Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1424)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

Issue 1196423003: Improve console log message for CORS failure (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase, Addressed #9 Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/open-in-body-onload-sync-to-invalid-redirect-response-handling-expected.txt ('k') | third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp » ('j') | third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp
diff --git a/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp b/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp
index 77f5867bb4ae7d7a6c439f0a60173162f53ddc14..1c0539cd9e60ae1b2829ddc625d279b1b3e85855 100644
--- a/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp
+++ b/third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp
@@ -268,12 +268,12 @@ bool CrossOriginAccessControl::isLegalRedirectLocation(const KURL& requestURL, S
{
// CORS restrictions imposed on Location: URL -- http://www.w3.org/TR/cors/#redirect-steps (steps 2 + 3.)
if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(requestURL.protocol())) {
- errorDescription = "The request was redirected to a URL ('" + requestURL.getString() + "') which has a disallowed scheme for cross-origin requests.";
+ errorDescription = "Redirect location '" + requestURL.getString() + "' has a disallowed scheme for cross-origin requests.";
return false;
}
if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) {
- errorDescription = "The request was redirected to a URL ('" + requestURL.getString() + "') containing userinfo, which is disallowed for cross-origin requests.";
+ errorDescription = "Redirect location '" + requestURL.getString() + "' contains userinfo, which is disallowed for cross-origin requests.";
return false;
}
@@ -294,25 +294,24 @@ bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re
String errorDescription;
// Steps 3 & 4 - check if scheme and other URL restrictions hold.
- bool allowRedirect = isLegalRedirectLocation(newURL, errorDescription);
- if (allowRedirect) {
- // Step 5: perform resource sharing access check.
- allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription, newRequest.requestContext());
- if (allowRedirect) {
- RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
- // Step 6: if the request URL origin is not same origin as the original URL's,
- // set the source origin to a globally unique identifier.
- if (!originalOrigin->canRequest(newURL)) {
- options.securityOrigin = SecurityOrigin::createUnique();
- securityOrigin = options.securityOrigin.get();
- }
- }
+ if (!isLegalRedirectLocation(newURL, errorDescription)) {
+ errorMessage = "Redirect from '" + originalURL.getString() + "' has been blocked by CORS policy: " + errorDescription;
+ return false;
}
- if (!allowRedirect) {
- const String& originalOrigin = SecurityOrigin::create(originalURL)->toString();
- errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription;
+
+ // Step 5: perform resource sharing access check.
+ if (!passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription, newRequest.requestContext())) {
+ errorMessage = "Redirect from '" + originalURL.getString() + "' has been blocked by CORS policy: Redirect response does not pass CORS check: '" + errorDescription;
sof 2016/07/27 11:51:03 I'll leave it up to you to make a final decision,
tyoshino (SeeGerritForStatus) 2016/07/28 12:23:05 Hmm, ok. Removed.
return false;
}
+
+ RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
+ // Step 6: if the request URL origin is not same origin as the original URL's,
+ // set the source origin to a globally unique identifier.
+ if (!originalOrigin->canRequest(newURL)) {
+ options.securityOrigin = SecurityOrigin::createUnique();
+ securityOrigin = options.securityOrigin.get();
+ }
}
if (redirectCrossOrigin) {
// If now to a different origin, update/set Origin:.
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/open-in-body-onload-sync-to-invalid-redirect-response-handling-expected.txt ('k') | third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp » ('j') | third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698