
Side by Side Diff: Source/core/loader/DocumentThreadableLoader.cpp

Issue 1300083002: Add suggestion to use "no-cors" with Fetch fails CORS check. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Update case where header is present but not for the correct origin. Created 5 years, 3 months ago
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
(...skipping 349 matching lines...) Expand 10 before | Expand all | Expand 10 after
360 String accessControlErrorDescription; 360 String accessControlErrorDescription;
361 361
362 // Non-simple cross origin requests (both preflight and actual one) are 362 // Non-simple cross origin requests (both preflight and actual one) are
363 // not allowed to follow redirect. 363 // not allowed to follow redirect.
364 if (m_crossOriginNonSimpleRequest) { 364 if (m_crossOriginNonSimpleRequest) {
365 accessControlErrorDescription = "The request was redirected to '"+ r equest.url().string() + "', which is disallowed for cross-origin requests that r equire preflight."; 365 accessControlErrorDescription = "The request was redirected to '"+ r equest.url().string() + "', which is disallowed for cross-origin requests that r equire preflight.";
366 } else { 366 } else {
367 // The redirect response must pass the access control check if the 367 // The redirect response must pass the access control check if the
368 // original request was not same-origin. 368 // original request was not same-origin.
369 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re quest.url(), accessControlErrorDescription) 369 allowRedirect = CrossOriginAccessControl::isLegalRedirectLocation(re quest.url(), accessControlErrorDescription)
370 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp onse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescripti on)); 370 && (m_sameOriginRequest || passesAccessControlCheck(redirectResp onse, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescripti on, m_requestContext));
371 } 371 }
372 372
373 if (allowRedirect) { 373 if (allowRedirect) {
374 // FIXME: consider combining this with CORS redirect handling perfor med by 374 // FIXME: consider combining this with CORS redirect handling perfor med by
375 // CrossOriginAccessControl::handleRedirect(). 375 // CrossOriginAccessControl::handleRedirect().
376 clearResource(); 376 clearResource();
377 377
378 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url()); 378 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(redir ectResponse.url());
379 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url()); 379 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::create(reques t.url());
380 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin, 380 // If the original request wasn't same-origin, then if the request U RL origin is not same origin with the original URL origin,
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
449 if (handle) 449 if (handle)
450 m_isUsingDataConsumerHandle = true; 450 m_isUsingDataConsumerHandle = true;
451 451
452 handleResponse(resource->identifier(), response, handle); 452 handleResponse(resource->identifier(), response, handle);
453 } 453 }
454 454
455 void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& r esponse) 455 void DocumentThreadableLoader::handlePreflightResponse(const ResourceResponse& r esponse)
456 { 456 {
457 String accessControlErrorDescription; 457 String accessControlErrorDescription;
458 458
459 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securit yOrigin(), accessControlErrorDescription)) { 459 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securit yOrigin(), accessControlErrorDescription, m_requestContext)) {
460 handlePreflightFailure(response.url().string(), "Response to preflight r equest doesn't pass access control check: " + accessControlErrorDescription); 460 handlePreflightFailure(response.url().string(), "Response to preflight r equest doesn't pass access control check: " + accessControlErrorDescription);
461 return; 461 return;
462 } 462 }
463 463
464 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) { 464 if (!passesPreflightStatusCheck(response, accessControlErrorDescription)) {
465 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption); 465 handlePreflightFailure(response.url().string(), accessControlErrorDescri ption);
466 return; 466 return;
467 } 467 }
468 468
469 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C rossOriginPreflightResultCacheItem(effectiveAllowCredentials())); 469 OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult = adoptPtr(new C rossOriginPreflightResultCacheItem(effectiveAllowCredentials()));
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after
523 // response may come here (wasFetchedViaServiceWorker() returns false) since 523 // response may come here (wasFetchedViaServiceWorker() returns false) since
524 // such a request doesn't have to go through the CORS algorithm by calling 524 // such a request doesn't have to go through the CORS algorithm by calling
525 // loadFallbackRequestForServiceWorker(). 525 // loadFallbackRequestForServiceWorker().
526 // FIXME: We should use |m_sameOriginRequest| when we will support 526 // FIXME: We should use |m_sameOriginRequest| when we will support
527 // Suborigins (crbug.com/336894) for Service Worker. 527 // Suborigins (crbug.com/336894) for Service Worker.
528 ASSERT(!m_fallbackRequestForServiceWorker || securityOrigin()->canRequest(m_ fallbackRequestForServiceWorker->url())); 528 ASSERT(!m_fallbackRequestForServiceWorker || securityOrigin()->canRequest(m_ fallbackRequestForServiceWorker->url()));
529 m_fallbackRequestForServiceWorker = nullptr; 529 m_fallbackRequestForServiceWorker = nullptr;
530 530
531 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC ontrol) { 531 if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessC ontrol) {
532 String accessControlErrorDescription; 532 String accessControlErrorDescription;
533 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), sec urityOrigin(), accessControlErrorDescription)) { 533 if (!passesAccessControlCheck(response, effectiveAllowCredentials(), sec urityOrigin(), accessControlErrorDescription, m_requestContext)) {
534 reportResponseReceived(identifier, response); 534 reportResponseReceived(identifier, response);
535 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, response.url().string(), accessControlErrorDescription)); 535 m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkIn ternal, 0, response.url().string(), accessControlErrorDescription));
536 return; 536 return;
537 } 537 }
538 } 538 }
539 539
540 m_client->didReceiveResponse(identifier, response, handle); 540 m_client->didReceiveResponse(identifier, response, handle);
541 } 541 }
542 542
543 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, const char * data, size_t size) 543 void DocumentThreadableLoader::setSerializedCachedMetadata(Resource*, const char * data, size_t size)
(...skipping 194 matching lines...) Expand 10 before | Expand all | Expand 10 after
738 return DoNotAllowStoredCredentials; 738 return DoNotAllowStoredCredentials;
739 return m_resourceLoaderOptions.allowCredentials; 739 return m_resourceLoaderOptions.allowCredentials;
740 } 740 }
741 741
742 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const 742 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
743 { 743 {
744 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin (); 744 return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin ();
745 } 745 }
746 746
747 } // namespace blink 747 } // namespace blink
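Review bot: At the preflight call site (new line 459) `m_requestContext` is passed into `passesAccessControlCheck`, and whatever description comes back is appended to "Response to preflight request doesn't pass access control check: " before being reported. If the context is used to add the "no-cors" suggestion for Fetch, as the issue title implies, that hint would be shown for a request that required a preflight, and such a request generally cannot be sent in no-cors mode, so the advice would mislead. Consider suppressing the hint for preflight responses, and make sure the message says that a no-cors response is opaque to script, so it is not read as a way around the check. A short comment at the three call sites (370, 459, 533) would also help, for example `// m_requestContext only tailors the error text; it must not change the outcome of the CORS check.` The helper lives in CrossOriginAccessControl and is not shown on this page, so how the context is actually used is inferred.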