npm - react-native-windows - Versions diffs - 0.72.30 → 0.72.32 - Mend

react-native-windows 0.72.30 → 0.72.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/PropertySheets/Generated/PackageVersion.g.props +3 -3
package/Shared/Networking/OriginPolicyHttpFilter.cpp +46 -38
package/Shared/Networking/OriginPolicyHttpFilter.h +17 -19
package/Shared/Networking/WinRTHttpResource.cpp +2 -4
package/package.json +1 -1

package/PropertySheets/Generated/PackageVersion.g.props CHANGED Viewed

@@ -10,11 +10,11 @@
 -->
 <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
-    <ReactNativeWindowsVersion>0.72.30</ReactNativeWindowsVersion>
+    <ReactNativeWindowsVersion>0.72.32</ReactNativeWindowsVersion>
     <ReactNativeWindowsMajor>0</ReactNativeWindowsMajor>
     <ReactNativeWindowsMinor>72</ReactNativeWindowsMinor>
-    <ReactNativeWindowsPatch>30</ReactNativeWindowsPatch>
+    <ReactNativeWindowsPatch>32</ReactNativeWindowsPatch>
     <ReactNativeWindowsCanary>false</ReactNativeWindowsCanary>
-    <ReactNativeWindowsCommitId>26ed970fceeb6617477a575238c746aadf4a6a12</ReactNativeWindowsCommitId>
+    <ReactNativeWindowsCommitId>5e396ba8c0e2b687eeb194d52c595cf217c7f280</ReactNativeWindowsCommitId>
   </PropertyGroup>
 </Project>

