CREDENTIAL: Rework the integration with Fetch (1/2)

third_party/WebKit/Source/modules/fetch/Request.cpp

Index: third_party/WebKit/Source/modules/fetch/Request.cpp
diff --git a/third_party/WebKit/Source/modules/fetch/Request.cpp b/third_party/WebKit/Source/modules/fetch/Request.cpp
index 1bbbb2c5e93cc3819b3ababe1f911d4f2faff0ce..115069684a2c2d8f54adf7918acd609c3c83f40b 100644
--- a/third_party/WebKit/Source/modules/fetch/Request.cpp
+++ b/third_party/WebKit/Source/modules/fetch/Request.cpp
@@ -216,6 +216,14 @@ Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Req
         request->setCredentials(WebURLRequest::FetchCredentialsModeSameOrigin);
     } else if (init.credentials == "include") {
         request->setCredentials(WebURLRequest::FetchCredentialsModeInclude);
+    } else if (init.credentials == "password") {
+        if (!init.attachedCredential.get()) {
+            exceptionState.throwTypeError("Cannot construct a Request with a credential mode of 'password' without a PasswordCredential.");
+            return nullptr;
+        }
+        request->setCredentials(WebURLRequest::FetchCredentialsModePassword);
+        request->setAttachedCredentialBuffer(new BodyStreamBuffer(init.attachedCredential.release()));
+        request->setRedirect(WebURLRequest::FetchRedirectModeManual);

[horo, 2016/04/04 05:26:00]

Please add layout tests to check the manual redirect works well.

1. The server returns a redirect response to same origin.
2. The server returns a redirect response to other origin.

In SW patch, https://codereview.chromium.org/1847383003/

1. e.respondWith(Response.redirect("/same_origin_url"))
2. e.respondWith(Response.redirect("//other_origin_url"))
3. e.respondWith(fetch("/same_origin_url_to_redirect_to_same_origin"));
4. e.respondWith(fetch("/same_origin_url_to_redirect_to_other_origin"));
5. e.respondWith(fetch("//other_origin_url_to_redirect_to_same_origin"));
6. e.respondWith(fetch("//other_origin_url_to_redirect_to_other_origin"));

[Mike West, 2016/04/04 08:04:20]

Done. I also drove-by a small fix to set the opaque-redirect response's URL,
which wasn't being set in the current code (as the Fetch spec notes, it's safe
to do so, because we don't actually follow the redirect, so the URL will be the
value the page actually requested).

     } else {
         if (!inputRequest)
             request->setCredentials(WebURLRequest::FetchCredentialsModeOmit);
@@ -305,13 +313,25 @@ Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Req
 
     // "If either |init|'s body member is present or |temporaryBody| is
     // non-null, and |request|'s method is `GET` or `HEAD`, throw a TypeError.
-    if (init.body || temporaryBody) {
+    if (init.body || temporaryBody || request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
         if (request->method() == HTTPNames::GET || request->method() == HTTPNames::HEAD) {
             exceptionState.throwTypeError("Request with GET/HEAD method cannot have body.");
             return nullptr;
         }
     }
 
+    // TODO(mkwst): See the comment in RequestInit about serializing the attached credential
+    // prior to hitting the Service Worker machinery.
+    if (request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
+        r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);
+
+        // TODO(mkwst): This should be a registrable-domain match.
+        if (!origin->canRequest(r->url())) {
+            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
+            return nullptr;
+        }
+    }
+
     // "If |init|'s body member is present, run these substeps:"
     if (init.body) {
         // Perform the following steps:
@@ -334,22 +354,6 @@ Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Req
     if (temporaryBody)
         r->m_request->setBuffer(temporaryBody);
 
-    // https://w3c.github.io/webappsec-credential-management/#monkey-patching-fetch-3
-    // "If |init|'s body member is a 'Credential' object:"
-    if (init.isCredentialRequest) {
-        // "1. If |r|'s url is not the same as |r|'s client’s origin, throw a TypeError."
-        if (!origin->canRequest(r->url())) {
-            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
-            return nullptr;
-        }
-        // "2. Set |r|'s redirect mode to "error"."
-        r->m_request->setRedirect(WebURLRequest::FetchRedirectModeError);
-        // "3. Set |r|'s skip-service-worker flag."
-        // TODO(mkwst): Set this flag.
-        // "4. Set |r|'s opaque flag."
-        r->setOpaque();
-    }
-
     // "Set |r|'s MIME type to the result of extracting a MIME type from |r|'s
     // request's header list."
     r->m_request->setMIMEType(r->m_request->headerList()->extractMIMEType());
@@ -560,6 +564,8 @@ String Request::credentials() const
         return "same-origin";
     case WebURLRequest::FetchCredentialsModeInclude:
         return "include";
+    case WebURLRequest::FetchCredentialsModePassword:
+        return "password";
     }
     ASSERT_NOT_REACHED();
     return "";