Make DocumentThreadableLoader's cross origin logic clearer in terms of layering

third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 35 matching lines @@
 bool isOnAccessControlResponseHeaderWhitelist(const String& name) {
   DEFINE_THREAD_SAFE_STATIC_LOCAL(
       HTTPHeaderSet, allowedCrossOriginResponseHeaders,
       (new HTTPHeaderSet({
           "cache-control", "content-language", "content-type", "expires",
           "last-modified", "pragma",
       })));
   return allowedCrossOriginResponseHeaders.contains(name);
 }
 
-void updateRequestForAccessControl(ResourceRequest& request,
-                                   const SecurityOrigin* securityOrigin,
-                                   StoredCredentials allowCredentials) {
-  request.removeCredentials();
-  request.setAllowStoredCredentials(allowCredentials == AllowStoredCredentials);
-
-  if (securityOrigin)
-    request.setHTTPOrigin(securityOrigin);
-}
-
 // Fetch API Spec: https://fetch.spec.whatwg.org/#cors-preflight-fetch-0
 static AtomicString createAccessControlRequestHeadersHeader(
     const HTTPHeaderMap& headers) {
   Vector<String> filteredHeaders;
   for (const auto& header : headers) {
     if (FetchUtils::isSimpleHeader(header.key, header.value)) {
       // Exclude simple headers.
       continue;
     }
     if (equalIgnoringCase(header.key, "referer")) {
@@ skipping 14 matching lines @@
       headerBuffer.append(", ");
     headerBuffer.append(header);
   }
 
   return AtomicString(headerBuffer.toString());
 }
 
 ResourceRequest createAccessControlPreflightRequest(
     const ResourceRequest& request,
     const SecurityOrigin* securityOrigin) {
-  ResourceRequest preflightRequest(request.url());
-  updateRequestForAccessControl(preflightRequest, securityOrigin,
-                                DoNotAllowStoredCredentials);
+  const KURL& requestURL = request.url();
+
+  DCHECK(requestURL.user().isEmpty());
+  DCHECK(requestURL.pass().isEmpty());
+
+  ResourceRequest preflightRequest(requestURL);
+  preflightRequest.setAllowStoredCredentials(false);
   preflightRequest.setHTTPMethod(HTTPNames::OPTIONS);
   preflightRequest.setHTTPHeaderField(HTTPNames::Access_Control_Request_Method,
                                       AtomicString(request.httpMethod()));
   preflightRequest.setPriority(request.priority());
   preflightRequest.setRequestContext(request.requestContext());
   preflightRequest.setSkipServiceWorker(WebURLRequest::SkipServiceWorker::All);
 
   if (request.isExternalRequest()) {
     preflightRequest.setHTTPHeaderField(
         HTTPNames::Access_Control_Request_External, "true");
@@ skipping 320 matching lines @@
     //
     // This is equivalent to the step 2 in
     // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
     if (options.credentialsRequested == ClientDidNotRequestCredentials)
       options.allowCredentials = DoNotAllowStoredCredentials;
   }
   return true;
 }
 
 }  // namespace blink