Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(76)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 1487343002: Set credentials mode "same-origin" when crossOrigin=anonymous is set. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: set credentials mode in DocumentThreadableLoader::makeCrossOriginAccessRequest() Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html ('K') | « third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp ('k') | third_party/WebKit/Source/core/loader/ImageLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after
249 } 249 }
250 250
251 // We use isSimpleOrForbiddenRequest() here since |request| may have been 251 // We use isSimpleOrForbiddenRequest() here since |request| may have been
252 // modified in the process of loading (not from the user's input). For 252 // modified in the process of loading (not from the user's input). For
253 // example, referrer. We need to accept them. For security, we must reject 253 // example, referrer. We need to accept them. For security, we must reject
254 // forbidden headers/methods at the point we accept user's input. Not here. 254 // forbidden headers/methods at the point we accept user's input. Not here.
255 if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleO rForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_option s.preflightPolicy == PreventPreflight) { 255 if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleO rForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_option s.preflightPolicy == PreventPreflight) {
256 ResourceRequest crossOriginRequest(request); 256 ResourceRequest crossOriginRequest(request);
257 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); 257 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
258 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials()); 258 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials());
259 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
260 // FIXME: We should set it in the caller of DocumentThreadableLoader.
261 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit);
259 loadRequest(crossOriginRequest, crossOriginOptions); 262 loadRequest(crossOriginRequest, crossOriginOptions);
260 } else { 263 } else {
261 m_crossOriginNonSimpleRequest = true; 264 m_crossOriginNonSimpleRequest = true;
262 265
263 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request)); 266 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceReques t(request));
264 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions)); 267 OwnPtr<ResourceLoaderOptions> crossOriginOptions = adoptPtr(new Resource LoaderOptions(m_resourceLoaderOptions));
265 // Do not set the Origin header for preflight requests. 268 // Do not set the Origin header for preflight requests.
266 updateRequestForAccessControl(*crossOriginRequest, 0, effectiveAllowCred entials()); 269 updateRequestForAccessControl(*crossOriginRequest, 0, effectiveAllowCred entials());
270 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
271 // FIXME: We should set it in the caller of DocumentThreadableLoader.
272 crossOriginRequest->setFetchCredentialsMode(effectiveAllowCredentials() == AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLR equest::FetchCredentialsModeOmit);
267 m_actualRequest = crossOriginRequest.release(); 273 m_actualRequest = crossOriginRequest.release();
268 m_actualOptions = crossOriginOptions.release(); 274 m_actualOptions = crossOriginOptions.release();
269 275
270 bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPre flight(m_document); 276 bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPre flight(m_document);
271 bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSki pPreflight(securityOrigin()->toString(), m_actualRequest->url(), effectiveAllowC redentials(), m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields() ); 277 bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSki pPreflight(securityOrigin()->toString(), m_actualRequest->url(), effectiveAllowC redentials(), m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields() );
272 if (canSkipPreflight && !shouldForcePreflight) { 278 if (canSkipPreflight && !shouldForcePreflight) {
273 loadActualRequest(); 279 loadActualRequest();
274 } else { 280 } else {
275 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin()); 281 ResourceRequest preflightRequest = createAccessControlPreflightReque st(*m_actualRequest, securityOrigin());
276 // Create a ResourceLoaderOptions for preflight. 282 // Create a ResourceLoaderOptions for preflight.
(...skipping 605 matching lines...) Expand 10 before | Expand all | Expand 10 after
882 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin (); 888 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin ();
883 } 889 }
884 890
885 Document& DocumentThreadableLoader::document() const 891 Document& DocumentThreadableLoader::document() const
886 { 892 {
887 ASSERT(m_document); 893 ASSERT(m_document);
888 return *m_document; 894 return *m_document;
889 } 895 }
890 896
891 } // namespace blink 897 } // namespace blink
OLDNEW
« third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-cookies.html ('K') | « third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp ('k') | third_party/WebKit/Source/core/loader/ImageLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698