moved to https://codereview.chromium.org/399543002/

Source/core/loader/DocumentThreadableLoader.cpp

 /*
  * Copyright (C) 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2013, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ skipping 165 matching lines @@
     if (resource())
         resource()->setDefersLoading(value);
 }
 
 void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse)
 {
     ASSERT(m_client);
     ASSERT_UNUSED(resource, resource == this->resource());
 
     RefPtr<DocumentThreadableLoader> protect(this);
+
+    // We don't support redirect in Fech API yet.
+    // FIXME: Support redirect in Fech API.
+    if (resource->resourceRequest().requestContext() == blink::WebURLRequest::RequestContextFetch) {
+        m_client->didFailRedirectCheck();
+        request = ResourceRequest();
+        return;
+    }
+
     if (!isAllowedByPolicy(request.url())) {
         m_client->didFailRedirectCheck();
         request = ResourceRequest();
         return;
     }
 
     // Allow same origin requests to continue after allowing clients to audit the redirect.
     if (isAllowedRedirect(request.url())) {
         if (m_client->isDocumentThreadableLoaderClient())
             static_cast<DocumentThreadableLoaderClient*>(m_client)->willSendRequest(request, redirectResponse);
@@ skipping 116 matching lines @@
 
 void DocumentThreadableLoader::handleResponse(unsigned long identifier, const ResourceResponse& response)
 {
     ASSERT(m_client);
 
     if (m_actualRequest) {
         handlePreflightResponse(identifier, response);
         return;
     }
 
-    // FIXME: When response.wasFetchedViaServiceWorker() is true, we need to check the URL of the response for CSP and CORS.
+    // If the response is fetched via ServiceWorker, the original URL of the response could be different from the URL of the request.
+    if (response.wasFetchedViaServiceWorker()) {
+        if (!isAllowedByPolicy(response.url())) {
+            m_client->didFailRedirectCheck();
+            return;
+        }
+        if (!isAllowedRedirect(response.url()))  {
+            if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
+                m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Cross origin requests are not supported."));
+                return;
+            }
+            if (m_options.crossOriginRequestPolicy == UseAccessControl) {
+                String accessControlErrorDescription;
+                if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
+                    m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
+                    return;
+                }
+            }
+        }
+    }
 
     if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
         String accessControlErrorDescription;
         if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
             m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
             return;
         }
     }
 
     m_client->didReceiveResponse(identifier, response);
@@ skipping 167 matching lines @@
         return DoNotAllowStoredCredentials;
     return m_resourceLoaderOptions.allowCredentials;
 }
 
 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
 {
     return m_securityOrigin ? m_securityOrigin.get() : m_document.securityOrigin();
 }
 
 } // namespace WebCore