Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(7)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 1487343002: Set credentials mode "same-origin" when crossOrigin=anonymous is set. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp ('k') | third_party/WebKit/Source/core/loader/ImageLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after
249 } 249 }
250 250
251 // We use isSimpleOrForbiddenRequest() here since |request| may have been 251 // We use isSimpleOrForbiddenRequest() here since |request| may have been
252 // modified in the process of loading (not from the user's input). For 252 // modified in the process of loading (not from the user's input). For
253 // example, referrer. We need to accept them. For security, we must reject 253 // example, referrer. We need to accept them. For security, we must reject
254 // forbidden headers/methods at the point we accept user's input. Not here. 254 // forbidden headers/methods at the point we accept user's input. Not here.
255 if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleO rForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_option s.preflightPolicy == PreventPreflight) { 255 if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleO rForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_option s.preflightPolicy == PreventPreflight) {
256 ResourceRequest crossOriginRequest(request); 256 ResourceRequest crossOriginRequest(request);
257 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); 257 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
258 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials()); 258 updateRequestForAccessControl(crossOriginRequest, securityOrigin(), effe ctiveAllowCredentials());
259 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
260 // FIXME: We should set it in the caller of DocumentThreadableLoader.
261 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit);
259 loadRequest(crossOriginRequest, crossOriginOptions); 262 loadRequest(crossOriginRequest, crossOriginOptions);
260 } else { 263 } else {
261 m_crossOriginNonSimpleRequest = true; 264 m_crossOriginNonSimpleRequest = true;
262 265
263 ResourceRequest crossOriginRequest(request); 266 ResourceRequest crossOriginRequest(request);
264 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions); 267 ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
265 // Do not set the Origin header for preflight requests. 268 // Do not set the Origin header for preflight requests.
266 updateRequestForAccessControl(crossOriginRequest, 0, effectiveAllowCrede ntials()); 269 updateRequestForAccessControl(crossOriginRequest, 0, effectiveAllowCrede ntials());
270 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
271 // FIXME: We should set it in the caller of DocumentThreadableLoader.
272 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit);
267 m_actualRequest = crossOriginRequest; 273 m_actualRequest = crossOriginRequest;
268 m_actualOptions = crossOriginOptions; 274 m_actualOptions = crossOriginOptions;
269 275
270 bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPre flight(m_document); 276 bool shouldForcePreflight = InspectorInstrumentation::shouldForceCORSPre flight(m_document);
271 bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSki pPreflight(securityOrigin()->toString(), m_actualRequest.url(), effectiveAllowCr edentials(), m_actualRequest.httpMethod(), m_actualRequest.httpHeaderFields()); 277 bool canSkipPreflight = CrossOriginPreflightResultCache::shared().canSki pPreflight(securityOrigin()->toString(), m_actualRequest.url(), effectiveAllowCr edentials(), m_actualRequest.httpMethod(), m_actualRequest.httpHeaderFields());
272 if (canSkipPreflight && !shouldForcePreflight) { 278 if (canSkipPreflight && !shouldForcePreflight) {
273 loadActualRequest(); 279 loadActualRequest();
274 } else { 280 } else {
275 ResourceRequest preflightRequest = createAccessControlPreflightReque st(m_actualRequest, securityOrigin()); 281 ResourceRequest preflightRequest = createAccessControlPreflightReque st(m_actualRequest, securityOrigin());
276 // Create a ResourceLoaderOptions for preflight. 282 // Create a ResourceLoaderOptions for preflight.
(...skipping 606 matching lines...) Expand 10 before | Expand all | Expand 10 after
883 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin (); 889 return m_securityOrigin ? m_securityOrigin.get() : document().securityOrigin ();
884 } 890 }
885 891
886 Document& DocumentThreadableLoader::document() const 892 Document& DocumentThreadableLoader::document() const
887 { 893 {
888 ASSERT(m_document); 894 ASSERT(m_document);
889 return *m_document; 895 return *m_document;
890 } 896 }
891 897
892 } // namespace blink 898 } // namespace blink
OLDNEW
« no previous file with comments | « third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp ('k') | third_party/WebKit/Source/core/loader/ImageLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698