1
0

http-server.h 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
  1. #ifndef HTTP_SERVER
  2. #define HTTP_SERVER
  3. #include <stdlib.h>
  4. #include <string.h>
  5. #include <stdio.h>
  6. #include <time.h>
  7. #include <locale.h>
  8. #include <stdint.h>
  9. // turn on the header debug message, prints only http header response
  10. //#define PRINT_RESPONSE_HEADER
  11. #ifdef ENABLE_CORS_SUPER_FUN_TIME
  12. /* Cross-Origin Resource Sharing was thought up by some people at Tellme
  13. * Networks around 2004. In 2007 Msft bought Tellme Networks for a little
  14. * under a billion dollars and then fired everyone five years later.
  15. * The WebApps Working Group at W3C thought, hey, this idea sounds pretty
  16. * good and added it as a "W3C Recommendation" in 2009. Slowly browsers
  17. * started incorporating the idea into their browsers and now when a page
  18. * requests a resource to a different origin (protocol, domain or port)
  19. * the request is blocked. The idea was supposedly put in place protect
  20. * users. My opinion is that it is a half measure that helps make the
  21. * Internet a much more dangerous place.
  22. * The idea is that a browser will prevent a javascript virtual machine
  23. * from doing something that might allow an adversarial program in another
  24. * javascript virtual machine to misuse credentials that were originally
  25. * intended for the primary application.
  26. * This is fine, well at least the idea of stopping the adversarial
  27. * application, but what browsers consider an adversarial program and the
  28. * sweeping implementation is ridiculous. And then there are the
  29. * exceptions, any server can turn off the protection, including any
  30. * man-in-the-middle server, the extra fun part is the user has no control
  31. * and has no way to determine if the protection is active. Yay!
  32. * It seems to me that CORS was really meant as cheap way for crap
  33. * companies to limit the number of customer complaint issues that could
  34. * crop up when they make bad decisions to load adversarial code into
  35. * customers browsers. The benefit, from the perspective of a one of these
  36. * companies: "I want to load some advertisements into your browser, but I
  37. * do not know if they are safe, they should be able to run arbitrary code
  38. * on your machine because they pay me more for this capability. I have no
  39. * way of controlling the advertiser's code so I made a deal with the major
  40. * browser manufacturers to blcok the possibility of incurring any cost to
  41. * me by preventing them from accessing resources on my servers." -- This
  42. * was all good and fine until they realized they had shot themselves in
  43. * the foot. Sometimes they wanted to run arbitrary code against any
  44. * server, but the foot was already shot. So they added an exception, the
  45. * Access-Control-Allow-Origin header. Any server that sends this header
  46. * can control the CORS policy on the remote browser.
  47. *
  48. * Use the Access-Control-Allow-Origin header so that the client browser
  49. * will ignore checking restrictions on the specified origin when
  50. * checking it's CORS policy. An asterisk represents any origin, otherwise
  51. * just specify URL eg: protocol://domain.com:{port}
  52. */
  53. #define CORS_ANY "*"
  54. // replace with whatever URL will be making requests of this server
  55. #define CORS_URL CORS_ANY
  56. #define CORS_ACCEPT_HEADER "Access-Control-Allow-Origin: " CORS_URL "\r\n"
  57. #define OPTIONAL_CORS_HEADER CORS_ACCEPT_HEADER
  58. #else
  59. #define OPTIONAL_CORS_HEADER ""
  60. #endif
  61. // The HTTP/1.1 Semantics and Content RFC has a fixed length date format
  62. #define RFC7231_DATE_LENGTH 29
  63. /* Typical header from Apache 2 with mod_php on Ubuntu:
  64. *
  65. * HTTP/1.1 200 OK
  66. * Date: Tue, 11 Aug 2020 15:29:59 GMT
  67. * Server: Apache/2.2.22 (Ubuntu)
  68. * X-Powered-By: PHP/5.3.10-1ubuntu3.26
  69. * Vary: Accept-Encoding
  70. * Content-Encoding: gzip
  71. * Content-Length: 2385
  72. * Keep-Alive: timeout=5, max=100
  73. * Connection: Keep-Alive
  74. * Content-Type: text/html
  75. */
  76. #define TYPICAL_HEADER \
  77. "HTTP/1.1 200 OK\r\n" \
  78. "Date: %s\r\n" \
  79. "Server: Ookaak\r\n" \
  80. "Content-Length: %d\r\n" \
  81. OPTIONAL_CORS_HEADER \
  82. "Content-Type: text/html\r\n" \
  83. "\r\n"
  84. /* keep track of the number of substitutions that are made in the
  85. * TYPICAL_HEADER so that later on the length of the header can be
  86. * determined
  87. * 1 (Date header %s)
  88. * + 1 (Content-Length header %d)
  89. * -------
  90. * 2 (number of substitutions)
  91. */
  92. #define TYPICAL_HEADER_FORMAT_SUBSTITUTIONS 2
  93. char * responseHeader(int docLen, int *outLen);
  94. // example use for response header
  95. char *httpEcho(char *s, int len, int *limit);
  96. uint16_t intLen(uint16_t i);
  97. #endif