Chromium Code Reviews Chromium Code Reviews
Issue 18595008:
Prevents sending of 'orgin' in the "Access-Control-Request-Headers" when preflight requests are mad… (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 92 } | 92 } |
| 93 | 93 |
| 94 makeCrossOriginAccessRequest(request); | 94 makeCrossOriginAccessRequest(request); |
| 95 } | 95 } |
| 96 | 96 |
| 97 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) | 97 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) |
| 98 { | 98 { |
| 99 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); | 99 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); |
| 100 | 100 |
| 101 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(re quest)); | 101 OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(re quest)); |
| 102 updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_optio ns.allowCredentials); | |
| 103 | 102 |
| 104 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFiel ds())) || m_options.preflightPolicy == PreventPreflight) | 103 if ((m_options.preflightPolicy == ConsiderPreflight && isSimpleCrossOriginAc cessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFiel ds())) || m_options.preflightPolicy == PreventPreflight) { |
| 104 updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_o ptions.allowCredentials); | |
| 105 makeSimpleCrossOriginAccessRequest(*crossOriginRequest); | 105 makeSimpleCrossOriginAccessRequest(*crossOriginRequest); |
| 106 else { | 106 } else { |
| 107 m_simpleRequest = false; | 107 m_simpleRequest = false; |
| 108 // Do not set the Origin header for preflight requests. | |
| 109 updateRequestForAccessControl(*crossOriginRequest, static_cast<SecurityO rigin*>(0), m_options.allowCredentials); | |
|
abarth-chromium
2013/07/16 06:28:20
You shouldn't need the static_cast here.
ancilgeorge
2013/07/16 07:05:01
Done.
| |
| 108 m_actualRequest = crossOriginRequest.release(); | 110 m_actualRequest = crossOriginRequest.release(); |
| 109 | 111 |
| 110 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actua lRequest->httpMethod(), m_actualRequest->httpHeaderFields())) | 112 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityO rigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actua lRequest->httpMethod(), m_actualRequest->httpHeaderFields())) |
| 111 preflightSuccess(); | 113 preflightSuccess(); |
| 112 else | 114 else |
| 113 makeCrossOriginAccessRequestWithPreflight(*m_actualRequest); | 115 makeCrossOriginAccessRequestWithPreflight(*m_actualRequest); |
| 114 } | 116 } |
| 115 } | 117 } |
| 116 | 118 |
| 117 void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource Request& request) | 119 void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource Request& request) |
| (...skipping 361 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 479 return true; | 481 return true; |
| 480 return m_document->contentSecurityPolicy()->allowConnectToSource(url); | 482 return m_document->contentSecurityPolicy()->allowConnectToSource(url); |
| 481 } | 483 } |
| 482 | 484 |
| 483 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const | 485 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const |
| 484 { | 486 { |
| 485 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen t->securityOrigin(); | 487 return m_options.securityOrigin ? m_options.securityOrigin.get() : m_documen t->securityOrigin(); |
| 486 } | 488 } |
| 487 | 489 |
| 488 } // namespace WebCore | 490 } // namespace WebCore |
| OLD | NEW |