package/Shared/Networking/OriginPolicyHttpFilter.cpp CHANGED Viewed

@@ -16,6 +16,7 @@
 #include <regex>
 using std::set;
+using std::string;
 using std::wstring;
 using winrt::hresult_error;
@@ -37,22 +38,26 @@ namespace Microsoft::React::Networking {
 #pragma region OriginPolicyHttpFilter
-#pragma region ConstWcharComparer
+#pragma region CaseInsensitiveComparer
-bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, const wchar_t *b) const {
+bool OriginPolicyHttpFilter::CaseInsensitiveComparer::operator()(const wchar_t *a, const wchar_t *b) const {
   return _wcsicmp(a, b) < 0;
 }
-#pragma endregion ConstWcharComparer
+bool OriginPolicyHttpFilter::CaseInsensitiveComparer::operator()(const wstring &a, const wstring &b) const {
+  return _wcsicmp(a.c_str(), b.c_str()) < 0;
+}
+#pragma endregion CaseInsensitiveComparer
 // https://fetch.spec.whatwg.org/#forbidden-method
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer> OriginPolicyHttpFilter::s_forbiddenMethods =
-    {L"CONNECT", L"TRACE", L"TRACK"};
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
+    OriginPolicyHttpFilter::s_forbiddenMethods = {L"CONNECT", L"TRACE", L"TRACK"};
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_simpleCorsMethods = {L"GET", L"HEAD", L"POST"};
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_simpleCorsRequestHeaderNames = {
         L"Accept",
         L"Accept-Language",
@@ -64,11 +69,11 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
         L"Viewport-Width",
         L"Width"};
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_simpleCorsResponseHeaderNames =
         {L"Cache-Control", L"Content-Language", L"Content-Type", L"Expires", L"Last-Modified", L"Pragma"};
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_simpleCorsContentTypeValues = {
         L"application/x-www-form-urlencoded",
         L"multipart/form-data",
@@ -76,7 +81,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
 // https://fetch.spec.whatwg.org/#forbidden-header-name
 // Chromium still bans "User-Agent" due to https://crbug.com/571722
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_corsForbiddenRequestHeaderNames = {
         L"Accept-Charset",
         L"Accept-Encoding",
@@ -99,24 +104,15 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
         L"Upgrade",
         L"Via"};
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_cookieSettingResponseHeaders = {
         L"Set-Cookie",
         L"Set-Cookie2", // Deprecated by the spec, but probably still used
 };
-/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::ConstWcharComparer>
+/*static*/ set<const wchar_t *, OriginPolicyHttpFilter::CaseInsensitiveComparer>
     OriginPolicyHttpFilter::s_corsForbiddenRequestHeaderNamePrefixes = {L"Proxy-", L"Sec-"};
-/*static*/ Uri OriginPolicyHttpFilter::s_origin{nullptr};
-/*static*/ void OriginPolicyHttpFilter::SetStaticOrigin(std::string &&url) {
-  if (!url.empty())
-    s_origin = Uri{to_hstring(url)};
-  else
-    s_origin = nullptr;
-}
 /*static*/ bool OriginPolicyHttpFilter::IsSameOrigin(Uri const &u1, Uri const &u2) noexcept {
   return (u1 && u2) && u1.SchemeName() == u2.SchemeName() && u1.Host() == u2.Host() && u1.Port() == u2.Port();
 }
@@ -154,8 +150,16 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
   return s_simpleCorsMethods.find(request.Method().ToString().c_str()) != s_simpleCorsMethods.cend();
 }
-/*static*/ Uri OriginPolicyHttpFilter::GetOrigin(Uri const &uri) noexcept {
-  return Uri{uri.SchemeName() + L"://" + uri.Host() + L":" + to_hstring(uri.Port())};
+/*static*/ const hstring OriginPolicyHttpFilter::GetOrigin(Uri const &uri) noexcept {
+  auto const &scheme = uri.SchemeName();
+  auto port = uri.Port();
+  hstring result = scheme + L"://" + uri.Host();
+  if (!(port == 80 && scheme == L"http") && !(port == 443 && scheme == L"https")) {
+    result = result + L":" + to_hstring(port);
+  }
+  return result;
 }
 /*static*/ bool OriginPolicyHttpFilter::AreSafeRequestHeaders(
@@ -293,7 +297,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
 }
 /*static*/ OriginPolicyHttpFilter::AccessControlValues OriginPolicyHttpFilter::ExtractAccessControlValues(
-    winrt::Windows::Foundation::Collections::IMap<hstring, hstring> const &headers) {
+    IMap<hstring, hstring> const &headers) {
   using std::wregex;
   using std::wsregex_token_iterator;
@@ -373,10 +377,14 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
   }
 }
-OriginPolicyHttpFilter::OriginPolicyHttpFilter(IHttpFilter const &innerFilter) : m_innerFilter{innerFilter} {}
+OriginPolicyHttpFilter::OriginPolicyHttpFilter(string &&origin, IHttpFilter const &innerFilter)
+    : m_origin{nullptr}, m_innerFilter{innerFilter} {
+  if (!origin.empty())
+    m_origin = Uri{to_hstring(origin)};
+}
-OriginPolicyHttpFilter::OriginPolicyHttpFilter()
-    : OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{}) {}
+OriginPolicyHttpFilter::OriginPolicyHttpFilter(string &&origin)
+    : OriginPolicyHttpFilter(std::move(origin), winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{}) {}
 OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &request) {
   auto effectiveOriginPolicy =
@@ -386,17 +394,17 @@ OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &r
       return effectiveOriginPolicy;
     case OriginPolicy::SameOrigin:
-      if (!IsSameOrigin(s_origin, request.RequestUri()))
