CrossOriginAccessControl: separate access checks and error message generation

third_party/WebKit/Source/core/fetch/ResourceLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2010, 2011 Apple Inc. All rights reserved.
  *           (C) 2007 Graham Dennis (graham.dennis@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 29 matching lines @@
 #include "platform/network/ResourceError.h"
 #include "public/platform/Platform.h"
 #include "public/platform/WebCachePolicy.h"
 #include "public/platform/WebData.h"
 #include "public/platform/WebURLError.h"
 #include "public/platform/WebURLRequest.h"
 #include "public/platform/WebURLResponse.h"
 #include "wtf/Assertions.h"
 #include "wtf/CurrentTime.h"
 #include "wtf/PtrUtil.h"
+#include "wtf/text/StringBuilder.h"
 #include <memory>
 
 namespace blink {
 
 ResourceLoader* ResourceLoader::create(ResourceFetcher* fetcher,
                                        Resource* resource) {
   return new ResourceLoader(fetcher, resource);
 }
 
 ResourceLoader::ResourceLoader(ResourceFetcher* fetcher, Resource* resource)
@@ skipping 212 matching lines @@
 
   if (sourceOrigin->canRequestNoSuborigin(response.url()))
     return ResourceRequestBlockedReason::None;
 
   // Use the original response instead of the 304 response for a successful
   // revaldiation.
   const ResourceResponse& responseForAccessControl =
       (resource->isCacheValidator() && response.httpStatusCode() == 304)
           ? resource->response()
           : response;
-  String errorDescription;
-  if (!passesAccessControlCheck(
+
+  CrossOriginAccessControl::AccessStatus corsStatus =
+      CrossOriginAccessControl::checkAccess(
           responseForAccessControl, resource->options().allowCredentials,
-          sourceOrigin, errorDescription,
-          resource->lastResourceRequest().requestContext())) {
+          sourceOrigin);
+  if (corsStatus != CrossOriginAccessControl::kAccessAllowed) {
     resource->setCORSFailed();
     if (!forPreload) {
       String resourceType = Resource::resourceTypeToString(
           resource->getType(), resource->options().initiatorInfo.name);
-      context().addConsoleMessage(
-          "Access to " + resourceType + " at '" + response.url().getString() +
-          "' from origin '" + sourceOrigin->toString() +
-          "' has been blocked by CORS policy: " + errorDescription);
+      StringBuilder builder;
+      builder.append("Access to ");
+      builder.append(resourceType);
+      builder.append(" at '");
+      builder.append(response.url().getString());
+      builder.append("' from origin '");
+      builder.append(sourceOrigin->toString());
+      builder.append("' has been blocked by CORS policy: ");
+      CrossOriginAccessControl::accessControlErrorString(
+          builder, corsStatus, responseForAccessControl, sourceOrigin,
+          resource->lastResourceRequest().requestContext());
+      context().addConsoleMessage(builder.toString());
     }
     return ResourceRequestBlockedReason::Other;
   }
   return ResourceRequestBlockedReason::None;
 }
 
 void ResourceLoader::didReceiveResponse(
     const WebURLResponse& webURLResponse,
     std::unique_ptr<WebDataConsumerHandle> handle) {
   DCHECK(!webURLResponse.isNull());
@@ skipping 195 matching lines @@
     return;
 
   // Don't activate if cache policy is explicitly set.
   if (request.getCachePolicy() != WebCachePolicy::UseProtocolCachePolicy)
     return;
 
   m_isCacheAwareLoadingActivated = true;
 }
 
 }  // namespace blink