CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader.

third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 63 matching lines @@
 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
 {
     ResourceRequest preflightRequest(request.url());
     updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
     preflightRequest.setHTTPMethod(HTTPNames::OPTIONS);
     preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method, AtomicString(request.httpMethod()));
     preflightRequest.setPriority(request.priority());
     preflightRequest.setRequestContext(request.requestContext());
     preflightRequest.setSkipServiceWorker(true);
 
+    if (request.isExternalRequest())
+        preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_External, "true");
+
     const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
 
     if (requestHeaderFields.size() > 0) {
         // Fetch API Spec:
         //   https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
         Vector<String> headers;
         for (const auto& header : requestHeaderFields) {
             if (FetchUtils::isSimpleHeader(header.key, header.value)) {
                 // Exclude simple headers.
                 continue;
@@ skipping 126 matching lines @@
     //   http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
     // https://crbug.com/452394
     if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) {
         errorDescription = "Response for preflight has invalid HTTP status code " + String::number(response.httpStatusCode());
         return false;
     }
 
     return true;
 }
 
+bool passesExternalPreflightCheck(const ResourceResponse& response, String& errorDescription)
+{
+    AtomicString result = response.httpHeaderField(HTTPNames::Access_Control_Allow_External);
+    if (result.isNull()) {
+        errorDescription = "No 'Access-Control-Allow-External' header was present in the preflight response for this external request (This is an experimental header which is defined in 'https://mikewest.github.io/cors-rfc1918/').";
+        return false;
+    }
+    if (!equalIgnoringCase(result, "true")) {
+        errorDescription = "The 'Access-Control-Allow-External' header in the preflight response for this external request had a value of '" + result + "',  not 'true' (This is an experimental header which is defined in 'https://mikewest.github.io/cors-rfc1918/').";
+        return false;
+    }
+    return true;
+}
+
 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
 {
     Vector<String> headers;
     headerValue.split(',', false, headers);
     for (unsigned headerCount = 0; headerCount < headers.size(); headerCount++) {
         String strippedHeader = headers[headerCount].stripWhiteSpace();
         if (!strippedHeader.isEmpty())
             headerSet.add(strippedHeader);
     }
 }
@@ skipping 54 matching lines @@
         newRequest.setHTTPOrigin(securityOrigin);
         // If the user didn't request credentials in the first place, update our
         // state so we neither request them nor expect they must be allowed.
         if (options.credentialsRequested == ClientDidNotRequestCredentials)
             options.allowCredentials = DoNotAllowStoredCredentials;
     }
     return true;
 }
 
 } // namespace blink