponseMethods for Response {
 
                 let headers = old_headers.iter().filter(|header| {
                     match &*header.name().to_ascii_lowercase() {
-                        "cache-control" | "content-language" |
-                        "content-type" | "expires" | "last-modified" | "Pragma" => true,
+                        "cache-control" | "content-language" | "content-type" |
+                        "expires" | "last-modified" | "pragma" => true,
                         "set-cookie" | "set-cookie2" => false,
                         header => {
                             let result =
@@ -88,12 +88,14 @@ impl ResponseMethods for Response {
                 response.headers = Headers::new();
                 response.status = None;
                 response.body = RefCell::new(ResponseBody::Empty);
+                response.cache_state = CacheState::None;
             },
 
             ResponseType::OpaqueRedirect => {
                 response.headers = Headers::new();
                 response.status = None;
                 response.body = RefCell::new(ResponseBody::Empty);
+                response.cache_state = CacheState::None;
             }
         }
 
diff --git a/components/net_traits/response.rs b/components/net_traits/response.rs
index 25eeedb4252..c5de613a635 100644
--- a/components/net_traits/response.rs
+++ b/components/net_traits/response.rs
@@ -31,7 +31,7 @@ pub enum TerminationReason {
 
 /// The response body can still be pushed to after fetch
 /// This provides a way to store unfinished response bodies
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub enum ResponseBody {
     Empty, // XXXManishearth is this necessary, or is Done(vec![]) enough?
     Receiving(Vec<u8>),
@@ -39,7 +39,7 @@ pub enum ResponseBody {
 }
 
 /// [Cache state](https://fetch.spec.whatwg.org/#concept-response-cache-state)
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub enum CacheState {
     None,
     Local,
diff --git a/components/servo/Cargo.lock b/components/servo/Cargo.lock
index ea50fcb800a..3a0dcd23484 100644
--- a/components/servo/Cargo.lock
+++ b/components/servo/Cargo.lock
@@ -1247,6 +1247,7 @@ dependencies = [
  "net_traits 0.0.1",
  "plugins 0.0.1",
  "time 0.1.34 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicase 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "url 0.5.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "util 0.0.1",
 ]
diff --git a/tests/unit/net/Cargo.toml b/tests/unit/net/Cargo.toml
index eb585685388..4df64f8cb8c 100644
--- a/tests/unit/net/Cargo.toml
+++ b/tests/unit/net/Cargo.toml
@@ -35,3 +35,4 @@ hyper = "0.7"
 url = {version = "0.5.4", features = ["heap_size"]}
 time = "0.1"
 flate2 = "0.2.0"
+unicase = "1.0"
diff --git a/tests/unit/net/fetch.rs b/tests/unit/net/fetch.rs
index 50c60b7bd31..a54866ce865 100644
--- a/tests/unit/net/fetch.rs
+++ b/tests/unit/net/fetch.rs
@@ -2,16 +2,21 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-use hyper::header::{Location};
+use hyper::header::{AccessControlAllowHeaders, AccessControlAllowOrigin};
+use hyper::header::{CacheControl, ContentLanguage, ContentType, Expires, LastModified};
+use hyper::header::{Headers, HttpDate, Location, SetCookie, Pragma};
 use hyper::server::{Handler, Listening, Server};
 use hyper::server::{Request as HyperRequest, Response as HyperResponse};
 use hyper::status::StatusCode;
 use hyper::uri::RequestUri;
 use net::fetch::methods::fetch;
-use net_traits::request::{Context, Referer, Request};
-use net_traits::response::{Response, ResponseBody, ResponseType};
+use net_traits::request::{Context, RedirectMode, Referer, Request, RequestMode};
+use net_traits::response::{CacheState, Response, ResponseBody, ResponseType};
+use std::cell::Cell;
 use std::rc::Rc;
-use url::Url;
+use time::{self, Duration};
+use unicase::UniCase;
+use url::{Origin, OpaqueOrigin, Url};
 
