| Index: Source/core/fetch/CrossOriginAccessControl.cpp
|
| diff --git a/Source/core/fetch/CrossOriginAccessControl.cpp b/Source/core/fetch/CrossOriginAccessControl.cpp
|
| index facfe26710166dfc10dc6b3ed726201528625284..825e90c8c663df46f0d382422f5d95113eab1683 100644
|
| --- a/Source/core/fetch/CrossOriginAccessControl.cpp
|
| +++ b/Source/core/fetch/CrossOriginAccessControl.cpp
|
| @@ -129,7 +129,7 @@ static String buildAccessControlFailureMessage(const String& detail, SecurityOri
|
| return detail + " Origin '" + securityOrigin->toString() + "' is therefore not allowed access.";
|
| }
|
|
|
| -bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
|
| +bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription, WebURLRequest::RequestContext context)
|
| {
|
| AtomicallyInitializedStaticReference(AtomicString, allowOriginHeaderName, (new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral)));
|
| AtomicallyInitializedStaticReference(AtomicString, allowCredentialsHeaderName, (new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral)));
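Review bot: The new `context` parameter on passesAccessControlCheck has no comment stating that it is diagnostic-only, which matters for a function whose return value is the CORS decision. In the two places this patch reads it, it only selects extra text appended to `errorDescription`. A comment above the signature such as `// |context| only tailors errorDescription; it must never influence the returned access decision.` would keep later edits from branching the check itself on request context. The parameter also has no default, so the header declaration and every caller have to change with it; only the handleRedirect call site is visible in this diff. The function body continues outside the hunk.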
|
| @@ -158,6 +158,9 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
|
| if (isInterestingStatusCode(statusCode))
|
| errorDescription.append(" The response had HTTP status code " + String::number(statusCode) + ".");
|
|
|
| + if (context == WebURLRequest::RequestContextFetch)
|
| + errorDescription.append(" If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
|
| +
|
| return false;
|
| }
|
|
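Review bot: The hint appended here tells Fetch callers to set 'no-cors' "to fetch the resource with CORS disabled", which can be read as a way around the failed check rather than as a trade-off. An opaque response exposes no status, headers or body to script, so the message could say so directly, e.g. `" If an opaque response (whose contents script cannot read) serves your needs, set the request's mode to 'no-cors'."`. The same sentence is repeated in the allow-origin mismatch branch of the next hunk (-172,6 +175,8); one file-static string or small helper used by both would keep the two messages from drifting apart. The condition guarding this failure branch is outside the hunk.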
|
| @@ -172,6 +175,8 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
|
| detail = "The 'Access-Control-Allow-Origin' header has a value '" + allowOriginHeaderValue + "' that is not equal to the supplied origin.";
|
| }
|
| errorDescription = buildAccessControlFailureMessage(detail, securityOrigin);
|
| + if (context == WebURLRequest::RequestContextFetch)
|
| + errorDescription.append(" Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.");
|
| return false;
|
| }
|
|
|
| @@ -246,7 +251,7 @@ bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, Re
|
| bool allowRedirect = isLegalRedirectLocation(newURL, errorDescription);
|
| if (allowRedirect) {
|
| // Step 5: perform resource sharing access check.
|
| - allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
|
| + allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription, newRequest.requestContext());
|
| if (allowRedirect) {
|
| RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
|
| // Step 6: if the request URL origin is not same origin as the original URL's,
|
|
|