Description

Restrict CORS wildcard+credentials combination for http(s) only.
CORS-with-credentials are only defined for http(s) resources.
Chromium uses Access-Control-Allow-Origin: * with the intention of
whitelisting resources at certain origins for use in XMLHttpRequest and
images with canvas.
When the includeCredentials flag is set, these requests are blocked, even
though the term "credentials" makes no sense for data:/chrome-extension:-URLs.
This CL relaxes the wildcard check for non-http(s) resources, so that implementors
can choose to use CORS regardless of whether credentials were requested.
BUG=315152
TEST=Layout tests are already in CL https://codereview.chromium.org/54173002/
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169391
Patch Set 1
Patch Set 2: Check scheme of requested resource instead of securityOrigin
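A minimal model of the wildcard step of the CORS check before and after the change described above, added here as an illustration and not taken from Blink's source. The function names are hypothetical and the sample URLs are constructed; the model covers only the `Access-Control-Allow-Origin: *` decision, not the rest of the access check.

```javascript
// Added illustration, not Blink code. Names and sample URLs are hypothetical/constructed.
const HTTP_SCHEMES = new Set(['http:', 'https:']);

// Scheme of the *requested resource* (Patch Set 2 checks this, not the securityOrigin).
// The URL parser lowercases the scheme, so "HTTPS://" cannot slip past the check.
function resourceScheme(resourceUrl) {
  try {
    return new URL(resourceUrl).protocol;
  } catch (e) {
    return null; // unparseable URL: caller fails closed
  }
}

// Before the CL: a wildcard is rejected whenever credentials are included.
function wildcardAllowedBefore(resourceUrl, includeCredentials) {
  return !includeCredentials;
}

// After the CL: the wildcard+credentials rejection applies to http(s) resources only.
function wildcardAllowedAfter(resourceUrl, includeCredentials) {
  if (!includeCredentials) return true;
  const scheme = resourceScheme(resourceUrl);
  if (scheme === null) return false;      // fail closed on malformed input
  return !HTTP_SCHEMES.has(scheme);       // data:, chrome-extension:, ... pass
}

// Constructed sample requests, all answered with "Access-Control-Allow-Origin: *".
const SAMPLES = [
  { url: 'https://example.test/a.png', includeCredentials: true },
  { url: 'HTTPS://example.test/a.png', includeCredentials: true },
  { url: 'http://example.test/a.png', includeCredentials: false },
  { url: 'data:image/png;base64,AAAA', includeCredentials: true },
  { url: 'chrome-extension://exampleextensionid/icon.png', includeCredentials: true },
];

// URLs whose outcome differs between the old and the relaxed check.
function changedByCl(samples) {
  return samples
    .filter(s => wildcardAllowedBefore(s.url, s.includeCredentials) !==
                 wildcardAllowedAfter(s.url, s.includeCredentials))
    .map(s => s.url);
}

console.log(changedByCl(SAMPLES));
```

Only the non-http(s) requests with credentials change outcome; an http(s) response that pairs a wildcard with a credentialed request is still rejected.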