 // TODO write a struct that impls Handler for storing test values
 
@@ -76,6 +81,180 @@ fn test_fetch_response_body_matches_const_message() {
     };
 }
 
+#[test]
+fn test_fetch_response_is_basic_filtered() {
+
+    static MESSAGE: &'static [u8] = b"";
+    let handler = move |_: HyperRequest, mut response: HyperResponse| {
+
+        response.headers_mut().set(SetCookie(vec![]));
+        // this header is obsoleted, so hyper doesn't implement it, but it's still covered by the spec
+        response.headers_mut().set_raw("Set-Cookie2", vec![]);
+
+        response.send(MESSAGE).unwrap();
+    };
+    let (mut server, url) = make_server(handler);
+
+    let origin = url.origin();
+    let mut request = Request::new(url, Context::Fetch, origin, false);
+    request.referer = Referer::NoReferer;
+    let wrapped_request = Rc::new(request);
+
+    let fetch_response = fetch(wrapped_request, false);
+    let _ = server.close();
+
+    assert!(!Response::is_network_error(&fetch_response));
+    assert_eq!(fetch_response.response_type, ResponseType::Basic);
+
+    let headers = fetch_response.headers;
+    assert!(!headers.has::<SetCookie>());
+    assert!(headers.get_raw("Set-Cookie2").is_none());
+}
+
+#[test]
+fn test_fetch_response_is_cors_filtered() {
+
+    static MESSAGE: &'static [u8] = b"";
+    let handler = move |_: HyperRequest, mut response: HyperResponse| {
+
+        // this is mandatory for the Cors Check to pass
+        // TODO test using different url encodings with this value ie. punycode
+        response.headers_mut().set(AccessControlAllowOrigin::Any);
+
+        // these are the headers that should be kept after filtering
+        response.headers_mut().set(CacheControl(vec![]));
+        response.headers_mut().set(ContentLanguage(vec![]));
+        response.headers_mut().set(ContentType::html());
+        response.headers_mut().set(Expires(HttpDate(time::now() + Duration::days(1))));
+        response.headers_mut().set(LastModified(HttpDate(time::now())));
+        response.headers_mut().set(Pragma::NoCache);
+
+        // these headers should not be kept after filtering, even though they are given a pass
+        response.headers_mut().set(SetCookie(vec![]));
+        response.headers_mut().set_raw("Set-Cookie2", vec![]);
+        response.headers_mut().set(
+            AccessControlAllowHeaders(vec![
+                UniCase("set-cookie".to_owned()),
+                UniCase("set-cookie2".to_owned())
+            ])
+        );
+
+        response.send(MESSAGE).unwrap();
+    };
+    let (mut server, url) = make_server(handler);
+
+    // an origin mis-match will stop it from defaulting to a basic filtered response
+    let origin = Origin::UID(OpaqueOrigin::new());
+    let mut request = Request::new(url, Context::Fetch, origin, false);
+    request.referer = Referer::NoReferer;
+    request.mode = RequestMode::CORSMode;
+    let wrapped_request = Rc::new(request);
+
+    let fetch_response = fetch(wrapped_request, false);
+    let _ = server.close();
+
+    assert!(!Response::is_network_error(&fetch_response));
+    assert_eq!(fetch_response.response_type, ResponseType::CORS);
+
+    let headers = fetch_response.headers;
+    assert!(headers.has::<CacheControl>());
+    assert!(headers.has::<ContentLanguage>());
+    assert!(headers.has::<ContentType>());
+    assert!(headers.has::<Expires>());
+    assert!(headers.has::<LastModified>());
+    assert!(headers.has::<Pragma>());
+
+    assert!(!headers.has::<AccessControlAllowOrigin>());
+    assert!(!headers.has::<SetCookie>());
