Side by Side Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 2290193003: Include the Origin header for XHR and Fetch API even if the request is same-origin
Patch Set: a Created 4 years, 3 months ago
1 /* 1 /*
2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
3 * Copyright (C) 2013, Intel Corporation 3 * Copyright (C) 2013, Intel Corporation
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are 6 * modification, are permitted provided that the following conditions are
7 * met: 7 * met:
8 * 8 *
9 * * Redistributions of source code must retain the above copyright 9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
(...skipping 231 matching lines...) Expand 10 before | Expand all | Expand 10 after
242 m_fallbackRequestForServiceWorker = ResourceRequest(request); 242 m_fallbackRequestForServiceWorker = ResourceRequest(request);
243 // m_fallbackRequestForServiceWorker is used when a regular controll ing 243 // m_fallbackRequestForServiceWorker is used when a regular controll ing
244 // service worker doesn't handle a cross origin request. When this h appens 244 // service worker doesn't handle a cross origin request. When this h appens
245 // we still want to give foreign fetch a chance to handle the reques t, so 245 // we still want to give foreign fetch a chance to handle the reques t, so
246 // only skip the controlling service worker for the fallback request . 246 // only skip the controlling service worker for the fallback request .
247 // This is currently safe because of http://crbug.com/604084 the 247 // This is currently safe because of http://crbug.com/604084 the
248 // wasFallbackRequiredByServiceWorker flag is never set when foreign fetch 248 // wasFallbackRequiredByServiceWorker flag is never set when foreign fetch
249 // handled a request. 249 // handled a request.
250 m_fallbackRequestForServiceWorker.setSkipServiceWorker(WebURLRequest ::SkipServiceWorker::Controlling); 250 m_fallbackRequestForServiceWorker.setSkipServiceWorker(WebURLRequest ::SkipServiceWorker::Controlling);
251 } 251 }
252
253 if (m_options.sameOriginHeaderPolicy == IncludeSameOriginHeader)
254 newRequest.setHTTPOrigin(getSecurityOrigin());
255
252 loadRequest(newRequest, m_resourceLoaderOptions); 256 loadRequest(newRequest, m_resourceLoaderOptions);
253 return; 257 return;
254 } 258 }
255 259
256 dispatchInitialRequest(newRequest); 260 dispatchInitialRequest(newRequest);
257 } 261 }
258 262
259 void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& req uest) 263 void DocumentThreadableLoader::dispatchInitialRequest(ResourceRequest& request)
260 { 264 {
261 if (!request.isExternalRequest() && (m_sameOriginRequest || m_options.crossO riginRequestPolicy == AllowCrossOriginRequests)) { 265 if (!request.isExternalRequest() && (m_sameOriginRequest || m_options.crossO riginRequestPolicy == AllowCrossOriginRequests)) {
266 if (m_options.sameOriginHeaderPolicy == IncludeSameOriginHeader)
267 request.setHTTPOrigin(getSecurityOrigin());
268
262 loadRequest(request, m_resourceLoaderOptions); 269 loadRequest(request, m_resourceLoaderOptions);
263 return; 270 return;
264 } 271 }
265 272
266 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl || request.isE xternalRequest()); 273 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl || request.isE xternalRequest());
267 274
268 makeCrossOriginAccessRequest(request); 275 makeCrossOriginAccessRequest(request);
269 } 276 }
270 277
271 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request) 278 void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques t& request)
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
306 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct. 313 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
307 // FIXME: We should set it in the caller of DocumentThreadableLoader. 314 // FIXME: We should set it in the caller of DocumentThreadableLoader.
308 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit); 315 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit);
309 if (m_didRedirect) { 316 if (m_didRedirect) {
310 crossOriginRequest.setHTTPReferrer(SecurityPolicy::generateReferrer( m_referrerAfterRedirect.referrerPolicy, crossOriginRequest.url(), m_referrerAfte rRedirect.referrer)); 317 crossOriginRequest.setHTTPReferrer(SecurityPolicy::generateReferrer( m_referrerAfterRedirect.referrerPolicy, crossOriginRequest.url(), m_referrerAfte rRedirect.referrer));
311 } 318 }
312 loadRequest(crossOriginRequest, crossOriginOptions); 319 loadRequest(crossOriginRequest, crossOriginOptions);
313 } else { 320 } else {
314 m_crossOriginNonSimpleRequest = true; 321 m_crossOriginNonSimpleRequest = true;
315 // Do not set the Origin header for preflight requests. 322 // Do not set the Origin header for preflight requests.
316 updateRequestForAccessControl(crossOriginRequest, 0, effectiveAllowCrede ntials()); 323 updateRequestForAccessControl(crossOriginRequest, nullptr, effectiveAllo wCredentials());
317 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct. 324 // We update the credentials mode according to effectiveAllowCredentials () here for backward compatibility. But this is not correct.
318 // FIXME: We should set it in the caller of DocumentThreadableLoader. 325 // FIXME: We should set it in the caller of DocumentThreadableLoader.
319 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit); 326 crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() = = AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRe quest::FetchCredentialsModeOmit);
320 m_actualRequest = crossOriginRequest; 327 m_actualRequest = crossOriginRequest;
321 m_actualOptions = crossOriginOptions; 328 m_actualOptions = crossOriginOptions;
322 329
323 if (m_didRedirect) { 330 if (m_didRedirect) {
324 m_actualRequest.setHTTPReferrer(SecurityPolicy::generateReferrer(m_r eferrerAfterRedirect.referrerPolicy, m_actualRequest.url(), m_referrerAfterRedir ect.referrer)); 331 m_actualRequest.setHTTPReferrer(SecurityPolicy::generateReferrer(m_r eferrerAfterRedirect.referrerPolicy, m_actualRequest.url(), m_referrerAfterRedir ect.referrer));
325 } 332 }
326 333
(...skipping 660 matching lines...) Expand 10 before | Expand all | Expand 10 after
987 994
988 DEFINE_TRACE(DocumentThreadableLoader) 995 DEFINE_TRACE(DocumentThreadableLoader)
989 { 996 {
990 visitor->trace(m_resource); 997 visitor->trace(m_resource);
991 visitor->trace(m_document); 998 visitor->trace(m_document);
992 ThreadableLoader::trace(visitor); 999 ThreadableLoader::trace(visitor);
993 RawResourceClient::trace(visitor); 1000 RawResourceClient::trace(visitor);
994 } 1001 }
995 1002
996 } // namespace blink 1003 } // namespace blink
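Review bot: The guard added at new lines 266-267 runs for every request that reaches that branch, which by the condition on line 265 includes cross-origin requests admitted with `AllowCrossOriginRequests`, not only same-origin ones, so the `IncludeSameOriginHeader` name understates what it does; if that is intended, a comment such as `// Also applies to cross-origin requests loaded with AllowCrossOriginRequests.` above the check would save the next reader the trace. The same two lines are duplicated at 253-254 and 266-267; a private helper like `void setOriginHeaderIfRequired(ResourceRequest&)` holding the policy check would keep the decision in one place. At 253-254 the header is set on newRequest after m_fallbackRequestForServiceWorker was copied from request at 242, so that fallback copy does not carry the Origin header; whether it is later routed through dispatchInitialRequest (where it would be added) is not visible here and is worth confirming. The function enclosing the first hunk starts outside this section.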