Introduce "navigate" mode in Requests

third_party/WebKit/Source/modules/fetch/FetchManager.cpp

Index: third_party/WebKit/Source/modules/fetch/FetchManager.cpp
diff --git a/third_party/WebKit/Source/modules/fetch/FetchManager.cpp b/third_party/WebKit/Source/modules/fetch/FetchManager.cpp
index edfd1021abdd8e3092f832246100ad115a3cf2cd..ba4eb25de732bf9414daed7e62f7fdd44ee67643 100644
--- a/third_party/WebKit/Source/modules/fetch/FetchManager.cpp
+++ b/third_party/WebKit/Source/modules/fetch/FetchManager.cpp
@@ -209,6 +209,9 @@ void FetchManager::Loader::didReceiveResponse(unsigned long, const ResourceRespo
     // origin.
     if (!SecurityOrigin::create(response.url())->isSameSchemeHostPort(m_request->origin().get())) {
         switch (m_request->mode()) {
+        case WebURLRequest::FetchRequestModeNavigate:
+            m_request->setResponseTainting(FetchRequestData::OpaqueTainting);

[horo, 2015/10/14 10:05:31]

I think this should be "ASSERT_NOT_REACHED();".

The request mode can't be "navigate" here.
The redirect mode of "navigate" request must be "manual".
When the redirect mode is manual, DocumentThreadableLoader doesn't follow the
redirect response.
So the origin of response url must be same as the request's origin.

[shiva.jm, 2015/10/14 10:59:06]

Done, had same opinion in patchset2, but miss read from git hub discussions.
shall we maintain the order of request mode enums in Request.idl same as enum
FetchRequestMode as in WebURLRequest.h ?

[hiroshige, 2015/10/15 06:37:03]

horo@,
What poses this limitation?
The current Fetch spec text doesn't seem to do.

[horo, 2015/10/15 11:43:05]

"navigate" request is created only while "Navigating across documents". 
https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents
https://github.com/whatwg/html/commit/80f052b44f3842084221b1104d1fecb02228699a

+            break;
         case WebURLRequest::FetchRequestModeSameOrigin:
             ASSERT_NOT_REACHED();
             break;
@@ -381,6 +384,13 @@ void FetchManager::Loader::start()
         return;
     }
 
+    // "- |request|'s mode is |navigate|"
+    if (m_request->mode() == WebURLRequest::FetchRequestModeNavigate) {
+        // "The result of performing a basic fetch using |request|."
+        performBasicFetch();
+        return;
+    }
+
     // "- |request|'s mode is |same-origin|"
     if (m_request->mode() == WebURLRequest::FetchRequestModeSameOrigin) {
         // "A network error."
@@ -535,6 +545,9 @@ void FetchManager::Loader::performHTTPFetch(bool corsFlag, bool corsPreflightFla
     if (corsPreflightFlag)
         threadableLoaderOptions.preflightPolicy = ForcePreflight;
     switch (m_request->mode()) {
+    case WebURLRequest::FetchRequestModeNavigate:
+        threadableLoaderOptions.crossOriginRequestPolicy = AllowCrossOriginRequests;

[horo, 2015/10/14 10:05:31]

We don't need to allow cross origin requests.
This should be DenyCrossOriginRequests.

[shiva.jm, 2015/10/14 10:59:06]

Done, had same opinion in patchset2, but miss read from git hub discussions.

[hiroshige, 2015/10/15 06:37:03]

horo@,
I want to clarify why this should be DenyCrossOriginRequests here.
The Fetch spec seems to allow cross-origin requests.

[horo, 2015/10/15 11:43:05]

"navigate" request is only available in ServiceWorker.
The request url's origin must be same as the SW's origin.
The request's redirect mode is "manual".
So we don't need to allow cross origin requests.

[yhirano, 2015/10/16 18:15:53]

(to: horo@)
I feel it confusing. How about
 - using AllowCrossOriginRequests,
 - adding an assertion checking that the request url's origin is this origin,
 - adding an assertion about the redirect mode and
 - adding comments?

[horo, 2015/10/19 04:08:13]

Yes, we should have comments.
But I think we should use DenyCrossOriginRequests here to reduce the security
risk.
ASSERT() doesn't work in release build.
So if there are any bugs in handling the request and the response, severe
security accident could happen.

+        break;
     case WebURLRequest::FetchRequestModeSameOrigin:
         threadableLoaderOptions.crossOriginRequestPolicy = DenyCrossOriginRequests;
         break;