web: Add credentialAllowList config option

ruffle-rs · Nov 9, 2023 · 94009e4 · 94009e4
1 parent fa7e7cc
commit 94009e4
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 2 deletions.
diff --git a/web/Cargo.toml b/web/Cargo.toml
@@ -68,5 +68,5 @@ features = [
     "ChannelMergerNode", "ChannelSplitterNode", "ClipboardEvent", "DataTransfer", "Element", "Event",
     "EventTarget", "GainNode", "Headers", "HtmlCanvasElement", "HtmlDocument", "HtmlElement", "HtmlFormElement",
     "HtmlInputElement", "HtmlTextAreaElement", "KeyboardEvent", "Location", "PointerEvent",
-    "Request", "RequestInit", "Response", "Storage", "WheelEvent", "Window",
+    "Request", "RequestInit", "Response", "Storage", "WheelEvent", "Window", "RequestCredentials"
 ]
diff --git a/web/packages/core/src/config.ts b/web/packages/core/src/config.ts
@@ -47,4 +47,5 @@ export const DEFAULT_CONFIG: Required<BaseLoadOptions> = {
     socketProxy: [],
     fontSources: [],
     defaultFonts: {},
+    credentialAllowList: [],
 };
diff --git a/web/packages/core/src/load-options.ts b/web/packages/core/src/load-options.ts
@@ -605,6 +605,24 @@ export interface BaseLoadOptions {
      * @default {}
      */
     defaultFonts?: DefaultFonts;
+
+    /**
+     * An array of origins that credentials may be sent to.
+     * Credentials are cookies, authorization headers, or TLS client certificates.
+     *
+     * Entries should include the protocol and host, for example `https://example.org` or `http://subdomain.example.org`.
+     *
+     * Cookies will always be sent to the same origin as the page the content was loaded on.
+     * If you configure this to send cookies to an origin but that origin does not configure CORS to allow it,
+     * then requests will start failing due to CORS.
+     * See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
+     *
+     * This directly corresponds to https://developer.mozilla.org/en-US/docs/Web/API/fetch#credentials
+     * Every request will be `same-origin` unless specified here, in which case it will be `include`.
+     *
+     * @default []
+     */
+    credentialAllowList?: Array<string>;
 }
 
 /**

diff --git a/web/src/lib.rs b/web/src/lib.rs
@@ -302,6 +302,8 @@ struct Config {
     allow_networking: NetworkingAccessMode,
 
     socket_proxy: Vec<SocketProxy>,
+
+    credential_allow_list: Vec<String>,
 }
 
 /// Metadata about the playing SWF file to be passed back to JavaScript.
@@ -609,6 +611,7 @@ impl Ruffle {
             log_subscriber.clone(),
             config.open_url_mode,
             config.socket_proxy,
+            config.credential_allow_list,
         ));
 
         match window.local_storage() {

diff --git a/web/src/navigator.rs b/web/src/navigator.rs
@@ -23,7 +23,7 @@ use wasm_bindgen::JsCast;
 use wasm_bindgen_futures::{spawn_local, JsFuture};
 use web_sys::{
     window, Blob, BlobPropertyBag, HtmlFormElement, HtmlInputElement, Request as WebRequest,
-    RequestInit, Response as WebResponse,
+    RequestCredentials, RequestInit, Response as WebResponse,
 };
 
 pub struct WebNavigatorBackend {
@@ -34,8 +34,10 @@ pub struct WebNavigatorBackend {
     base_url: Option<Url>,
     open_url_mode: OpenURLMode,
     socket_proxies: Vec<SocketProxy>,
+    credential_allow_list: Vec<String>,
 }
 
+#[allow(clippy::too_many_arguments)]
 impl WebNavigatorBackend {
     pub fn new(
         allow_script_access: bool,
@@ -45,6 +47,7 @@ impl WebNavigatorBackend {
         log_subscriber: Arc<Layered<WASMLayer, Registry>>,
         open_url_mode: OpenURLMode,
         socket_proxies: Vec<SocketProxy>,
+        credential_allow_list: Vec<String>,
     ) -> Self {
         let window = web_sys::window().expect("window()");
 
@@ -87,6 +90,7 @@ impl WebNavigatorBackend {
             log_subscriber,
             open_url_mode,
             socket_proxies,
+            credential_allow_list,
         }
     }
 }
@@ -237,10 +241,25 @@ impl NavigatorBackend for WebNavigatorBackend {
             }
         };
 
+        let credentials = if let Some(host) = url.host_str() {
+            if self
+                .credential_allow_list
+                .iter()
+                .any(|allowed| allowed == &format!("{}://{}", url.scheme(), host))
+            {
+                RequestCredentials::Include
+            } else {
+                RequestCredentials::SameOrigin
+            }
+        } else {
+            RequestCredentials::SameOrigin
+        };
+
         Box::pin(async move {
             let mut init = RequestInit::new();
 
             init.method(&request.method().to_string());
+            init.credentials(credentials);
 
             if let Some((data, mime)) = request.body() {
                 let blob = Blob::new_with_buffer_source_sequence_and_options(