Fix foreign fetch intercepting CORS preflighted requests if preflight was in cache.

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 351 matching lines @@
   // example, referrer. We need to accept them. For security, we must reject
   // forbidden headers/methods at the point we accept user's input. Not here.
   if (!request.isExternalRequest() &&
       ((m_options.preflightPolicy == ConsiderPreflight &&
         FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(),
                                                request.httpHeaderFields())) ||
        m_options.preflightPolicy == PreventPreflight)) {
     prepareCrossOriginRequest(crossOriginRequest);
     loadRequest(crossOriginRequest, crossOriginOptions);
   } else {
+    // Explicitly set the SkipServiceWorker flag here. Although the page is not
+    // controlled by a SW at this point, a new SW may be controlling the page
+    // when this request gets sent later. We should not send the actual request
+    // to the SW. https://crbug.com/604583
+    // Similarly we don't want any requests that could involve a CORS preflight
+    // to get intercepted by a foreign fetch service worker, even if we have the
+    // result of the preflight cached already. https://crbug.com/674370
+    crossOriginRequest.setSkipServiceWorker(
+        WebURLRequest::SkipServiceWorker::All);
+
     bool shouldForcePreflight =
         request.isExternalRequest() ||
         InspectorInstrumentation::shouldForceCORSPreflight(m_document);
     bool canSkipPreflight =
         CrossOriginPreflightResultCache::shared().canSkipPreflight(
             getSecurityOrigin()->toString(), crossOriginRequest.url(),
             effectiveAllowCredentials(), crossOriginRequest.httpMethod(),
             crossOriginRequest.httpHeaderFields());
     if (canSkipPreflight && !shouldForcePreflight) {
       if (getSecurityOrigin())
@@ skipping 527 matching lines @@
 }
 
 void DocumentThreadableLoader::loadActualRequest() {
   ResourceRequest actualRequest = m_actualRequest;
   ResourceLoaderOptions actualOptions = m_actualOptions;
   m_actualRequest = ResourceRequest();
   m_actualOptions = ResourceLoaderOptions();
 
   clearResource();
 
-  // Explicitly set the SkipServiceWorker flag here. Even if the page was not
-  // controlled by a SW when the preflight request was sent, a new SW may be
-  // controlling the page now by calling clients.claim(). We should not send
-  // the actual request to the SW. https://crbug.com/604583
-  actualRequest.setSkipServiceWorker(WebURLRequest::SkipServiceWorker::All);
-
   prepareCrossOriginRequest(actualRequest);
   loadRequest(actualRequest, actualOptions);
 }
 
 void DocumentThreadableLoader::handlePreflightFailure(
     const String& url,
     const String& errorDescription) {
   ResourceError error(errorDomainBlinkInternal, 0, url, errorDescription);
 
   // Prevent handleSuccessfulFinish() from bypassing access check.
@@ skipping 179 matching lines @@
 }
 
 DEFINE_TRACE(DocumentThreadableLoader) {
   visitor->trace(m_resource);
   visitor->trace(m_document);
   ThreadableLoader::trace(visitor);
   RawResourceClient::trace(visitor);
 }
 
 }  // namespace blink