| Index: Source/core/loader/DocumentThreadableLoader.cpp
|
| diff --git a/Source/core/loader/DocumentThreadableLoader.cpp b/Source/core/loader/DocumentThreadableLoader.cpp
|
| index bcb00b9b67766a00380e91cad3274af94fc719e0..736a7bee514488a81394f10dfa60040a7dbd6b9f 100644
|
| --- a/Source/core/loader/DocumentThreadableLoader.cpp
|
| +++ b/Source/core/loader/DocumentThreadableLoader.cpp
|
| @@ -319,7 +319,26 @@ void DocumentThreadableLoader::handleResponse(unsigned long identifier, const Re
|
| return;
|
| }
|
|
|
| - // FIXME: When response.wasFetchedViaServiceWorker() is true, we need to check the URL of the response for CSP and CORS.
|
| + // If the response is fetched via ServiceWorker, the original URL of the response could be different from the URL of the request.
|
| + if (response.wasFetchedViaServiceWorker()) {
|
| + if (!isAllowedByPolicy(response.url())) {
|
| + m_client->didFailRedirectCheck();
|
| + return;
|
| + }
|
| + if (!isAllowedRedirect(response.url())) {
|
| + if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
|
| + m_client->didFail(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), "Cross origin requests are not supported."));
|
| + return;
|
| + }
|
| + if (m_options.crossOriginRequestPolicy == UseAccessControl) {
|
| + String accessControlErrorDescription;
|
| + if (!passesAccessControlCheck(response, effectiveAllowCredentials(), securityOrigin(), accessControlErrorDescription)) {
|
| + m_client->didFailAccessControlCheck(ResourceError(errorDomainBlinkInternal, 0, response.url().string(), accessControlErrorDescription));
|
| + return;
|
| + }
|
| + }
|
| + }
|
| + }
|
|
|
| if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
|
| String accessControlErrorDescription;
|
|
|
Chromium Code Reviews
Issue 333423004:
moved to https://codereview.chromium.org/399543002/ (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master