Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(386)

Issue 2642043004: Fix a bug in origin header generation for CORS preflight in extensions (Closed)

Created:
3 years, 11 months ago by tyoshino (SeeGerritForStatus)
Modified:
3 years, 11 months ago
Reviewers:
yhirano
CC:
chromium-reviews
Target Ref:
refs/pending/branch-heads/2924
Project:
chromium
Visibility:
Public.

Description

Fix a bug in origin header generation for CORS preflight in extensions In the refactoring CL https://codereview.chromium.org/2420603003 by me, I forgot to set the origin header to the preflight request in DocumentThreadableLoader::makeCrossOriginAccessRequest(). When the loading happens in an isolated world, the origin header will have an incorrect value due to this bug. We should add the referrer header to a preflight to conform to the spec, but to limit the effect of this patch, it's not included. See the added TODO. This fix also cleans up the code around the main fix: - createAccessControlPreflightRequests()'s SecurityOrigin argument is unused. Remove it. - makeCrossOriginAccessRequest() has duplicated call to setHTTPOrigin() and setHTTPReferrer() (included in prepareCrossoriginRequest() call next to them). Remove them. - prepareCrossOriginRequest(crossOriginRequest) in the code path for issuing a preflight is meaningless. It should have made on m_actualRequest. That said, since loadActualRequest() has prepareCrossOriginRequest() call, we don't even have to call prepareCrossoriginRequest(m_actualRequest). The only difference https://codereview.chromium.org/2420603003 introduced is that m_actualRequest doesn't have the origin and referrer header until loadActualRequest() is called. The only concern with this change is the preflightResult->allowsCrossOriginHeaders() call in DocumentThreadableLoader::handlePreflightResponse(). However, since these headers are listed in the forbidden header names, presence of these headers doesn't affect the return value of allowsCrossOriginHeaders(). So, just remove the meaningless code. BUG=680320 R=yhirano@chromium.org Review-Url: https://codereview.chromium.org/2635023003 Cr-Commit-Position: refs/heads/master@{#444328} (cherry picked from commit 78d4c0d304e60af63f0a087b8b3de73c27d489b4) Review-Url: https://codereview.chromium.org/2642043004 . Cr-Commit-Position: refs/branch-heads/2924@{#814} Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059} Committed: https://chromium.googlesource.com/chromium/src/+/3104235614e3f7bf250531bae504c706eda7d376

Patch Set 1 #

Messages

Total messages: 2 (1 generated)
tyoshino (SeeGerritForStatus)
3 years, 11 months ago (2017-01-20 06:07:12 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as
3104235614e3f7bf250531bae504c706eda7d376.

Powered by Google App Engine
This is Rietveld 408576698