Make DocumentThreadableLoader's cross origin logic clearer in terms of layering

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 153 matching lines @@
       m_crossOriginNonSimpleRequest(false),
       m_isUsingDataConsumerHandle(false),
       m_async(blockingBehavior == LoadAsynchronously),
       m_requestContext(WebURLRequest::RequestContextUnspecified),
       m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout),
       m_requestStartedSeconds(0.0),
       m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl
                               ? kMaxCORSRedirects
                               : 0),
       m_redirectMode(WebURLRequest::FetchRedirectModeFollow),
-      m_didRedirect(false) {
+      m_overrideReferrer(false) {
   DCHECK(client);
 }
 
 void DocumentThreadableLoader::start(const ResourceRequest& request) {
   // Setting an outgoing referer is only supported in the async code path.
   DCHECK(m_async || request.httpReferrer().isEmpty());
 
   m_sameOriginRequest =
       getSecurityOrigin()->canRequestNoSuborigin(request.url());
   m_requestContext = request.requestContext();
@@ skipping 120 matching lines @@
     loadRequest(request, m_resourceLoaderOptions);
     return;
   }
 
   DCHECK(m_options.crossOriginRequestPolicy == UseAccessControl ||
          request.isExternalRequest());
 
   makeCrossOriginAccessRequest(request);
 }
 
+void DocumentThreadableLoader::prepareCrossOriginRequest(
+    ResourceRequest& request) {
+  if (getSecurityOrigin())
+    request.setHTTPOrigin(getSecurityOrigin());
+  if (m_overrideReferrer)
+    request.setHTTPReferrer(m_referrerAfterRedirect);
+}
+
 void DocumentThreadableLoader::makeCrossOriginAccessRequest(
     const ResourceRequest& request) {
   DCHECK(m_options.crossOriginRequestPolicy == UseAccessControl ||
          request.isExternalRequest());
   DCHECK(m_client);
   DCHECK(!resource());
 
   // Cross-origin requests are only allowed certain registered schemes. We would
   // catch this when checking response headers later, but there is no reason to
   // send a request, preflighted or not, that's guaranteed to be denied.
@@ skipping 21 matching lines @@
                       "Requests to internal network resources are not allowed "
                       "from non-secure contexts (see https://goo.gl/Y0ZkNV). "
                       "This is an experimental restriction which is part of "
                       "'https://mikewest.github.io/cors-rfc1918/'."));
     return;
   }
 
   ResourceRequest crossOriginRequest(request);
   ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
 
+  crossOriginRequest.removeCredentials();
+
+  crossOriginRequest.setAllowStoredCredentials(effectiveAllowCredentials() ==
+                                               AllowStoredCredentials);
+
+  // We update the credentials mode according to effectiveAllowCredentials()
+  // here for backward compatibility. But this is not correct.
+  // FIXME: We should set it in the caller of DocumentThreadableLoader.
+  crossOriginRequest.setFetchCredentialsMode(
+      effectiveAllowCredentials() == AllowStoredCredentials
+          ? WebURLRequest::FetchCredentialsModeInclude
+          : WebURLRequest::FetchCredentialsModeOmit);
+
   // We use isSimpleOrForbiddenRequest() here since |request| may have been
   // modified in the process of loading (not from the user's input). For
   // example, referrer. We need to accept them. For security, we must reject
   // forbidden headers/methods at the point we accept user's input. Not here.
   if (!request.isExternalRequest() &&
       ((m_options.preflightPolicy == ConsiderPreflight &&
         FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(),
                                                request.httpHeaderFields())) ||
        m_options.preflightPolicy == PreventPreflight)) {
-    updateRequestForAccessControl(crossOriginRequest, getSecurityOrigin(),
-                                  effectiveAllowCredentials());
-    // We update the credentials mode according to effectiveAllowCredentials()
-    // here for backward compatibility. But this is not correct.
-    // FIXME: We should set it in the caller of DocumentThreadableLoader.
-    crossOriginRequest.setFetchCredentialsMode(
-        effectiveAllowCredentials() == AllowStoredCredentials
-            ? WebURLRequest::FetchCredentialsModeInclude
-            : WebURLRequest::FetchCredentialsModeOmit);
-    if (m_didRedirect) {
-      crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect);
-    }
+    prepareCrossOriginRequest(crossOriginRequest);
     loadRequest(crossOriginRequest, crossOriginOptions);
   } else {
     m_crossOriginNonSimpleRequest = true;
-    // Do not set the Origin header for preflight requests.
-    updateRequestForAccessControl(crossOriginRequest, 0,
-                                  effectiveAllowCredentials());
-    // We update the credentials mode according to effectiveAllowCredentials()
-    // here for backward compatibility. But this is not correct.
-    // FIXME: We should set it in the caller of DocumentThreadableLoader.
-    crossOriginRequest.setFetchCredentialsMode(
-        effectiveAllowCredentials() == AllowStoredCredentials
-            ? WebURLRequest::FetchCredentialsModeInclude
-            : WebURLRequest::FetchCredentialsModeOmit);
-    m_actualRequest = crossOriginRequest;
-    m_actualOptions = crossOriginOptions;
-
-    if (m_didRedirect) {
-      m_actualRequest.setHTTPReferrer(m_referrerAfterRedirect);
-    }
 