+    assert!(headers.get_raw("Set-Cookie2").is_none());
+}
+
+#[test]
+fn test_fetch_response_is_opaque_filtered() {
+
+    static MESSAGE: &'static [u8] = b"";
+    let handler = move |_: HyperRequest, response: HyperResponse| {
+        response.send(MESSAGE).unwrap();
+    };
+    let (mut server, url) = make_server(handler);
+
+    // an origin mis-match will fall through to an Opaque filtered response
+    let origin = Origin::UID(OpaqueOrigin::new());
+    let mut request = Request::new(url, Context::Fetch, origin, false);
+    request.referer = Referer::NoReferer;
+    let wrapped_request = Rc::new(request);
+
+    let fetch_response = fetch(wrapped_request, false);
+    let _ = server.close();
+
+    assert!(!Response::is_network_error(&fetch_response));
+    assert_eq!(fetch_response.response_type, ResponseType::Opaque);
+
+    assert!(fetch_response.url_list.into_inner().len() == 0);
+    assert!(fetch_response.url.is_none());
+    // this also asserts that status message is "the empty byte sequence"
+    assert!(fetch_response.status.is_none());
+    assert_eq!(fetch_response.headers, Headers::new());
+    match fetch_response.body.into_inner() {
+        ResponseBody::Empty => { },
+        _ => panic!()
+    }
+    match fetch_response.cache_state {
+        CacheState::None => { },
+        _ => panic!()
+    }
+}
+
+#[test]
+fn test_fetch_response_is_opaque_redirect_filtered() {
+
+    static MESSAGE: &'static [u8] = b"";
+    let handler = move |request: HyperRequest, mut response: HyperResponse| {
+
+        let redirects = match request.uri {
+            RequestUri::AbsolutePath(url) =>
+                url.split("/").collect::<String>().parse::<u32>().unwrap_or(0),
+            RequestUri::AbsoluteUri(url) =>
+                url.path().unwrap().last().unwrap().split("/").collect::<String>().parse::<u32>().unwrap_or(0),
+            _ => panic!()
+        };
+
+        if redirects == 1 {
+            response.send(MESSAGE).unwrap();
+        } else {
+            *response.status_mut() = StatusCode::Found;
+            let url = format!("{}", 1);
+            response.headers_mut().set(Location(url.to_owned()));
+        }
+    };
+
+    let (mut server, url) = make_server(handler);
+
+    let origin = url.origin();
+    let mut request = Request::new(url, Context::Fetch, origin, false);
+    request.referer = Referer::NoReferer;
+    request.redirect_mode = Cell::new(RedirectMode::Manual);
+    let wrapped_request = Rc::new(request);
+
+    let fetch_response = fetch(wrapped_request, false);
+    let _ = server.close();
+
+    assert!(!Response::is_network_error(&fetch_response));
+    assert_eq!(fetch_response.response_type, ResponseType::OpaqueRedirect);
+
+    // this also asserts that status message is "the empty byte sequence"
+    assert!(fetch_response.status.is_none());
+    assert_eq!(fetch_response.headers, Headers::new());
+    match fetch_response.body.into_inner() {
+        ResponseBody::Empty => { },
+        _ => panic!()
+    }
+    match fetch_response.cache_state {
+        CacheState::None => { },
+        _ => panic!()
+    }
+}
+
 fn test_fetch_redirect_count(message: &'static [u8], redirect_cap: u32) -> Response {
 
     let handler = move |request: HyperRequest, mut response: HyperResponse| {
diff --git a/tests/unit/net/lib.rs b/tests/unit/net/lib.rs
index 1e4d522b789..ee62fa2a40a 100644
--- a/tests/unit/net/lib.rs
+++ b/tests/unit/net/lib.rs
@@ -14,6 +14,7 @@ extern crate msg;
 extern crate net;
 extern crate net_traits;
 extern crate time;
+extern crate unicase;
 extern crate url;
 extern crate util;