Set credentials mode "same-origin" when crossOrigin=anonymous is set.

Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attributes

So the request which is sent to the server for "<img src='./test.png' crossOrigin='anonymous'>" must contain cookies, because it is a same origin request.
And if a Service Worker intercept the request, the fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png" crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue enum.
But String value and ResourceLoaderOptions are still used only for passing the crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689, 563328
Committed: https://crrev.com/92358044fff21ee6cf6d89842b801c072145c432
Cr-Commit-Position: refs/heads/master@{#364641}

[horo, 2015-12-02 08:25:20]

Description was changed from

==========
[WIP]Use CrossOriginAttributeValue

BUG=
==========

to

==========
[WIP]Use CrossOriginAttributeValue

BUG=486689,563328
==========

[horo, 2015-12-02 08:29:22]

Description was changed from

==========
[WIP]Use CrossOriginAttributeValue

BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

BUG=486689,563328
==========

[horo, 2015-12-03 11:14:49]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.


BUG=486689,563328
==========

[horo, 2015-12-04 03:13:55]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.


BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
  corsEnabled: NO
- CrossOriginAttributeAnonymous:
  corsEnabled: YES
  allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise No.
  credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
  corsEnabled: YES
  allowCredentials: YES
  credentialsRequested: YES



BUG=486689,563328
==========

[horo, 2015-12-04 03:14:19]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
  corsEnabled: NO
- CrossOriginAttributeAnonymous:
  corsEnabled: YES
  allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise No.
  credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
  corsEnabled: YES
  allowCredentials: YES
  credentialsRequested: YES



BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise No.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES



BUG=486689,563328
==========

[horo, 2015-12-04 03:25:09]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise No.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES



BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES



BUG=486689,563328
==========

[horo, 2015-12-04 04:01:30]

Patchset #1 (id:1) has been deleted

[horo, 2015-12-04 04:02:02]

Patchset #1 (id:20001) has been deleted

[horo, 2015-12-04 04:02:25]

Patchset #1 (id:40001) has been deleted

[horo, 2015-12-04 04:02:34]

Patchset #1 (id:60001) has been deleted

[horo, 2015-12-04 04:02:43]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES



BUG=486689,563328
==========

to

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

[horo, 2015-12-04 04:03:17]

Description was changed from

==========
[WIP] Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

to

==========
Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

[horo, 2015-12-04 04:05:06]

horo@chromium.org changed reviewers:
+ tyoshino@chromium.org

[horo, 2015-12-04 04:05:07]

tyoshino@
Could you please review this?

[tyoshino (SeeGerritForStatus), 2015-12-07 08:49:55]

nice clean up

https://codereview.chromium.org/1487343002/diff/120001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/css/CSSImageValue.h (right):

https://codereview.chromium.org/1487343002/diff/120001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/css/CSSImageValue.h:25: #include
"core/fetch/ResourceFetcher.h"
remove?

[horo, 2015-12-07 09:25:06]

https://codereview.chromium.org/1487343002/diff/120001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/css/CSSImageValue.h (right):

https://codereview.chromium.org/1487343002/diff/120001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/css/CSSImageValue.h:25: #include
"core/fetch/ResourceFetcher.h"
On 2015/12/07 08:49:54, tyoshino wrote:
> remove?

Done.
Moved to CSSImageValue.cpp

[tyoshino (SeeGerritForStatus), 2015-12-07 10:28:30]

https://codereview.chromium.org/1487343002/diff/140001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp (left):

https://codereview.chromium.org/1487343002/diff/140001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp:69:
request.setFetchCredentialsMode(allowCredentials == AllowStoredCredentials ?
WebURLRequest::FetchCredentialsModeInclude :
WebURLRequest::FetchCredentialsModeOmit);
This method is used by DocumentThreadableLoader, too. Is it fine?

[horo, 2015-12-08 05:46:43]

Patchset #5 (id:160001) has been deleted

[horo, 2015-12-08 05:49:28]

https://codereview.chromium.org/1487343002/diff/140001/third_party/WebKit/Sou...
File third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp (left):

https://codereview.chromium.org/1487343002/diff/140001/third_party/WebKit/Sou...
third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp:69:
request.setFetchCredentialsMode(allowCredentials == AllowStoredCredentials ?
WebURLRequest::FetchCredentialsModeInclude :
WebURLRequest::FetchCredentialsModeOmit);
On 2015/12/07 10:28:30, tyoshino wrote:
> This method is used by DocumentThreadableLoader, too. Is it fine?

Changed DocumentThreadableLoader::makeCrossOriginAccessRequest() and added FIXME
comment.

[tyoshino (SeeGerritForStatus), 2015-12-08 11:30:32]

lgtm!

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html
(right):

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:31:
document.cookie="TestCookie=same";
put spaces around the first =

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:37:
return fetch(new Request(REMOTE_RESOURCES_PATH + '/set-cookie.php?' +
redundant /

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:46:
'NoCORS must contain cookies.'),
which -> for which

or

which -> whose

or

which -> with
setting is -> setting set to


same below

[horo, 2015-12-09 02:29:34]

Thank you!

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
File
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html
(right):

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:31:
document.cookie="TestCookie=same";
On 2015/12/08 11:30:31, tyoshino wrote:
> put spaces around the first =

Done.

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:37:
return fetch(new Request(REMOTE_RESOURCES_PATH + '/set-cookie.php?' +
On 2015/12/08 11:30:31, tyoshino wrote:
> redundant /

Done.

https://codereview.chromium.org/1487343002/diff/180001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html:46:
'NoCORS must contain cookies.'),
On 2015/12/08 11:30:31, tyoshino wrote:
> which -> for which
> 
> or
> 
> which -> whose
> 
> or
> 
> which -> with
> setting is -> setting set to
> 
> 
> same below

Done.