+      if (!IsSameOrigin(m_origin, request.RequestUri()))
         throw hresult_error{E_INVALIDARG, L"SOP (same-origin policy) is enforced"};
       break;
     case OriginPolicy::SimpleCrossOriginResourceSharing:
       // Check for disallowed mixed content
       if (GetRuntimeOptionBool("Http.BlockMixedContentSimpleCors") &&
-          s_origin.SchemeName() != request.RequestUri().SchemeName())
+          m_origin.SchemeName() != request.RequestUri().SchemeName())
         throw hresult_error{E_INVALIDARG, L"The origin and request URLs must have the same scheme"};
-      if (IsSameOrigin(s_origin, request.RequestUri()))
+      if (IsSameOrigin(m_origin, request.RequestUri()))
         // Same origin. Therefore, skip Cross-Origin handling.
         effectiveOriginPolicy = OriginPolicy::SameOrigin;
       else if (!IsSimpleCorsRequest(request))
@@ -412,7 +420,7 @@ OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &r
       // Example: On the Edge browser, an XHR request with the "Host" header set gets rejected as unsafe.
       // https://fetch.spec.whatwg.org/#forbidden-header-name
-      if (s_origin.SchemeName() != request.RequestUri().SchemeName())
+      if (m_origin.SchemeName() != request.RequestUri().SchemeName())
         throw hresult_error{E_INVALIDARG, L"The origin and request URLs must have the same scheme"};
       if (!AreSafeRequestHeaders(request.Headers()))
@@ -421,7 +429,7 @@ OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &r
       if (s_forbiddenMethods.find(request.Method().ToString().c_str()) != s_forbiddenMethods.cend())
         throw hresult_error{E_INVALIDARG, L"Request method not allowed in cross-origin resource sharing"};
-      if (IsSameOrigin(s_origin, request.RequestUri()))
+      if (IsSameOrigin(m_origin, request.RequestUri()))
         effectiveOriginPolicy = OriginPolicy::SameOrigin;
       else if (IsSimpleCorsRequest(request))
         effectiveOriginPolicy = OriginPolicy::SimpleCrossOriginResourceSharing;
@@ -458,7 +466,7 @@ void OriginPolicyHttpFilter::ValidateAllowOrigin(
   // 4.10.4 - Mismatched allow origin
   auto taintedOriginProp = props.TryLookup(L"TaintedOrigin");
   auto taintedOrigin = taintedOriginProp && winrt::unbox_value<bool>(taintedOriginProp);
-  auto origin = taintedOrigin ? nullptr : s_origin;
+  auto origin = taintedOrigin ? nullptr : m_origin;
   if (allowedOrigin.empty() || !IsSameOrigin(origin, Uri{allowedOrigin})) {
     hstring errorMessage;
     if (allowedOrigin.empty())
@@ -589,7 +597,7 @@ void OriginPolicyHttpFilter::ValidateResponse(HttpResponseMessage const &respons
       bool originAllowed = false;
       for (const auto &header : response.Headers()) {
         if (boost::iequals(header.Key(), L"Access-Control-Allow-Origin")) {
-          originAllowed |= L"*" == header.Value() || s_origin == Uri{header.Value()};
+          originAllowed |= L"*" == header.Value() || m_origin == Uri{header.Value()};
         }
       }
@@ -677,7 +685,7 @@ ResponseOperation OriginPolicyHttpFilter::SendPreflightAsync(HttpRequestMessage
   }
   preflightRequest.Headers().Insert(L"Access-Control-Request-Headers", headerNames);
-  preflightRequest.Headers().Insert(L"Origin", s_origin.AbsoluteCanonicalUri());
+  preflightRequest.Headers().Insert(L"Origin", GetOrigin(m_origin));
   preflightRequest.Headers().Insert(L"Sec-Fetch-Mode", L"CORS");
   co_return {co_await m_innerFilter.SendRequestAsync(preflightRequest)};
@@ -694,7 +702,7 @@ bool OriginPolicyHttpFilter::OnRedirecting(
   // origin=http://a.com. Since the origin matches the URL, the request is authorized at http://a.com, but it actually
   // allows http://b.com to bypass the CORS check at http://a.com since the redirected URL is from http://b.com.
   if (!IsSameOrigin(response.Headers().Location(), request.RequestUri()) &&
-      !IsSameOrigin(s_origin, request.RequestUri())) {
+      !IsSameOrigin(m_origin, request.RequestUri())) {
     // By masking the origin field in the request header, we make it impossible for the server to set a single value for
     // the access-control-allow-origin header. It means, the only way to support redirect is that server allows access
     // from all sites through wildcard.
@@ -726,7 +734,7 @@ ResponseOperation OriginPolicyHttpFilter::SendRequestAsync(HttpRequestMessage co
   // Allow only HTTP or HTTPS schemes
   if (GetRuntimeOptionBool("Http.StrictScheme") && coRequest.RequestUri().SchemeName() != L"https" &&
       coRequest.RequestUri().SchemeName() != L"http")
-    throw hresult_error{E_INVALIDARG, L"Invalid URL scheme: [" + s_origin.SchemeName() + L"]"};
+    throw hresult_error{E_INVALIDARG, L"Invalid URL scheme: [" + m_origin.SchemeName() + L"]"};
   if (!GetRuntimeOptionBool("Http.OmitCredentials")) {
     coRequest.Properties().Lookup(L"RequestArgs").as<RequestArgs>()->WithCredentials = false;
@@ -763,7 +771,7 @@ ResponseOperation OriginPolicyHttpFilter::SendRequestAsync(HttpRequestMessage co
     if (originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing ||
         originPolicy == OriginPolicy::CrossOriginResourceSharing) {
-      coRequest.Headers().Insert(L"Origin", s_origin.AbsoluteCanonicalUri());
+      coRequest.Headers().Insert(L"Origin", GetOrigin(m_origin));
     }
     auto response = co_await m_innerFilter.SendRequestAsync(coRequest);

