CREDENTIAL: Rework the integration with Fetch (1/2)

third_party/WebKit/Source/modules/fetch/Request.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/fetch/Request.h"
 
 #include "bindings/core/v8/Dictionary.h"
 #include "core/dom/Document.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/fetch/FetchUtils.h"
@@ skipping 24 matching lines @@
     DOMWrapperWorld& world = scriptState->world();
     if (world.isIsolatedWorld())
         request->setOrigin(world.isolatedWorldSecurityOrigin());
     else
         request->setOrigin(scriptState->getExecutionContext()->getSecurityOrigin());
     // FIXME: Set ForceOriginHeaderFlag.
     request->setSameOriginDataURLFlag(true);
     request->setReferrer(original->referrer());
     request->setMode(original->mode());
     request->setCredentials(original->credentials());
+    request->setAttachedCredential(original->attachedCredential());
     request->setRedirect(original->redirect());
     request->setIntegrity(original->integrity());
     // FIXME: Set cache mode.
     // TODO(yhirano): Set redirect mode.
     return request;
 }
 
 Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Request* inputRequest, const String& inputString, RequestInit& init, ExceptionState& exceptionState)
 {
     // - "If |input| is a Request object and it is disturbed, throw a
@@ skipping 154 matching lines @@
     // "Let |credentials| be |init|'s credentials member if it is present, and
     // |fallbackCredentials| otherwise."
     // "If |credentials| is non-null, set |request|'s credentials mode to
     // |credentials|."
     if (init.credentials == "omit") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeOmit);
     } else if (init.credentials == "same-origin") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeSameOrigin);
     } else if (init.credentials == "include") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeInclude);
+    } else if (init.credentials == "password") {
+        if (!init.attachedCredential.get()) {
+            exceptionState.throwTypeError("Cannot construct a Request with a credential mode of 'password' without a PasswordCredential.");
+            return nullptr;
+        }
+        request->setCredentials(WebURLRequest::FetchCredentialsModePassword);
+        request->setAttachedCredential(init.attachedCredential);
+        request->setRedirect(WebURLRequest::FetchRedirectModeManual);
     } else {
         if (!inputRequest)
             request->setCredentials(WebURLRequest::FetchCredentialsModeOmit);
     }
 
     // TODO(yhirano): Implement the following step:
     //   "If |init|'s cache member is present, set |request|'s cache mode to
     //   it."
 
     // "If |init|'s redirect member is present, set |request|'s redirect mode
@@ skipping 69 matching lines @@
         r->getHeaders()->fillWith(init.headersDictionary, exceptionState);
     } else {
         ASSERT(headers);
         r->getHeaders()->fillWith(headers, exceptionState);
     }
     if (exceptionState.hadException())
         return nullptr;
 
     // "If either |init|'s body member is present or |temporaryBody| is
     // non-null, and |request|'s method is `GET` or `HEAD`, throw a TypeError.
-    if (init.body || temporaryBody) {
+    if (init.body || temporaryBody || request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
         if (request->method() == HTTPNames::GET || request->method() == HTTPNames::HEAD) {
             exceptionState.throwTypeError("Request with GET/HEAD method cannot have body.");
             return nullptr;
         }
     }
 
+    // TODO(mkwst): See the comment in RequestInit about serializing the attached credential
+    // prior to hitting the Service Worker machinery.
+    if (request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
+        r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);
+
+        // TODO(mkwst): This should be a registrable-domain match.
+        if (!origin->canRequest(r->url())) {
+            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
+            return nullptr;
+        }
+    }
+
     // "If |init|'s body member is present, run these substeps:"
     if (init.body) {
         // Perform the following steps:
         // - "Let |stream| and |Content-Type| be the result of extracting
         //   |init|'s body member."
         // - "Set |temporaryBody| to |stream|.
         // - "If |Content-Type| is non-null and |r|'s request's header list
         //   contains no header named `Content-Type`, append
         //   `Content-Type`/|Content-Type| to |r|'s Headers object. Rethrow any
         //   exception."
         temporaryBody = new BodyStreamBuffer(init.body.release());
         if (!init.contentType.isEmpty() && !r->getHeaders()->has(HTTPNames::Content_Type, exceptionState)) {
             r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);
         }
         if (exceptionState.hadException())
             return nullptr;
     }
 
     // "Set |r|'s request's body to |temporaryBody|.
     if (temporaryBody)
         r->m_request->setBuffer(temporaryBody);
 
-    // https://w3c.github.io/webappsec-credential-management/#monkey-patching-fetch-3
-    // "If |init|'s body member is a 'Credential' object:"
-    if (init.isCredentialRequest) {
-        // "1. If |r|'s url is not the same as |r|'s client’s origin, throw a TypeError."
-        if (!origin->canRequest(r->url())) {
-            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
-            return nullptr;
-        }
-        // "2. Set |r|'s redirect mode to "error"."
-        r->m_request->setRedirect(WebURLRequest::FetchRedirectModeError);
-        // "3. Set |r|'s skip-service-worker flag."
-        // TODO(mkwst): Set this flag.
-        // "4. Set |r|'s opaque flag."
-        r->setOpaque();
-    }
-
     // "Set |r|'s MIME type to the result of extracting a MIME type from |r|'s
     // request's header list."
     r->m_request->setMIMEType(r->m_request->headerList()->extractMIMEType());
 
     // "If |input| is a Request object and |input|'s request's body is
     // non-null, run these substeps:"
     if (inputRequest && inputRequest->bodyBuffer()) {
         // "Set |input|'s body to an empty byte stream."
         inputRequest->m_request->setBuffer(new BodyStreamBuffer(createFetchDataConsumerHandleFromWebHandle(createDoneDataConsumerHandle())));
         // "Set |input|'s disturbed flag."
@@ skipping 190 matching lines @@
     // "The credentials attribute's getter must return the value corresponding
     // to the first matching statement, switching on request's credentials
     // mode:"
     switch (m_request->credentials()) {
     case WebURLRequest::FetchCredentialsModeOmit:
         return "omit";
     case WebURLRequest::FetchCredentialsModeSameOrigin:
         return "same-origin";
     case WebURLRequest::FetchCredentialsModeInclude:
         return "include";
+    case WebURLRequest::FetchCredentialsModePassword:
+        return "password";
     }
     ASSERT_NOT_REACHED();
     return "";
 }
 
 String Request::redirect() const
 {
     // "The redirect attribute's getter must return request's redirect mode."
     switch (m_request->redirect()) {
     case WebURLRequest::FetchRedirectModeFollow:
@@ skipping 66 matching lines @@
 }
 
 DEFINE_TRACE(Request)
 {
     Body::trace(visitor);
     visitor->trace(m_request);
     visitor->trace(m_headers);
 }
 
 } // namespace blink