Unified Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 1300083002: Add suggestion to use "no-cors" with Fetch fails CORS check. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Update case where header is present but not for the correct origin. Created 5 years, 3 months ago
Index: Source/core/fetch/CrossOriginAccessControl.cpp
diff --git a/Source/core/fetch/CrossOriginAccessControl.cpp b/Source/core/fetch/CrossOriginAccessControl.cpp
index facfe26710166dfc10dc6b3ed726201528625284..825e90c8c663df46f0d382422f5d95113eab1683 100644
--- a/Source/core/fetch/CrossOriginAccessControl.cpp
+++ b/Source/core/fetch/CrossOriginAccessControl.cpp
@@ -129,7 +129,7 @@ static String buildAccessControlFailureMessage(const String& detail, SecurityOri
return detail + " Origin '" + securityOrigin->toString() + "' is therefore not allowed access.";
}
-bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
+bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription, WebURLRequest::RequestContext context)
{
AtomicallyInitializedStaticReference(AtomicString, allowOriginHeaderName, (new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)));
AtomicallyInitializedStaticReference(AtomicString, allowCredentialsHeaderName, (new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral)));
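Review bot: The new `context` parameter on the signature is undocumented, and nothing at the declaration tells a caller that it changes only the diagnostic text, not the outcome of the check (both uses later in this file sit on paths that `return false` regardless). A one-line comment above the signature would settle that: `// context only selects the remediation hint appended to errorDescription on failure; it never changes the check's result.` The header declaration and any caller outside this file presumably need the same parameter; that cannot be confirmed from this diff. The body of passesAccessControlCheck continues past the end of the hunk.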
@@ -158,6 +158,9 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
if (isInterestingStatusCode(statusCode))
errorDescription.append(" The response had HTTP status code " + String::number(statusCode) + ".");
+ if (context == WebURLRequest::RequestContextFetch)
+ errorDescription.append(" If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
+
return false;
}
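Review bot: The fetch()-only hint added here is repeated, with a different lead-in, in the @@ -172 hunk below, and both sites also repeat the `context == WebURLRequest::RequestContextFetch` gate; the shared sentence and the gate belong in one file-local helper next to buildAccessControlFailureMessage (say `appendFetchNoCorsHint(errorDescription, context, leadIn)`) so the two failure paths cannot drift apart. The gate also deserves a why-comment, because a reader has to know why XHR callers get nothing: `// Only fetch() lets the caller choose a request mode, so only a fetch() caller can act on this advice.` The enclosing function starts and ends outside the hunk.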
@@ -172,6 +175,8 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
detail = "The 'Access-Control-Allow-Origin' header has a value '" + allowOriginHeaderValue + "' that is not equal to the supplied origin.";
}
errorDescription = buildAccessControlFailureMessage(detail, securityOrigin);
+ if (context == WebURLRequest::RequestContextFetch)
+ errorDescription.append(" Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
return false;
}
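Review bot: The hint is appended only on this origin-mismatch path and on the missing-header path in the hunk above; if passesAccessControlCheck has a further failure path below this hunk (a credentials check, for instance), a fetch() caller would get no hint there, which is worth confirming since the function's end is outside the hunk. It would also help the next maintainer to say why recommending 'no-cors' is acceptable on a failed CORS check: `// An opaque response exposes no body or headers to the page, so 'no-cors' is only useful to a caller that needs no response data.` The message text itself already makes that condition explicit.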
@@ -246,7 +251,7 @@ bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re
bool allowRedirect = isLegalRedirectLocation(newURL, errorDescription);
if (allowRedirect) {
// Step 5: perform resource sharing access check.
- allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
+ allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription, newRequest.requestContext());
if (allowRedirect) {
RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
// Step 6: if the request URL origin is not same origin as the original URL's,