package/Shared/Networking/OriginPolicyHttpFilter.h CHANGED Viewed

@@ -22,42 +22,40 @@ class OriginPolicyHttpFilter
     : public winrt::
           implements<OriginPolicyHttpFilter, winrt::Windows::Web::Http::Filters::IHttpFilter, IRedirectEventSource> {
  public:
-  struct ConstWcharComparer {
+  struct CaseInsensitiveComparer {
     bool operator()(const wchar_t *, const wchar_t *) const;
+    bool operator()(const std::wstring &, const std::wstring &) const;
   };
  private:
-  static std::set<const wchar_t *, ConstWcharComparer> s_forbiddenMethods;
-  static std::set<const wchar_t *, ConstWcharComparer> s_simpleCorsMethods;
-  static std::set<const wchar_t *, ConstWcharComparer> s_simpleCorsRequestHeaderNames;
-  static std::set<const wchar_t *, ConstWcharComparer> s_simpleCorsResponseHeaderNames;
-  static std::set<const wchar_t *, ConstWcharComparer> s_simpleCorsContentTypeValues;
-  static std::set<const wchar_t *, ConstWcharComparer> s_corsForbiddenRequestHeaderNames;
-  static std::set<const wchar_t *, ConstWcharComparer> s_corsForbiddenRequestHeaderNamePrefixes;
-  static std::set<const wchar_t *, ConstWcharComparer> s_cookieSettingResponseHeaders;
-  // NOTE: Assumes static origin through owning client/resource/module/(React) instance's lifetime.
-  static winrt::Windows::Foundation::Uri s_origin;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_forbiddenMethods;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_simpleCorsMethods;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_simpleCorsRequestHeaderNames;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_simpleCorsResponseHeaderNames;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_simpleCorsContentTypeValues;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_corsForbiddenRequestHeaderNames;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_corsForbiddenRequestHeaderNamePrefixes;
+  static std::set<const wchar_t *, CaseInsensitiveComparer> s_cookieSettingResponseHeaders;
   struct AccessControlValues {
     winrt::hstring AllowedOrigin;
     winrt::hstring AllowedCredentials;
-    std::set<std::wstring> AllowedHeaders;
+    std::set<std::wstring, CaseInsensitiveComparer> AllowedHeaders;
     std::set<std::wstring> AllowedMethods;
-    std::set<std::wstring> ExposedHeaders;
+    std::set<std::wstring, CaseInsensitiveComparer> ExposedHeaders;
     size_t MaxAge;
   };
+  winrt::Windows::Foundation::Uri m_origin;
   winrt::Windows::Web::Http::Filters::IHttpFilter m_innerFilter;
  public:
-  static void SetStaticOrigin(std::string &&url);
   static bool IsSameOrigin(
       winrt::Windows::Foundation::Uri const &u1,
       winrt::Windows::Foundation::Uri const &u2) noexcept;
-  static winrt::Windows::Foundation::Uri GetOrigin(winrt::Windows::Foundation::Uri const &uri) noexcept;
+  static const winrt::hstring GetOrigin(winrt::Windows::Foundation::Uri const &uri) noexcept;
   static bool IsSimpleCorsRequest(winrt::Windows::Web::Http::HttpRequestMessage const &request) noexcept;
@@ -79,9 +77,9 @@ class OriginPolicyHttpFilter
       winrt::Windows::Web::Http::HttpResponseMessage const &response,
       bool removeAll);
-  OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::IHttpFilter const &innerFilter);
+  OriginPolicyHttpFilter(std::string &&origin, winrt::Windows::Web::Http::Filters::IHttpFilter const &innerFilter);
-  OriginPolicyHttpFilter();
+  OriginPolicyHttpFilter(std::string &&origin);
   OriginPolicy ValidateRequest(winrt::Windows::Web::Http::HttpRequestMessage const &request);

package/Shared/Networking/WinRTHttpResource.cpp CHANGED Viewed

@@ -641,8 +641,7 @@ void WinRTHttpResource::AddResponseHandler(shared_ptr<IResponseHandler> response
 #pragma region IHttpResource
-/*static*/ shared_ptr<IHttpResource> IHttpResource::Make(
-    winrt::Windows::Foundation::IInspectable const &inspectableProperties) noexcept {
+/*static*/ shared_ptr<IHttpResource> IHttpResource::Make(IInspectable const &inspectableProperties) noexcept {
   using namespace winrt::Microsoft::ReactNative;
   using winrt::Windows::Web::Http::HttpClient;
@@ -653,8 +652,7 @@ void WinRTHttpResource::AddResponseHandler(shared_ptr<IResponseHandler> response
     client = HttpClient{redirFilter};
   } else {
     auto globalOrigin = GetRuntimeOptionString("Http.GlobalOrigin");
-    OriginPolicyHttpFilter::SetStaticOrigin(std::move(globalOrigin));
-    auto opFilter = winrt::make<OriginPolicyHttpFilter>(redirFilter);
+    auto opFilter = winrt::make<OriginPolicyHttpFilter>(std::move(globalOrigin), redirFilter);
     redirFilter.as<RedirectHttpFilter>()->SetRedirectSource(opFilter.as<IRedirectEventSource>());
     client = HttpClient{opFilter};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "react-native-windows",
-  "version": "0.72.30",
+  "version": "0.72.32",
   "license": "MIT",
   "repository": {
     "type": "git",