Index: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp |
index e6aa7c47fd9a818012271e5280e0167f6aa41045..c71ae427dc6b403dfa01852a61f7e1fb76093323 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp |
@@ -369,6 +369,16 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest( |
prepareCrossOriginRequest(crossOriginRequest); |
loadRequest(crossOriginRequest, crossOriginOptions); |
} else { |
+ // Explicitly set the SkipServiceWorker flag here. Although the page is not |
+ // controlled by a SW at this point, a new SW may be controlling the page |
+ // when this request gets sent later. We should not send the actual request |
+ // to the SW. https://crbug.com/604583 |
+ // Similarly we don't want any requests that could involve a CORS preflight |
+ // to get intercepted by a foreign fetch service worker, even if we have the |
+ // result of the preflight cached already. https://crbug.com/674370 |
+ crossOriginRequest.setSkipServiceWorker( |
+ WebURLRequest::SkipServiceWorker::All); |
+ |
bool shouldForcePreflight = |
request.isExternalRequest() || |
InspectorInstrumentation::shouldForceCORSPreflight(m_document); |
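Review bot: Setting the flag only here, in the else branch of makeCrossOriginAccessRequest(), means the service-worker bypass is no longer enforced where the actual request is sent, because the second hunk drops the unconditional set from loadActualRequest(). The bypass now relies on m_actualRequest being populated from crossOriginRequest after this call; that assignment is outside the hunk, so it cannot be confirmed from here. To keep a later refactor from silently letting a post-preflight request reach a newly claiming or foreign-fetch service worker, assert the invariant in loadActualRequest() before prepareCrossOriginRequest(), e.g. `DCHECK(actualRequest.skipServiceWorker() == WebURLRequest::SkipServiceWorker::All);` (getter name to be confirmed against ResourceRequest). A test that registers a service worker which calls clients.claim() between the preflight and the actual request would pin the crbug.com/604583 behaviour to the new location.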
@@ -916,12 +926,6 @@ void DocumentThreadableLoader::loadActualRequest() { |
clearResource(); |
- // Explicitly set the SkipServiceWorker flag here. Even if the page was not |
- // controlled by a SW when the preflight request was sent, a new SW may be |
- // controlling the page now by calling clients.claim(). We should not send |
- // the actual request to the SW. https://crbug.com/604583 |
- actualRequest.setSkipServiceWorker(WebURLRequest::SkipServiceWorker::All); |
- |
prepareCrossOriginRequest(actualRequest); |
loadRequest(actualRequest, actualOptions); |
} |