[horo, 2015-12-09 02:30:09]

mkwst@
Could you please review this?

[horo, 2015-12-09 08:57:50]

horo@chromium.org changed reviewers:
+ mkwst@chromium.org

[horo, 2015-12-09 08:57:51]

mkwst@
Could you please reivew this?

[Mike West, 2015-12-09 10:18:54]

On 2015/12/09 at 08:57:51, horo wrote:
> mkwst@
> Could you please reivew this?

I agree that this is an accurate representation of the HTML spec, and the code
change looks good to me.

Does this align our behavior with other browsers? It surprises me that
"anonymous" doesn't really mean "anonymous", and that we're leaving developers
without a declarative mechanism of requesting data from their own origins
without getting/setting cookies.

If this change brings us into line with Firefox or Edge, great. LGTM.

If we'd be leading the pack, then I think it might be worth rethinking the
definition rather than landing this patch. :)

[horo, 2015-12-10 08:01:42]

On 2015/12/09 10:18:54, Mike West wrote:
> On 2015/12/09 at 08:57:51, horo wrote:
> > mkwst@
> > Could you please reivew this?
> 
> I agree that this is an accurate representation of the HTML spec, and the code
> change looks good to me.
> 
> Does this align our behavior with other browsers? It surprises me that
> "anonymous" doesn't really mean "anonymous", and that we're leaving developers
> without a declarative mechanism of requesting data from their own origins
> without getting/setting cookies.
> 
> If this change brings us into line with Firefox or Edge, great. LGTM.
> 
> If we'd be leading the pack, then I think it might be worth rethinking the
> definition rather than landing this patch. :)

Firefox/37.0 sends cookies for same-origin request for a resource whose CORS
setting is Anonymous.
So img-crossorigin-cookies.html test passes in Firefox.

But Edge/13.10586 doesn't send.

[horo, 2015-12-10 08:02:28]

The CQ bit was checked by horo@chromium.org

[horo, 2015-12-10 08:02:28]

The patchset sent to the CQ was uploaded after l-g-t-m from
tyoshino@chromium.org
Link to the patchset: https://codereview.chromium.org/1487343002/#ps200001
(title: "incorporated tyoshino's comment")

[commit-bot: I haz the power, 2015-12-10 08:03:31]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1487343002/200001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1487343002/200001

[commit-bot: I haz the power, 2015-12-10 08:59:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2015-12-10 08:59:18]

Try jobs failed on following builders:
  linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[horo, 2015-12-11 02:57:39]

The CQ bit was checked by horo@chromium.org

[commit-bot: I haz the power, 2015-12-11 02:58:15]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1487343002/200001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1487343002/200001

[commit-bot: I haz the power, 2015-12-11 03:05:42]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2015-12-11 03:05:43]

Try jobs failed on following builders:
  chromium_presubmit on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presub...)
  linux_chromium_chromeos_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[horo, 2015-12-11 03:43:07]

Patchset #7 (id:220001) has been deleted

[horo, 2015-12-11 03:44:51]

The CQ bit was checked by horo@chromium.org

[horo, 2015-12-11 03:44:51]

The patchset sent to the CQ was uploaded after l-g-t-m from
tyoshino@chromium.org, mkwst@chromium.org
Link to the patchset: https://codereview.chromium.org/1487343002/#ps240001
(title: "rebase")

[commit-bot: I haz the power, 2015-12-11 03:45:49]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1487343002/240001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1487343002/240001

[commit-bot: I haz the power, 2015-12-11 07:15:40]

Description was changed from

==========
Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

to

==========
Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

[commit-bot: I haz the power, 2015-12-11 07:15:42]

Committed patchset #7 (id:240001)

[commit-bot: I haz the power, 2015-12-11 07:16:23]

Description was changed from

==========
Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328
==========

to

==========
Set credentials mode "same-origin" when crossOrigin=anonymous is set.

According to the HTML spec, the fetch credentials mode for resources which
crossOrigin is "anonymous" must be "same-origin".
https://html.spec.whatwg.org/multipage/infrastructure.html#cors-settings-attr...

So the request which is sent to the server for "<img src='./test.png'
crossOrigin='anonymous'>" must contain cookies, because it is a same origin
request.
And if a Service Worker intercept the request, the
fetchevent.request.credentials must be "same-origin".
But Chrome doesn't send cookies for <img src="./test.png"
crossOrigin="anonymous">.
And fetchevent.request.credentials is "omit".

This CL fix this problem.
(https://codereview.chromium.org/1267023004 introduced a workaround only for
WebFonts.)

https://codereview.chromium.org/1135203002 introduced CrossOriginAttributeValue
enum.
But String value and ResourceLoaderOptions are still used only for passing the
crossOrigin value.
So this CL change those code to use the enum value.

- CrossOriginAttributeNotSet:
    corsEnabled: NO
- CrossOriginAttributeAnonymous:
    corsEnabled: YES
    allowCredentials: YES if the request URL origin is same as the document's
origin. Otherwise NO.
    credentialsRequested: NO
- CrossOriginAttributeUseCredentials:
    corsEnabled: YES
    allowCredentials: YES
    credentialsRequested: YES

BUG=486689,563328

Committed: https://crrev.com/92358044fff21ee6cf6d89842b801c072145c432
Cr-Commit-Position: refs/heads/master@{#364641}
==========

[commit-bot: I haz the power, 2015-12-11 07:16:25]

Patchset 7 (id:??) landed as
https://crrev.com/92358044fff21ee6cf6d89842b801c072145c432
Cr-Commit-Position: refs/heads/master@{#364641}