Improve handling of CORS redirects for some resource loads.

Source/core/fetch/ResourceFetcher.cpp

Index: Source/core/fetch/ResourceFetcher.cpp
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp
index e3d0397c0a0855a990b6e513feb5637637bce64a..2a52e75a1bb74e68ff43ab9bf0ea97e03c020f44 100644
--- a/Source/core/fetch/ResourceFetcher.cpp
+++ b/Source/core/fetch/ResourceFetcher.cpp
@@ -31,6 +31,7 @@
 #include "bindings/v8/ScriptController.h"
 #include "core/dom/Document.h"
 #include "core/fetch/CSSStyleSheetResource.h"
+#include "core/fetch/CrossOriginAccessControl.h"
 #include "core/fetch/DocumentResource.h"
 #include "core/fetch/FetchContext.h"
 #include "core/fetch/FontResource.h"
@@ -550,17 +551,20 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
     return true;
 }
 
-bool ResourceFetcher::canAccessResource(Resource* resource, const KURL& url) const
+bool ResourceFetcher::canAccessResource(Resource* resource, SecurityOrigin* sourceOrigin, const KURL& url) const
 {
     // Redirects can change the response URL different from one of request.
     if (!canRequest(resource->type(), url, resource->options(), false, FetchRequest::UseDefaultOriginRestrictionForType))
         return false;
 
-    if (!document() || document()->securityOrigin()->canRequest(url))
+    if (!sourceOrigin && document())
+        sourceOrigin = document()->securityOrigin();
+
+    if (!sourceOrigin || sourceOrigin->canRequest(url))
         return true;
 
     String errorDescription;
-    if (!resource->passesAccessControlCheck(document()->securityOrigin(), errorDescription)) {
+    if (!resource->passesAccessControlCheck(sourceOrigin, errorDescription)) {
         if (frame() && frame()->document()) {
             String resourceType = Resource::resourceTypeToString(resource->type(), resource->options().initiatorInfo);
             frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, resourceType + " from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
@@ -1306,10 +1310,46 @@ bool ResourceFetcher::isLoadedBy(ResourceLoaderHost* possibleOwner) const
     return this == possibleOwner;
 }
 
-bool ResourceFetcher::shouldRequest(Resource* resource, const ResourceRequest& request, const ResourceLoaderOptions& options)
+bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options)

[abarth-chromium, 2014/01/31 23:42:40]

The logic you're adding to this function looks way too complicated.  Is this
really what the spec says?  Can you write the code in a way that machines the
spec line-by-line and cites each step in the spec?

[sof, 2014/02/01 14:39:19]

I've tried to address this by factoring out the redirect steps into a separate
helper, including spec cross-references. Easier to comprehend/reconciliate?

More can be done to unify that method with the redirect steps that the
DocumentThreadableLoader performs. I would like to address that, but as
follow-on work. 

 {
     if (!canRequest(resource->type(), request.url(), options, false, FetchRequest::UseDefaultOriginRestrictionForType))
         return false;
+    if (options.corsEnabled == IsCORSEnabled) {
+        const KURL& redirectUrl = redirectResponse.url();
+        String errorDescription;
+        bool canRedirect = checkCrossOriginAccessRedirectionUrl(request.url(), errorDescription);
+        if (canRedirect) {
+            SecurityOrigin* sourceOrigin = options.securityOrigin.get();
+            if (!sourceOrigin && document())
+                sourceOrigin = document()->securityOrigin();
+            if (!sourceOrigin)
+                return false;
+
+            bool redirectOutOfOrigin = !sourceOrigin->canRequest(request.url());
+            if (!sourceOrigin->canRequest(redirectUrl)) {
+                // The request to the redirect URL was cross-origin; perform access check.
+                StoredCredentials withCredentials = resource->resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+                canRedirect = passesAccessControlCheck(redirectResponse, withCredentials, sourceOrigin, errorDescription);
+                if (canRedirect && redirectOutOfOrigin) {
+                    // If allowed to redirect to another origin, the 'source origin'
+                    // becomes a globally unique origin.
+                    options.securityOrigin = SecurityOrigin::createUnique();
+                    sourceOrigin = options.securityOrigin.get();
+                }
+            }
+            // Add Origin: if redirecting out of origin.
+            if (canRedirect && redirectOutOfOrigin) {
+                request.clearHTTPOrigin();
+                request.setHTTPOrigin(sourceOrigin->toAtomicString());
+            }
+        }
+        if (!canRedirect) {
+            if (frame() && frame()->document()) {
+                frame()->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Redirect to origin '" + SecurityOrigin::create(redirectUrl)->toString() + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription);
+            }
+            return false;
+        }
+    }
     if (resource->type() == Resource::Image && shouldDeferImageLoad(request.url()))
         return false;
     return true;