     bool shouldForcePreflight =
         request.isExternalRequest() ||
         InspectorInstrumentation::shouldForceCORSPreflight(m_document);
     bool canSkipPreflight =
         CrossOriginPreflightResultCache::shared().canSkipPreflight(
-            getSecurityOrigin()->toString(), m_actualRequest.url(),
-            effectiveAllowCredentials(), m_actualRequest.httpMethod(),
-            m_actualRequest.httpHeaderFields());
+            getSecurityOrigin()->toString(), crossOriginRequest.url(),
+            effectiveAllowCredentials(), crossOriginRequest.httpMethod(),
+            crossOriginRequest.httpHeaderFields());
     if (canSkipPreflight && !shouldForcePreflight) {
-      loadActualRequest();
+      if (getSecurityOrigin())
+        crossOriginRequest.setHTTPOrigin(getSecurityOrigin());
+      if (m_overrideReferrer)
+        crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect);
+
+      prepareCrossOriginRequest(crossOriginRequest);
+      loadRequest(crossOriginRequest, crossOriginOptions);
     } else {
       ResourceRequest preflightRequest = createAccessControlPreflightRequest(
-          m_actualRequest, getSecurityOrigin());
+          crossOriginRequest, getSecurityOrigin());
+
       // Create a ResourceLoaderOptions for preflight.
-      ResourceLoaderOptions preflightOptions = m_actualOptions;
+      ResourceLoaderOptions preflightOptions = crossOriginOptions;
       preflightOptions.allowCredentials = DoNotAllowStoredCredentials;
+
+      m_actualRequest = crossOriginRequest;
+      m_actualOptions = crossOriginOptions;
+
+      prepareCrossOriginRequest(crossOriginRequest);
       loadRequest(preflightRequest, preflightOptions);
     }
   }
 }
 
 DocumentThreadableLoader::~DocumentThreadableLoader() {
   CHECK(!m_client);
   DCHECK(!m_resource);
 }
 
@@ skipping 201 matching lines @@
   m_sameOriginRequest = false;
 
   // Since the request is no longer same-origin, if the user didn't request
   // credentials in the first place, update our state so we neither request them
   // nor expect they must be allowed.
   if (m_resourceLoaderOptions.credentialsRequested ==
       ClientDidNotRequestCredentials)
     m_forceDoNotAllowStoredCredentials = true;
 
   // Save the referrer to use when following the redirect.
-  m_didRedirect = true;
+  m_overrideReferrer = true;
   m_referrerAfterRedirect =
       Referrer(request.httpReferrer(), request.getReferrerPolicy());
 
   ResourceRequest crossOriginRequest(request);
 
   // Remove any headers that may have been added by the network layer that cause
   // access control to fail.
   crossOriginRequest.clearHTTPReferrer();
   crossOriginRequest.clearHTTPOrigin();
   crossOriginRequest.clearHTTPUserAgent();
@@ skipping 283 matching lines @@
   m_fallbackRequestForServiceWorker = ResourceRequest();
   dispatchInitialRequest(fallbackRequest);
 }
 
 void DocumentThreadableLoader::loadActualRequest() {
   ResourceRequest actualRequest = m_actualRequest;
   ResourceLoaderOptions actualOptions = m_actualOptions;
   m_actualRequest = ResourceRequest();
   m_actualOptions = ResourceLoaderOptions();
 
-  actualRequest.setHTTPOrigin(getSecurityOrigin());
-
   clearResource();
 
   // Explicitly set the SkipServiceWorker flag here. Even if the page was not
   // controlled by a SW when the preflight request was sent, a new SW may be
   // controlling the page now by calling clients.claim(). We should not send
   // the actual request to the SW. https://crbug.com/604583
   actualRequest.setSkipServiceWorker(WebURLRequest::SkipServiceWorker::All);
 
+  prepareCrossOriginRequest(actualRequest);
   loadRequest(actualRequest, actualOptions);
 }
 
 void DocumentThreadableLoader::handlePreflightFailure(
     const String& url,
     const String& errorDescription) {
   ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);
 
   // Prevent handleSuccessfulFinish() from bypassing access check.
   m_actualRequest = ResourceRequest();
@@ skipping 173 matching lines @@
 }
 
 DEFINE_TRACE(DocumentThreadableLoader) {
   visitor->trace(m_resource);
   visitor->trace(m_document);
   ThreadableLoader::trace(visitor);
   RawResourceClient::trace(visitor);
 }
 
 }  // namespace blink