
Unified Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 1196423003: Improve console log message for CORS failure (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase Created 5 years, 6 months ago
Index: Source/core/fetch/CrossOriginAccessControl.cpp
diff --git a/Source/core/fetch/CrossOriginAccessControl.cpp b/Source/core/fetch/CrossOriginAccessControl.cpp
index 5efd898b70132d80c4e7f613293176f682a75d2a..3efd9cf957d278bd7c1afa2a9127fc8a239787ee 100644
--- a/Source/core/fetch/CrossOriginAccessControl.cpp
+++ b/Source/core/fetch/CrossOriginAccessControl.cpp
@@ -182,7 +182,7 @@ bool passesPreflightStatusCheck(const ResourceResponse& response, String& errorD
// http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
// https://crbug.com/452394
if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) {
- errorDescription = "Invalid HTTP status code " + String::number(response.httpStatusCode());
+ errorDescription = "Response for preflight has invalid HTTP status code " + String::number(response.httpStatusCode());
tyoshino (SeeGerritForStatus) 2015/06/30 05:30:08 Split this change into https://codereview.chromium
return false;
}
@@ -216,13 +216,13 @@ bool CrossOriginAccessControl::isLegalRedirectLocation(const KURL& requestURL, S
return true;
}
-bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResponse, StoredCredentials withCredentials, ResourceLoaderOptions& options, String& errorMessage)
+bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, ResourceRequest& newRequest, const ResourceResponse& redirectResponse, StoredCredentials withCredentials, ResourceLoaderOptions& options, String& errorMessage)
{
// http://www.w3.org/TR/cors/#redirect-steps terminology:
const KURL& originalURL = redirectResponse.url();
- const KURL& requestURL = request.url();
+ const KURL& newURL = newRequest.url();
- bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL);
+ bool redirectCrossOrigin = !securityOrigin->canRequest(newURL);
// Same-origin request URLs that redirect are allowed without checking access.
if (!securityOrigin->canRequest(originalURL)) {
@@ -230,30 +230,28 @@ bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re
String errorDescription;
// Steps 3 & 4 - check if scheme and other URL restrictions hold.
- bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescription);
- if (allowRedirect) {
- // Step 5: perform resource sharing access check.
- allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
- if (allowRedirect) {
- RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
- // Step 6: if the request URL origin is not same origin as the original URL's,
- // set the source origin to a globally unique identifier.
- if (!originalOrigin->canRequest(requestURL)) {
- options.securityOrigin = SecurityOrigin::createUnique();
- securityOrigin = options.securityOrigin.get();
- }
- }
- }
- if (!allowRedirect) {
+ if (!isLegalRedirectLocation(newURL, errorDescription))
sof 2015/06/25 11:24:18 This generated a console error message before cont
tyoshino (SeeGerritForStatus) 2016/07/22 12:46:45 Good catch. Reverted.
+ return false;
+
+ // Step 5: perform resource sharing access check.
+ if (!passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription)) {
const String& originalOrigin = SecurityOrigin::create(originalURL)->toString();
errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription;
return false;
}
+
+ RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
+ // Step 6: if the request URL origin is not same origin as the original URL's,
+ // set the source origin to a globally unique identifier.
+ if (!originalOrigin->canRequest(newURL)) {
+ options.securityOrigin = SecurityOrigin::createUnique();
+ securityOrigin = options.securityOrigin.get();
+ }
}
if (redirectCrossOrigin) {
// If now to a different origin, update/set Origin:.
- request.clearHTTPOrigin();
- request.setHTTPOrigin(securityOrigin->toAtomicString());
+ newRequest.clearHTTPOrigin();
+ newRequest.setHTTPOrigin(securityOrigin->toAtomicString());
sof 2015/06/25 11:24:18 (This doesn't actually do what's intended, btw.)
// If the user didn't request credentials in the first place, update our
// state so we neither request them nor expect they must be allowed.
if (options.credentialsRequested == ClientDidNotRequestCredentials)
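Review bot: The rewritten body creates the original origin twice in adjacent scopes with the same local name but different types, `const String& originalOrigin = SecurityOrigin::create(originalURL)->toString();` in the step 5 failure branch and `RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);` for step 6. Hoisting a single `RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);` above the `passesAccessControlCheck` call and using `originalOrigin->toString()` in the error message removes the duplicate construction and the `const String&` bound to a member of a temporary, whose safety depends on whether toString() returns by value, which this hunk does not show. The step 6 comment still says "request URL origin" although the variable it guards is now `newURL`; `// Step 6: if the new URL's origin is not same origin as the original URL's,` would match the rename. handleRedirect begins in the previous hunk and continues past the end of this one.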
