
Side by Side Diff: Source/core/fetch/CrossOriginAccessControl.cpp

Issue 332633006: Include error status code in console message for non-CORS response. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Update test expectation Created 6 years, 6 months ago
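--- a/Source/core/fetch/CrossOriginAccessControl.cpp
+++ b/Source/core/fetch/CrossOriginAccessControl.cpp
@@ -1,10 +1,10 @@
 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
@@ -135,43 +135,54 @@
 }
 
     return preflightRequest;
 }
 
 static bool isOriginSeparator(UChar ch)
 {
     return isASCIISpace(ch) || ch == ',';
 }
 
+static bool isInterestingStatusCode(int statusCode)
+{
+    // Predicate that gates what status codes should be included in
+    // console error messages for responses containing no access
+    // control headers.
+    return statusCode >= 400;
+}
+
 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential s includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
 {
     AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new A tomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral));
     AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = * new AtomicString("access-control-allow-credentials", AtomicString::ConstructFrom Literal));
 
     if (!response.httpStatusCode()) {
         errorDescription = "Received an invalid response. Origin '" + securityOr igin->toString() + "' is therefore not allowed access.";
         return false;
     }
 
     const AtomicString& accessControlOriginString = response.httpHeaderField(acc essControlAllowOrigin);
     if (accessControlOriginString == starAtom) {
         // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
         // even with Access-Control-Allow-Credentials set to true.
         if (includeCredentials == DoNotAllowStoredCredentials)
             return true;
         if (response.isHTTP()) {
             errorDescription = "A wildcard '*' cannot be used in the 'Access-Con trol-Allow-Origin' header when the credentials flag is true. Origin '" + securit yOrigin->toString() + "' is therefore not allowed access.";
             return false;
         }
     } else if (accessControlOriginString != securityOrigin->toAtomicString()) {
         if (accessControlOriginString.isEmpty()) {
             errorDescription = "No 'Access-Control-Allow-Origin' header is prese nt on the requested resource. Origin '" + securityOrigin->toString() + "' is the refore not allowed access.";
+
+            if (isInterestingStatusCode(response.httpStatusCode()))
+                errorDescription.append(" The response had HTTP status code " + String::number(response.httpStatusCode()) + ".");
         } else if (accessControlOriginString.string().find(isOriginSeparator, 0) != kNotFound) {
             errorDescription = "The 'Access-Control-Allow-Origin' header contain s multiple values '" + accessControlOriginString + "', but only one is allowed. Origin '" + securityOrigin->toString() + "' is therefore not allowed access.";
         } else {
             KURL headerOrigin(KURL(), accessControlOriginString);
             if (!headerOrigin.isValid())
                 errorDescription = "The 'Access-Control-Allow-Origin' header con tains the invalid value '" + accessControlOriginString + "'. Origin '" + securit yOrigin->toString() + "' is therefore not allowed access.";
             else
                 errorDescription = "The 'Access-Control-Allow-Origin' header has a value '" + accessControlOriginString + "' that is not equal to the supplied o rigin. Origin '" + securityOrigin->toString() + "' is therefore not allowed acce ss.";
         }
         return false;
@@ -266,10 +277,10 @@
         request.setHTTPOrigin(securityOrigin->toAtomicString());
         // If the user didn't request credentials in the first place, update our
         // state so we neither request them nor expect they must be allowed.
         if (options.credentialsRequested == ClientDidNotRequestCredentials)
             options.allowCredentials = DoNotAllowStoredCredentials;
     }
     return true;
 }
 
 } // namespace WebCore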
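Review bot: The status-code suffix is appended only on the missing-header branch (new lines 176–178), while the wildcard-with-credentials, multiple-value and invalid-value failures a few lines away still omit the status even though the same response is at hand; if the status helps diagnose a missing header it is equally useful there, and applying it in one place only reads as an oversight rather than a decision. The comment above `return statusCode >= 400;` in isInterestingStatusCode says what the predicate gates but not why 4xx/5xx are the interesting ones or whether redirect statuses were deliberately left out; a one-line comment recording that reasoning would save the next reader from guessing. From a defender's stance, errorDescription now carries the status of an opaque cross-origin response, which is fine for the developer console, but if any caller surfaces errorDescription to page script (not confirmable from this file) it would disclose information the CORS failure is meant to withhold, so a comment such as `// errorDescription is for the developer console only; it must not be exposed to script.` at the top of passesAccessControlCheck would pin that contract. passesAccessControlCheck continues past the end of the hunk.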