| Index: Source/core/loader/DocumentThreadableLoader.cpp
|
| diff --git a/Source/core/loader/DocumentThreadableLoader.cpp b/Source/core/loader/DocumentThreadableLoader.cpp
|
| index 3cdd83fde895b57f08203a6de78b8e26fdb8ef44..326fa43a50cbddecfeb5bc6e3f36fb9367ce444f 100644
|
| --- a/Source/core/loader/DocumentThreadableLoader.cpp
|
| +++ b/Source/core/loader/DocumentThreadableLoader.cpp
|
| @@ -153,6 +153,10 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
|
| return;
|
| }
|
|
|
| + // We use isSimpleOrForbiddenRequest() here since |request| may have been
|
| + // modified in the process of loading (not from the user's input). For
|
| + // example, referrer. We need to accept them. For security, we must reject
|
| + // forbidden headers/methods at the point we accept user's input. Not here.
|
| if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
|
| ResourceRequest crossOriginRequest(request);
|
| ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);
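Review bot: The invariant the new comment above the `isSimpleOrForbiddenRequest()` check relies on is neither named nor enforced here: it says forbidden headers/methods are rejected where user input is accepted, but not which code does that. If a caller ever forwards script-supplied headers without that filtering, this branch would treat a forbidden header as no reason to preflight and issue the cross-origin request directly. Consider tying the comment to the responsible code, e.g. `// Forbidden methods/headers taken from script input must already have been rejected by the caller (<name the entry point>); only loader-added ones such as Referer are expected here.`, which also absorbs the fragment "For example, referrer." The body of makeCrossOriginAccessRequest starts and ends outside the hunk, so whether a debug assertion on this precondition already exists cannot be seen from here.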
|
|
|