| Index: Source/core/fetch/CrossOriginAccessControl.cpp
|
| diff --git a/Source/core/fetch/CrossOriginAccessControl.cpp b/Source/core/fetch/CrossOriginAccessControl.cpp
|
| index 0329c690d3a6650c6b0e6a942913a240329ebe89..1e343457c18a773d5f56c3c0f468c8263ba02cef 100644
|
| --- a/Source/core/fetch/CrossOriginAccessControl.cpp
|
| +++ b/Source/core/fetch/CrossOriginAccessControl.cpp
|
| @@ -29,6 +29,7 @@
|
|
|
| #include "core/fetch/Resource.h"
|
| #include "core/fetch/ResourceLoaderOptions.h"
|
| +#include "core/frame/UseCounter.h"
|
| #include "platform/network/HTTPParsers.h"
|
| #include "platform/network/ResourceRequest.h"
|
| #include "platform/network/ResourceResponse.h"
|
| @@ -114,7 +115,7 @@ static bool isInterestingStatusCode(int statusCode)
|
| return statusCode >= 400;
|
| }
|
|
|
| -bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
|
| +bool passesAccessControlCheck(ExecutionContext* context, const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
|
| {
|
| AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral));
|
| AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral));
|
| @@ -158,6 +159,8 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
|
| errorDescription = "Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is '" + accessControlCredentialsString + "'. It must be 'true' to allow credentials.";
|
| return false;
|
| }
|
| + if (accessControlOriginString == "null")
|
| + UseCounter::count(context, UseCounter::CORSCredentialedNullOriginAccessAllowed);
|
| }
|
|
|
| return true;
|
| @@ -200,7 +203,7 @@ bool CrossOriginAccessControl::isLegalRedirectLocation(const KURL& requestURL, S
|
| return true;
|
| }
|
|
|
| -bool CrossOriginAccessControl::handleRedirect(Resource* resource, SecurityOrigin* securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options, String& errorMessage)
|
| +bool CrossOriginAccessControl::handleRedirect(ExecutionContext* context, Resource* resource, SecurityOrigin* securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& options, String& errorMessage)
|
| {
|
| // http://www.w3.org/TR/cors/#redirect-steps terminology:
|
| const KURL& originalURL = redirectResponse.url();
|
| @@ -218,7 +221,7 @@ bool CrossOriginAccessControl::handleRedirect(Resource* resource, SecurityOrigin
|
| if (allowRedirect) {
|
| // Step 5: perform resource sharing access check.
|
| StoredCredentials withCredentials = resource->lastResourceRequest().allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
|
| - allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
|
| + allowRedirect = passesAccessControlCheck(context, redirectResponse, withCredentials, securityOrigin, errorDescription);
|
| if (allowRedirect) {
|
| RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
|
| // Step 6: if the request URL origin is not same origin as the original URL's,
|
|
|
Chromium Code Reviews
Issue 732323004:
Add use counter for credentialed CORS access from null origins. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master