Set credentials mode "same-origin" when crossOrigin=anonymous is set.

third_party/WebKit/Source/core/css/CSSFontFaceSrcValue.cpp

 /*
  * Copyright (C) 2007, 2010 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 17 matching lines @@
 
 #include "core/css/CSSMarkup.h"
 #include "core/css/StyleSheetContents.h"
 #include "core/dom/Document.h"
 #include "core/dom/Node.h"
 #include "core/fetch/FetchInitiatorTypeNames.h"
 #include "core/fetch/FetchRequest.h"
 #include "core/fetch/FontResource.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/loader/MixedContentChecker.h"
+#include "platform/CrossOriginAttributeValue.h"
 #include "platform/fonts/FontCache.h"
 #include "platform/fonts/FontCustomPlatformData.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace blink {
 
 bool CSSFontFaceSrcValue::isSupportedFormat() const
 {
     // Normally we would just check the format, but in order to avoid conflicts with the old WinIE style of font-face,
@@ skipping 27 matching lines @@
     return m_fetched && m_fetched->loadFailedOrCanceled();
 }
 
 static void setCrossOriginAccessControl(FetchRequest& request, SecurityOrigin* securityOrigin)
 {
     // Local fonts are accessible from file: URLs even when
     // allowFileAccessFromFileURLs is false.
     if (request.url().isLocalFile())
         return;
 
-    StoredCredentials allowCredentials = DoNotAllowStoredCredentials;
-    bool sameOriginRequest = securityOrigin->canRequestNoSuborigin(request.url());
-    // Include credentials for same origin requests (and assume that
-    // redirects out of origin will be handled per Fetch spec.)
-    if (sameOriginRequest)
-        allowCredentials = AllowStoredCredentials;
-    request.setCrossOriginAccessControl(securityOrigin, allowCredentials, ClientDidNotRequestCredentials);
+    request.setCrossOriginAccessControl(securityOrigin, CrossOriginAttributeAnonymous);
 }
 
 FontResource* CSSFontFaceSrcValue::fetch(Document* document)
 {
     if (!m_fetched) {
         FetchRequest request(ResourceRequest(document->completeURL(m_resource)), FetchInitiatorTypeNames::css);
         request.setContentSecurityCheck(m_shouldCheckContentSecurityPolicy);
         SecurityOrigin* securityOrigin = document->securityOrigin();
         setCrossOriginAccessControl(request, securityOrigin);
         request.mutableResourceRequest().setHTTPReferrer(SecurityPolicy::generateReferrer(m_referrer.referrerPolicy, request.url(), m_referrer.referrer));
@@ skipping 21 matching lines @@
         m_fetched->lastResourceRequest().url(), MixedContentChecker::SendReport);
     document->fetcher()->requestLoadStarted(m_fetched.get(), request, ResourceFetcher::ResourceLoadingFromCache);
 }
 
 bool CSSFontFaceSrcValue::equals(const CSSFontFaceSrcValue& other) const
 {
     return m_isLocal == other.m_isLocal && m_format == other.m_format && m_resource == other.m_resource;
 }
 
 }