CREDENTIAL: Rework the integration with Fetch (1/2)

third_party/WebKit/Source/modules/fetch/Request.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/fetch/Request.h"
 
 #include "bindings/core/v8/Dictionary.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/fetch/FetchUtils.h"
@@ skipping 198 matching lines @@
     // "Let |credentials| be |init|'s credentials member if it is present, and
     // |fallbackCredentials| otherwise."
     // "If |credentials| is non-null, set |request|'s credentials mode to
     // |credentials|."
     if (init.credentials == "omit") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeOmit);
     } else if (init.credentials == "same-origin") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeSameOrigin);
     } else if (init.credentials == "include") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeInclude);
+    } else if (init.credentials == "password") {
+        if (!init.attachedCredential.get()) {
+            exceptionState.throwTypeError("Cannot construct a Request with a credential mode of 'password' without a PasswordCredential.");
+            return nullptr;
+        }
+        request->setCredentials(WebURLRequest::FetchCredentialsModePassword);
+        request->setAttachedCredentialBuffer(new BodyStreamBuffer(init.attachedCredential.release()));
+        request->setRedirect(WebURLRequest::FetchRedirectModeManual);

[horo, 2016/04/04 05:26:00]

Please add layout tests to check the manual redirect works well.

1. The server returns a redirect response to same origin.
2. The server returns a redirect response to other origin.

In SW patch, https://codereview.chromium.org/1847383003/

1. e.respondWith(Response.redirect("/same_origin_url"))
2. e.respondWith(Response.redirect("//other_origin_url"))
3. e.respondWith(fetch("/same_origin_url_to_redirect_to_same_origin"));
4. e.respondWith(fetch("/same_origin_url_to_redirect_to_other_origin"));
5. e.respondWith(fetch("//other_origin_url_to_redirect_to_same_origin"));
6. e.respondWith(fetch("//other_origin_url_to_redirect_to_other_origin"));

[Mike West, 2016/04/04 08:04:20]

Done. I also drove-by a small fix to set the opaque-redirect response's URL,
which wasn't being set in the current code (as the Fetch spec notes, it's safe
to do so, because we don't actually follow the redirect, so the URL will be the
value the page actually requested).

     } else {
         if (!inputRequest)
             request->setCredentials(WebURLRequest::FetchCredentialsModeOmit);
     }
 
     // TODO(yhirano): Implement the following step:
     //   "If |init|'s cache member is present, set |request|'s cache mode to
     //   it."
 
     // "If |init|'s redirect member is present, set |request|'s redirect mode
@@ skipping 69 matching lines @@
         r->getHeaders()->fillWith(init.headersDictionary, exceptionState);
     } else {
         ASSERT(headers);
         r->getHeaders()->fillWith(headers, exceptionState);
     }
     if (exceptionState.hadException())
         return nullptr;
 
     // "If either |init|'s body member is present or |temporaryBody| is
     // non-null, and |request|'s method is `GET` or `HEAD`, throw a TypeError.
-    if (init.body || temporaryBody) {
+    if (init.body || temporaryBody || request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
         if (request->method() == HTTPNames::GET || request->method() == HTTPNames::HEAD) {
             exceptionState.throwTypeError("Request with GET/HEAD method cannot have body.");
             return nullptr;
         }
     }
 
+    // TODO(mkwst): See the comment in RequestInit about serializing the attached credential
+    // prior to hitting the Service Worker machinery.
+    if (request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
+        r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);
+
+        // TODO(mkwst): This should be a registrable-domain match.
+        if (!origin->canRequest(r->url())) {
+            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
+            return nullptr;
+        }
+    }
+
     // "If |init|'s body member is present, run these substeps:"
     if (init.body) {
         // Perform the following steps:
         // - "Let |stream| and |Content-Type| be the result of extracting
         //   |init|'s body member."
         // - "Set |temporaryBody| to |stream|.
         // - "If |Content-Type| is non-null and |r|'s request's header list
         //   contains no header named `Content-Type`, append
         //   `Content-Type`/|Content-Type| to |r|'s Headers object. Rethrow any
         //   exception."
         temporaryBody = new BodyStreamBuffer(init.body.release());
         if (!init.contentType.isEmpty() && !r->getHeaders()->has(HTTPNames::Content_Type, exceptionState)) {
             r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);
         }
         if (exceptionState.hadException())
             return nullptr;
     }
 
     // "Set |r|'s request's body to |temporaryBody|.
     if (temporaryBody)
         r->m_request->setBuffer(temporaryBody);
 
-    // https://w3c.github.io/webappsec-credential-management/#monkey-patching-fetch-3
-    // "If |init|'s body member is a 'Credential' object:"
-    if (init.isCredentialRequest) {
-        // "1. If |r|'s url is not the same as |r|'s client’s origin, throw a TypeError."
-        if (!origin->canRequest(r->url())) {
-            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
-            return nullptr;
-        }
-        // "2. Set |r|'s redirect mode to "error"."
-        r->m_request->setRedirect(WebURLRequest::FetchRedirectModeError);
-        // "3. Set |r|'s skip-service-worker flag."
-        // TODO(mkwst): Set this flag.
-        // "4. Set |r|'s opaque flag."
-        r->setOpaque();
-    }
-
     // "Set |r|'s MIME type to the result of extracting a MIME type from |r|'s
     // request's header list."
     r->m_request->setMIMEType(r->m_request->headerList()->extractMIMEType());
 
     // "If |input| is a Request object and |input|'s request's body is
     // non-null, run these substeps:"
     if (inputRequest && inputRequest->bodyBuffer()) {
         // "Set |input|'s body to an empty byte stream."
         inputRequest->m_request->setBuffer(new BodyStreamBuffer(createFetchDataConsumerHandleFromWebHandle(createDoneDataConsumerHandle())));
         // "Set |input|'s disturbed flag."
@@ skipping 190 matching lines @@
     // "The credentials attribute's getter must return the value corresponding
     // to the first matching statement, switching on request's credentials
     // mode:"
     switch (m_request->credentials()) {
     case WebURLRequest::FetchCredentialsModeOmit:
         return "omit";
     case WebURLRequest::FetchCredentialsModeSameOrigin:
         return "same-origin";
     case WebURLRequest::FetchCredentialsModeInclude:
         return "include";
+    case WebURLRequest::FetchCredentialsModePassword:
+        return "password";
     }
     ASSERT_NOT_REACHED();
     return "";
 }
 
 String Request::redirect() const
 {
     // "The redirect attribute's getter must return request's redirect mode."
     switch (m_request->redirect()) {
     case WebURLRequest::FetchRedirectModeFollow:
@@ skipping 66 matching lines @@
 }
 
 DEFINE_TRACE(Request)
 {
     Body::trace(visitor);
     visitor->trace(m_request);
     visitor->trace(m_headers);
 }
 
 } // namespace blink