Set the request mode and the credentials mode even if the request will not go to ServiceWorker.

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 168 matching lines @@
     //     recorded here.
     // - ThreadableLoader w/ non-GET request is only created from javascript
     //   initiated fetch.
     //   - Some non-script initiated fetches such as WorkerScriptLoader also use
     //     ThreadableLoader, but they are guaranteed to use GET method.
     if (request.httpMethod() != HTTPNames::GET) {
         if (Page* page = m_document->page())
             page->chromeClient().didObserveNonGetFetchFromScript();
     }
 
+    ResourceRequest newRequest(request);
+    if (m_requestContext != WebURLRequest::RequestContextFetch) {
+        // When the request context is not "fetch",
+        // |crossOriginRequestPolicy| represents the fetch request mode,
+        // and |credentialsRequested| represents the fetch credentials mode.
+        // So we set those flags here so that we can see the correct request
+        // mode and credentials mode in the service worker's fetch event
+        // handler.
+        switch (m_options.crossOriginRequestPolicy) {
+        case DenyCrossOriginRequests:
+            newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeSameOrigin);
+            break;
+        case UseAccessControl:
+            if (m_options.preflightPolicy == ForcePreflight)
+                newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORSWithForcedPreflight);
+            else
+                newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
+            break;
+        case AllowCrossOriginRequests:
+            // No-CORS requests are allowed only for those contexts when

[Marijn Kruisselbrink, 2016/05/12 17:30:37]

The comment doesn't match the check. You're comment says (!skipServiceWorker &&
(context == audio || context == ....)), while the implementation instead says
that no-cors is allowed for all these contexts, and any other context if
skipServiceWorker is set.

Also I don't understand why no-cors would need to be okay for other contexts as
long as skipServiceWorker is true?

[horo, 2016/05/16 06:24:19]

Updated comment.
Pepper plugins with private permission can send no-cors requests.
https://crrev.com/606993002
So we needs to allow the requests from these plugins.

+            // skipServiceWorker is not set.
+            SECURITY_CHECK(request.skipServiceWorker() || m_requestContext == WebURLRequest::RequestContextAudio || m_requestContext == WebURLRequest::RequestContextVideo || m_requestContext == WebURLRequest::RequestContextObject || m_requestContext == WebURLRequest::RequestContextFavicon || m_requestContext == WebURLRequest::RequestContextImage || m_requestContext == WebURLRequest::RequestContextScript);
+            newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeNoCORS);
+            break;
+        }
+        if (m_resourceLoaderOptions.allowCredentials == AllowStoredCredentials)
+            newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentialsModeInclude);
+        else
+            newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentialsModeSameOrigin);
+    }
+
     // We assume that ServiceWorker is skipped for sync requests and unsupported
     // protocol requests by content/ code.
     if (m_async && !request.skipServiceWorker() && SchemeRegistry::shouldTreatURLSchemeAsAllowingServiceWorkers(request.url().protocol()) && m_document->fetcher()->isControlledByServiceWorker()) {
-        ResourceRequest newRequest(request);
-        const WebURLRequest::RequestContext requestContext(request.requestContext());
-        if (requestContext != WebURLRequest::RequestContextFetch) {
-            // When the request context is not "fetch",
-            // |crossOriginRequestPolicy| represents the fetch request mode,
-            // and |credentialsRequested| represents the fetch credentials mode.
-            // So we set those flags here so that we can see the correct request
-            // mode and credentials mode in the service worker's fetch event
-            // handler.
-            switch (m_options.crossOriginRequestPolicy) {
-            case DenyCrossOriginRequests:
-                newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeSameOrigin);
-                break;
-            case UseAccessControl:
-                if (m_options.preflightPolicy == ForcePreflight)
-                    newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORSWithForcedPreflight);
-                else
-                    newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeCORS);
-                break;
-            case AllowCrossOriginRequests:
-                // No-CORS requests are allowed only for those contexts.
-                SECURITY_CHECK(requestContext == WebURLRequest::RequestContextAudio || requestContext == WebURLRequest::RequestContextVideo || requestContext == WebURLRequest::RequestContextObject || requestContext == WebURLRequest::RequestContextFavicon || requestContext == WebURLRequest::RequestContextImage || requestContext == WebURLRequest::RequestContextScript);
-                newRequest.setFetchRequestMode(WebURLRequest::FetchRequestModeNoCORS);
-                break;
-            }
-            if (m_resourceLoaderOptions.allowCredentials == AllowStoredCredentials)
-                newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentialsModeInclude);
-            else
-                newRequest.setFetchCredentialsMode(WebURLRequest::FetchCredentialsModeSameOrigin);
-        }
         if (newRequest.fetchRequestMode() == WebURLRequest::FetchRequestModeCORS || newRequest.fetchRequestMode() == WebURLRequest::FetchRequestModeCORSWithForcedPreflight) {
             m_fallbackRequestForServiceWorker = ResourceRequest(request);
             m_fallbackRequestForServiceWorker.setSkipServiceWorker(true);
         }
-
         loadRequest(newRequest, m_resourceLoaderOptions);
         // |this| may be dead here.
         return;
     }
 
-    dispatchInitialRequest(request);
+    dispatchInitialRequest(newRequest);
     // |this| may be dead here in async mode.
 }
 
 void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& request)
 {
     if (!request.isExternalRequest() && (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)) {
         loadRequest(request, m_resourceLoaderOptions);
         // |this| may be dead here in async mode.
         return;
     }
@@ skipping 731 matching lines @@
     return m_securityOrigin ? m_securityOrigin.get() : document().getSecurityOrigin();
 }
 
 Document& DocumentThreadableLoader::document() const
 {
     ASSERT(m_document);
     return *m_document;
 }
 
 } // namespace blink