Improve handling of CORS redirects for some resource loads.

Source/core/fetch/ResourceFetcher.cpp

 /*
     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
     Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
     License as published by the Free Software Foundation; either
@@ skipping 13 matching lines @@
     pages from the web. It has a memory cache for these objects.
 */
 
 #include "config.h"
 #include "core/fetch/ResourceFetcher.h"
 
 #include "RuntimeEnabledFeatures.h"
 #include "bindings/v8/ScriptController.h"
 #include "core/dom/Document.h"
 #include "core/fetch/CSSStyleSheetResource.h"
+#include "core/fetch/CrossOriginAccessControl.h"
 #include "core/fetch/DocumentResource.h"
 #include "core/fetch/FetchContext.h"
 #include "core/fetch/FontResource.h"
 #include "core/fetch/ImageResource.h"
 #include "core/fetch/MemoryCache.h"
 #include "core/fetch/RawResource.h"
 #include "core/fetch/ResourceLoader.h"
 #include "core/fetch/ResourceLoaderSet.h"
 #include "core/fetch/ScriptResource.h"
 #include "core/fetch/ShaderResource.h"
@@ skipping 499 matching lines @@
     // folks block insecure content with a CSP policy, they don't get a warning.
     // They'll still get a warning in the console about CSP blocking the load.
 
     // FIXME: Should we consider forPreload here?
     if (!checkInsecureContent(type, url, options.mixedContentBlockingTreatment))
         return false;
 
     return true;
 }
 
-bool ResourceFetcher::canAccessResource(Resource* resource, const KURL& url) const
+bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sourceOrigin, const KURL& url) const
 {
     // Redirects can change the response URL different from one of request.
     if (!canRequest(resource->type(), url, resource->options(), false, FetchRequest::UseDefaultOriginRestrictionForType))
         return false;
 
-    if (!document() || document()->securityOrigin()->canRequest(url))
+    if (!sourceOrigin && document())
+        sourceOrigin = document()->securityOrigin();
+
+    if (!sourceOrigin || sourceOrigin->canRequest(url))

[abarth-chromium, 2014/02/05 08:20:44]

The !sourceOrigin case here cannot occur.  document()->securityOrigin() is
always non-null.

         return true;
 
     String errorDescription;
-    if (!resource->passesAccessControlCheck(document()->securityOrigin(), errorDescription)) {
+    if (!resource->passesAccessControlCheck(sourceOrigin, errorDescription)) {
         if (frame() && frame()->document()) {
             String resourceType = Resource::resourceTypeToString(resource->type(), resource->options().initiatorInfo);
             frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
         }
         return false;
     }
     return true;
 }
 
 bool ResourceFetcher::shouldLoadNewResource(Resource::Type type) const
@@ skipping 725 matching lines @@
     if (Frame* frame = this->frame())
         return frame->page()->defersLoading();
     return false;
 }
 
 bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const
 {
     return this == possibleOwner;
 }
 
-bool ResourceFetcher::shouldRequest(Resource* resource, const ResourceRequest& request, const ResourceLoaderOptions& options)
+bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)
 {
     if (!canRequest(resource->type(), request.url(), options, false, FetchRequest::UseDefaultOriginRestrictionForType))
         return false;
+    if (options.corsEnabled == IsCORSEnabled) {
+        SecurityOrigin* sourceOrigin = options.securityOrigin.get();
+        if (!sourceOrigin && document())
+            sourceOrigin = document()->securityOrigin();
+        if (!sourceOrigin)
+            return false;

[abarth-chromium, 2014/02/05 08:20:44]

This can't ever occur.  documet()->securityOrigin() is always non-null.

[sof, 2014/02/05 10:05:42]

Just being conservative, good to know. Gone.

+        String errorMessage;
+        if (!CrossOriginAccessControl::handleRedirect(resource, sourceOrigin, request, redirectResponse, options, errorMessage)) {
+            if (frame() && frame()->document())

[abarth-chromium, 2014/02/05 08:20:44]

frame()->document() will always be non-null in this case.  In fact, it will
always be equal to document()

[sof, 2014/02/05 10:05:42]

I did have it as "if (document())" initially (like in canAccessResource()), but
noticed that in a HTML Imports testcase
(import-script-block-crossorigin-dynamic) which generates CORS errors from
within an imported document, the errors weren't being propagated out (=> console
errors not being displayed in the test's output.)

Where do we want to report such errors to?

+                frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, errorMessage);

[abarth-chromium, 2014/02/05 08:20:44]

Why not just call addCnosoleMessage on document() directory?  There's no way to
get here after the document detaches from the frame.  You can add an
ASSERT(frame()); if you like.

+            return false;
+        }
+    }
     if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url()))
         return false;
     return true;
 }
 
 void ResourceFetcher::refResourceLoaderHost()
 {
     ref();
 }
 
@@ skipping 84 matching lines @@
     case Revalidate:
         ++m_revalidateCount;
         return;
     case Use:
         ++m_useCount;
         return;
     }
 }
 
 }