| 1 /* | 1 /* |
| 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. | 2 * Copyright (C) 2011, 2012 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2013, Intel Corporation | 3 * Copyright (C) 2013, Intel Corporation |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| 154 BlockingBehavior blockingBehavior, | 154 BlockingBehavior blockingBehavior, |
| 155 const ThreadableLoaderOptions& options, | 155 const ThreadableLoaderOptions& options, |
| 156 const ResourceLoaderOptions& resourceLoaderOptions) | 156 const ResourceLoaderOptions& resourceLoaderOptions) |
| 157 : m_client(client), | 157 : m_client(client), |
| 158 m_document(&document), | 158 m_document(&document), |
| 159 m_options(options), | 159 m_options(options), |
| 160 m_resourceLoaderOptions(resourceLoaderOptions), | 160 m_resourceLoaderOptions(resourceLoaderOptions), |
| 161 m_forceDoNotAllowStoredCredentials(false), | 161 m_forceDoNotAllowStoredCredentials(false), |
| 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), | 162 m_securityOrigin(m_resourceLoaderOptions.securityOrigin), |
| 163 m_sameOriginRequest(false), | 163 m_sameOriginRequest(false), |
| 164 m_crossOriginNonSimpleRequest(false), | |
| 165 m_isUsingDataConsumerHandle(false), | 164 m_isUsingDataConsumerHandle(false), |
| 166 m_async(blockingBehavior == LoadAsynchronously), | 165 m_async(blockingBehavior == LoadAsynchronously), |
| 167 m_requestContext(WebURLRequest::RequestContextUnspecified), | 166 m_requestContext(WebURLRequest::RequestContextUnspecified), |
| 168 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), | 167 m_timeoutTimer(this, &DocumentThreadableLoader::didTimeout), |
| 169 m_requestStartedSeconds(0.0), | 168 m_requestStartedSeconds(0.0), |
| 170 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl | 169 m_corsRedirectLimit(m_options.crossOriginRequestPolicy == UseAccessControl |
| 171 ? kMaxCORSRedirects | 170 ? kMaxCORSRedirects |
| 172 : 0), | 171 : 0), |
| 173 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), | 172 m_redirectMode(WebURLRequest::FetchRedirectModeFollow), |
| 174 m_didRedirect(false) { | 173 m_didRedirect(false) { |
| 367 // FIXME: We should set it in the caller of DocumentThreadableLoader. | 366 // FIXME: We should set it in the caller of DocumentThreadableLoader. |
| 368 crossOriginRequest.setFetchCredentialsMode( | 367 crossOriginRequest.setFetchCredentialsMode( |
| 369 effectiveAllowCredentials() == AllowStoredCredentials | 368 effectiveAllowCredentials() == AllowStoredCredentials |
| 370 ? WebURLRequest::FetchCredentialsModeInclude | 369 ? WebURLRequest::FetchCredentialsModeInclude |
| 371 : WebURLRequest::FetchCredentialsModeOmit); | 370 : WebURLRequest::FetchCredentialsModeOmit); |
| 372 if (m_didRedirect) { | 371 if (m_didRedirect) { |
| 373 crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect); | 372 crossOriginRequest.setHTTPReferrer(m_referrerAfterRedirect); |
| 374 } | 373 } |
| 375 loadRequest(crossOriginRequest, crossOriginOptions); | 374 loadRequest(crossOriginRequest, crossOriginOptions); |
| 376 } else { | 375 } else { |
| 377 m_crossOriginNonSimpleRequest = true; | |
| 378 // Do not set the Origin header for preflight requests. | 376 // Do not set the Origin header for preflight requests. |
| 379 updateRequestForAccessControl(crossOriginRequest, 0, | 377 updateRequestForAccessControl(crossOriginRequest, 0, |
| 380 effectiveAllowCredentials()); | 378 effectiveAllowCredentials()); |
| 381 // We update the credentials mode according to effectiveAllowCredentials() | 379 // We update the credentials mode according to effectiveAllowCredentials() |
| 382 // here for backward compatibility. But this is not correct. | 380 // here for backward compatibility. But this is not correct. |
| 383 // FIXME: We should set it in the caller of DocumentThreadableLoader. | 381 // FIXME: We should set it in the caller of DocumentThreadableLoader. |
| 384 crossOriginRequest.setFetchCredentialsMode( | 382 crossOriginRequest.setFetchCredentialsMode( |
| 385 effectiveAllowCredentials() == AllowStoredCredentials | 383 effectiveAllowCredentials() == AllowStoredCredentials |
| 386 ? WebURLRequest::FetchCredentialsModeInclude | 384 ? WebURLRequest::FetchCredentialsModeInclude |
| 387 : WebURLRequest::FetchCredentialsModeOmit); | 385 : WebURLRequest::FetchCredentialsModeOmit); |
| 556 | 554 |
| 557 --m_corsRedirectLimit; | 555 --m_corsRedirectLimit; |
| 558 | 556 |
| 559 InspectorInstrumentation::didReceiveCORSRedirectResponse( | 557 InspectorInstrumentation::didReceiveCORSRedirectResponse( |
| 560 document().frame(), resource->identifier(), | 558 document().frame(), resource->identifier(), |
| 561 document().frame()->loader().documentLoader(), redirectResponse, | 559 document().frame()->loader().documentLoader(), redirectResponse, |
| 562 resource); | 560 resource); |
| 563 | 561 |
| 564 bool allowRedirect = false; | 562 bool allowRedirect = false; |
| 565 String accessControlErrorDescription; | 563 String accessControlErrorDescription; |
| 566 | 564 |
yhirano
2016/10/27 06:19:44
The preflight request (not a request w/preflight)
Jack Bates
2016/11/03 17:22:03
Right. I confirm that if you try to redirect the p
| 567 if (m_crossOriginNonSimpleRequest) { | 565 if (!CrossOriginAccessControl::isLegalRedirectLocation( |
| 568 // Non-simple cross origin requests (both preflight and actual one) are not | 566 request.url(), accessControlErrorDescription)) { |
| 569 // allowed to follow redirect. | |
| 570 accessControlErrorDescription = | |
| 571 "Redirect from '" + redirectResponse.url().getString() + "' to '" + | |
| 572 request.url().getString() + | |
| 573 "' has been blocked by CORS policy: Request requires preflight, which " | |
| 574 "is disallowed to follow cross-origin redirect."; | |
| 575 } else if (!CrossOriginAccessControl::isLegalRedirectLocation( | |
| 576 request.url(), accessControlErrorDescription)) { | |
| 577 accessControlErrorDescription = | 567 accessControlErrorDescription = |
| 578 "Redirect from '" + redirectResponse.url().getString() + | 568 "Redirect from '" + redirectResponse.url().getString() + |
| 579 "' has been blocked by CORS policy: " + accessControlErrorDescription; | 569 "' has been blocked by CORS policy: " + accessControlErrorDescription; |
| 580 } else if (!m_sameOriginRequest && | 570 } else if (!m_sameOriginRequest && |
| 581 !passesAccessControlCheck( | 571 !passesAccessControlCheck( |
| 582 redirectResponse, effectiveAllowCredentials(), | 572 redirectResponse, effectiveAllowCredentials(), |
| 583 getSecurityOrigin(), accessControlErrorDescription, | 573 getSecurityOrigin(), accessControlErrorDescription, |
| 584 m_requestContext)) { | 574 m_requestContext)) { |
| 585 // The redirect response must pass the access control check if the original | 575 // The redirect response must pass the access control check if the original |
| 586 // request was not same-origin. | 576 // request was not same-origin. |
| 1122 } | 1112 } |
| 1123 | 1113 |
| 1124 DEFINE_TRACE(DocumentThreadableLoader) { | 1114 DEFINE_TRACE(DocumentThreadableLoader) { |
| 1125 visitor->trace(m_resource); | 1115 visitor->trace(m_resource); |
| 1126 visitor->trace(m_document); | 1116 visitor->trace(m_document); |
| 1127 ThreadableLoader::trace(visitor); | 1117 ThreadableLoader::trace(visitor); |
| 1128 RawResourceClient::trace(visitor); | 1118 RawResourceClient::trace(visitor); |
| 1129 } | 1119 } |
| 1130 | 1120 |
| 1131 } // namespace blink | 1121 } // namespace blink |
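Review bot: With the m_crossOriginNonSimpleRequest guard removed (old lines 567-574), a cross-origin request that required a preflight may now follow a redirect as soon as the redirect target passes isLegalRedirectLocation and the redirect response passes passesAccessControlCheck (new lines 565-574), yet nothing visible in this hunk issues a fresh preflight for the redirect target when the redirect changes origin or the request still carries a non-simple method or headers. If that re-preflight is performed further down the enclosing function or by the code that re-enters the cross-origin path, it is out of view here and worth confirming before landing, since it is the property that kept the old guard safe. Either way the new branch would read more clearly with a why-comment above new line 565, e.g. `// A request that needed a preflight may now follow a redirect; the redirected request is re-evaluated as a fresh cross-origin request below.` adjusted to whatever the code actually does. The enclosing function starts and ends outside the hunk, and the removed initialisers at old lines 164 and 377 are the only other references to the dropped member in view.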