Add suggestion to use "no-cors" with Fetch fails CORS check.

Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 111 matching lines @@
     // console error messages for responses containing no access
     // control headers.
     return statusCode >= 400;
 }
 
 static String buildAccessControlFailureMessage(const String& detail, SecurityOrigin* securityOrigin)
 {
     return detail + " Origin '" + securityOrigin->toString() + "' is therefore not allowed access.";
 }
 
-bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
+bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription, WebURLRequest::RequestContext context)
 {
     AtomicallyInitializedStaticReference(AtomicString, allowOriginHeaderName, (new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)));
     AtomicallyInitializedStaticReference(AtomicString, allowCredentialsHeaderName, (new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral)));
 
     int statusCode = response.httpStatusCode();
 
     if (!statusCode) {
         errorDescription = buildAccessControlFailureMessage("Invalid response.", securityOrigin);
         return false;
     }
 
     const AtomicString& allowOriginHeaderValue = response.httpHeaderField(allowOriginHeaderName);
     if (allowOriginHeaderValue == starAtom) {
         // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
         // even with Access-Control-Allow-Credentials set to true.
         if (includeCredentials == DoNotAllowStoredCredentials)
             return true;
         if (response.isHTTP()) {
             errorDescription = buildAccessControlFailureMessage("A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true.", securityOrigin);
             return false;
         }
     } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) {
         if (allowOriginHeaderValue.isNull()) {
             errorDescription = buildAccessControlFailureMessage("No 'Access-Control-Allow-Origin' header is present on the requested resource.", securityOrigin);
 
             if (isInterestingStatusCode(statusCode))
                 errorDescription.append(" The response had HTTP status code " + String::number(statusCode) + ".");
 
+            if (context == WebURLRequest::RequestContextFetch)
+                errorDescription.append(" If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
+
             return false;
         }
 
         String detail;
         if (allowOriginHeaderValue.string().find(isOriginSeparator, 0) != kNotFound) {
             detail = "The 'Access-Control-Allow-Origin' header contains multiple values '" + allowOriginHeaderValue + "', but only one is allowed.";
         } else {
             KURL headerOrigin(KURL(), allowOriginHeaderValue);
             if (!headerOrigin.isValid())
                 detail = "The 'Access-Control-Allow-Origin' header contains the invalid value '" + allowOriginHeaderValue + "'.";
             else
                 detail = "The 'Access-Control-Allow-Origin' header has a value '" + allowOriginHeaderValue + "' that is not equal to the supplied origin.";
         }
         errorDescription = buildAccessControlFailureMessage(detail, securityOrigin);
+        if (context == WebURLRequest::RequestContextFetch)
+            errorDescription.append(" Either change the header or use the 'no-cors' mode with fetch to get an opaque response.");

[tyoshino (SeeGerritForStatus), 2015/09/07 08:41:07]

Please update the text after "or" here as well. For example,

" Have the server send the header with a valid value, or if an opaque response
serves your needs, set the request's mode to 'no-cors' to fetch the resource
with CORS disabled."

The suggestions made here are for two different things (CORS enabled to get a
non-opaque, CORS disabled to get an opaque). Simply connecting them with "either
... or ..." doesn't sound so good.

[jeremyarcher, 2015/09/07 08:47:28]

Good eyes! I've made the patch.

         return false;
     }
 
     if (includeCredentials == AllowStoredCredentials) {
         const AtomicString& allowCredentialsHeaderValue = response.httpHeaderField(allowCredentialsHeaderName);
         if (allowCredentialsHeaderValue != "true") {
             errorDescription = buildAccessControlFailureMessage("Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is '" + allowCredentialsHeaderValue + "'. It must be 'true' to allow credentials.", securityOrigin);
             return false;
         }
     }
@@ skipping 54 matching lines @@
 
     // Same-origin request URLs that redirect are allowed without checking access.
     if (!securityOrigin->canRequest(originalURL)) {
         // Follow http://www.w3.org/TR/cors/#redirect-steps
         String errorDescription;
 
         // Steps 3 & 4 - check if scheme and other URL restrictions hold.
         bool allowRedirect = isLegalRedirectLocation(newURL, errorDescription);
         if (allowRedirect) {
             // Step 5: perform resource sharing access check.
-            allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
+            allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription, newRequest.requestContext());
             if (allowRedirect) {
                 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
                 // Step 6: if the request URL origin is not same origin as the original URL's,
                 // set the source origin to a globally unique identifier.
                 if (!originalOrigin->canRequest(newURL)) {
                     options.securityOrigin = SecurityOrigin::createUnique();
                     securityOrigin = options.securityOrigin.get();
                 }
             }
         }
         if (!allowRedirect) {
             const String& originalOrigin = SecurityOrigin::create(originalURL)->toString();
             errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription;
             return false;
         }
     }
     if (redirectCrossOrigin) {
         // If now to a different origin, update/set Origin:.
         newRequest.clearHTTPOrigin();
         newRequest.setHTTPOrigin(securityOrigin->toAtomicString());
         // If the user didn't request credentials in the first place, update our
         // state so we neither request them nor expect they must be allowed.
         if (options.credentialsRequested == ClientDidNotRequestCredentials)
             options.allowCredentials = DoNotAllowStoredCredentials;
     }
     return true;
 }
 
 } // namespace blink