Source/core/fetch/CrossOriginAccessControl.cpp - Issue 196043002: HTML Imports: Send credentials for same origin requests

Side by Side Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 196043002: HTML Imports: Send credentials for same origin requests (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Updated Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« no previous file with comments | « Source/core/css/CSSImageSetValue.cpp ('k') | Source/core/fetch/FetchRequest.h » ('j') | no next file with comments »

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.	2 * Copyright (C) 2008 Apple Inc. All Rights Reserved.

3 *	3 *

4 * Redistribution and use in source and binary forms, with or without	4 * Redistribution and use in source and binary forms, with or without

5 * modification, are permitted provided that the following conditions	5 * modification, are permitted provided that the following conditions

6 * are met:	6 * are met:

7 * 1. Redistributions of source code must retain the above copyright	7 * 1. Redistributions of source code must retain the above copyright

8 * notice, this list of conditions and the following disclaimer.	8 * notice, this list of conditions and the following disclaimer.

9 * 2. Redistributions in binary form must reproduce the above copyright	9 * 2. Redistributions in binary form must reproduce the above copyright

10 * notice, this list of conditions and the following disclaimer in the	10 * notice, this list of conditions and the following disclaimer in the

(...skipping 222 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
233	233

234 // Same-origin request URLs that redirect are allowed without checking acces s.	234 // Same-origin request URLs that redirect are allowed without checking acces s.

235 if (!securityOrigin->canRequest(originalURL)) {	235 if (!securityOrigin->canRequest(originalURL)) {

236 // Follow http://www.w3.org/TR/cors/#redirect-steps	236 // Follow http://www.w3.org/TR/cors/#redirect-steps

237 String errorDescription;	237 String errorDescription;

238	238

239 // Steps 3 & 4 - check if scheme and other URL restrictions hold.	239 // Steps 3 & 4 - check if scheme and other URL restrictions hold.

240 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio n);	240 bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescriptio n);

241 if (allowRedirect) {	241 if (allowRedirect) {

242 // Step 5: perform resource sharing access check.	242 // Step 5: perform resource sharing access check.

243 StoredCredentials withCredentials = resource->resourceRequest().allo wStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials;	243 StoredCredentials withCredentials = resource->lastResourceRequest(). allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
	Nate Chapin 2014/03/18 21:50:20 I would have thought that lastResourceRequest() wa I would have thought that lastResourceRequest() was the same as the request parameter. Is that incorrect? Hajime Morrita 2014/03/18 22:10:40 The \|request\| parameter isn't in the Resource::m_r Show quoted text On 2014/03/18 21:50:20, Nate Chapin wrote: > I would have thought that lastResourceRequest() was the same as the request > parameter. Is that incorrect? The \|request\| parameter isn't in the Resource::m_redirectChain yet so lastResourceRequest() is different from \|request\|. It is added to the chain later. Probably that is because handleRedirect() could decline the upcoming redirect. Nate Chapin 2014/03/18 22:15:44 Maybe we should consider updating the redirect cha Show quoted text On 2014/03/18 22:10:40, morrita1 wrote: > On 2014/03/18 21:50:20, Nate Chapin wrote: > > I would have thought that lastResourceRequest() was the same as the request > > parameter. Is that incorrect? > The \|request\| parameter isn't in the Resource::m_redirectChain yet so > lastResourceRequest() is different from \|request\|. It is added to the chain > later. Probably that is because handleRedirect() could decline the upcoming > redirect. Maybe we should consider updating the redirect chain, then doing the handleRedirect() check? Having the extra request in the redirect chain shouldn't matter if the request gets cancelled. We don't have to block this patch on that change, though. Hajime Morrita 2014/03/18 22:34:58 I can do this, but how does it help? We need secon Show quoted text On 2014/03/18 22:15:44, Nate Chapin wrote: > On 2014/03/18 22:10:40, morrita1 wrote: > > On 2014/03/18 21:50:20, Nate Chapin wrote: > > > I would have thought that lastResourceRequest() was the same as the request > > > parameter. Is that incorrect? > > The \|request\| parameter isn't in the Resource::m_redirectChain yet so > > lastResourceRequest() is different from \|request\|. It is added to the chain > > later. Probably that is because handleRedirect() could decline the upcoming > > redirect. > > Maybe we should consider updating the redirect chain, then doing the > handleRedirect() check? Having the extra request in the redirect chain shouldn't > matter if the request gets cancelled. I can do this, but how does it help? We need secondLastResouceRequest() or something here then, or example. I agree that though, the redirect handling is confusing as a result of historically accumulated debt and should be straighten somehow. Currently the flow goes up and down between layers and hard to follow.
244 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede ntials, securityOrigin, errorDescription);	244 allowRedirect = passesAccessControlCheck(redirectResponse, withCrede ntials, securityOrigin, errorDescription);

245 if (allowRedirect) {	245 if (allowRedirect) {

246 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o riginalURL);	246 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(o riginalURL);

247 // Step 6: if the request URL origin is not same origin as the o riginal URL's,	247 // Step 6: if the request URL origin is not same origin as the o riginal URL's,

248 // set the source origin to a globally unique identifier.	248 // set the source origin to a globally unique identifier.

249 if (!originalOrigin->canRequest(requestURL)) {	249 if (!originalOrigin->canRequest(requestURL)) {

250 options.securityOrigin = SecurityOrigin::createUnique();	250 options.securityOrigin = SecurityOrigin::createUnique();

251 securityOrigin = options.securityOrigin.get();	251 securityOrigin = options.securityOrigin.get();

252 }	252 }

253 }	253 }

(...skipping 10 matching lines...) Expand all Loading...
264 request.setHTTPOrigin(securityOrigin->toAtomicString());	264 request.setHTTPOrigin(securityOrigin->toAtomicString());

265 // If the user didn't request credentials in the first place, update our	265 // If the user didn't request credentials in the first place, update our

266 // state so we neither request them nor expect they must be allowed.	266 // state so we neither request them nor expect they must be allowed.

267 if (options.credentialsRequested == ClientDidNotRequestCredentials)	267 if (options.credentialsRequested == ClientDidNotRequestCredentials)

268 options.allowCredentials = DoNotAllowStoredCredentials;	268 options.allowCredentials = DoNotAllowStoredCredentials;

269 }	269 }

270 return true;	270 return true;

271 }	271 }

272	272

273 } // namespace WebCore	273 } // namespace WebCore

OLD	NEW