Changeset 204117 in webkit
- Timestamp:
- Aug 4, 2016 12:56:37 AM (8 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 25 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r204116 r204117 1 2016-08-04 Youenn Fablet <youenn@apple.com> 2 3 DocumentThreadableLoader should pass the fetch mode to underlying loader code 4 https://bugs.webkit.org/show_bug.cgi?id=160399 5 6 Reviewed by Alex Christensen. 7 8 * TestExpectations: 9 * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: 10 * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: 11 * http/tests/workers/worker-redirect-expected.txt: 12 * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: 13 * http/tests/xmlhttprequest/access-control-and-redirects-async.html: Fixed bugs in the test and updated comments. 14 * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt: 15 * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt: 16 * http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt: 17 1 18 2016-08-04 Youenn Fablet <youenn@apple.com> 2 19 -
trunk/LayoutTests/TestExpectations
r204116 r204117 363 363 [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-method-worker.html [ Skip ] 364 364 [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker.html [ Skip ] 365 [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html [ Skip ] 365 366 [ Debug ] imported/w3c/web-platform-tests/fetch/nosniff/worker.html [ Skip ] 366 367 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt
r198591 r204117 1 CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy. 1 CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html. Domains, protocols and ports must match. 2 2 3 This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect. 3 4 -
trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt
r196526 r204117 1 CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html. Domains, protocols and ports must match. 2 1 3 This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin). 2 4 -
trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt
r203333 r204117 1 CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from frame with URL http://127.0.0.1:8000/workers/worker-redirect.html. Domains, protocols and ports must match. 2 1 3 Test that loading the worker's script does not allow a cross origin redirect (bug 26146) 2 4 -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
r202480 r204117 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi &%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.3 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.4 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http:// localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.1 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. 3 CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 4 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks. 5 5 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. Preflight response is not successful 6 6 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*&%20%20access-control-allow-headers=x-webkit. Cross-origin redirection denied by Cross-Origin Resource Sharing policy. … … 10 10 Expecting success: false 11 11 PASS: 0 12 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http:// localhost:8000 without credentials12 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials 13 13 Expecting success: true 14 FAIL: 0 15 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 without credentials 16 Expecting success: false 17 PASS: 0 18 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://localhost:8000 without credentials 14 PASS: PASS: Cross-domain access allowed. 15 16 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials 17 Expecting success: true 18 PASS: PASS: Cross-domain access allowed. 19 20 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials 19 21 Expecting success: false 20 22 PASS: 0 -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html
r202162 r204117 49 49 withoutCredentials, noCustomHeader, fails], 50 50 51 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response 52 // passes the access check. 53 // FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original 54 // request was cross-origin. 51 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response passes the access check. 55 52 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 56 access-control-allow-origin=http:// localhost:8000",53 access-control-allow-origin=http://127.0.0.1:8000", 57 54 withoutCredentials, noCustomHeader, succeeds], 58 55 59 // Receives a redirect response with a URL containing the userinfo production. 56 // Receives a redirect response with a URL containing the userinfo production. Although loading should fail according fetch spec, 57 // the underlying HTTP stack currently removes credentials from redirection URL, hence loading is successful. 60 58 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 61 access-control-allow-origin=http:// localhost:8000",62 withoutCredentials, noCustomHeader, fails],59 access-control-allow-origin=http://127.0.0.1:8000", 60 withoutCredentials, noCustomHeader, succeeds], 63 61 64 62 // Receives a redirect response with a URL with an unsupported scheme. 65 63 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\ 66 access-control-allow-origin=http:// localhost:8000",64 access-control-allow-origin=http://127.0.0.1:8000", 67 65 withoutCredentials, noCustomHeader, fails], 68 66 … … 75 73 withoutCredentials, addCustomHeader, fails], 76 74 77 // Successful preflight and receives a redirect response to the actual request and fails. 75 // Successful preflight and receives a redirect response to the actual request. 76 // Preflight to the redirected URL should fail as it does not allow custom headers. 78 77 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\ 79 78 url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt
r203333 r204117 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy. 1 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. 2 3 CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy. 3 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy. 4 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 5 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. 4 6 Tests that redirects between origins are never allowed, even when access control is involved. 5 7 -
trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt
r195010 r204117 1 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks. 2 3 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS: 3 4 -
trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt
r104803 r204117 1 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks. 2 3 Test that a simple cross-origin request to a server that responds (but does not permit cross-origin requests) is indistinguishable from one that does not exist. Should say PASS: 3 4 -
trunk/LayoutTests/imported/w3c/ChangeLog
r204115 r204117 1 2016-08-04 Youenn Fablet <youenn@apple.com> 2 3 DocumentThreadableLoader should pass the fetch mode to underlying loader code 4 https://bugs.webkit.org/show_bug.cgi?id=160399 5 6 Reviewed by Alex Christensen. 7 8 Updated expectations. 9 Added new tests to check specifically for Origin header in case of redirections. 10 Updated server-side redirect.py python script to generate valid Location URLs. 11 12 * web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt: 13 * web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt: 14 * web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt: 15 * web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt: 16 * web-platform-tests/fetch/api/redirect/redirect-location-expected.txt: 17 * web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt: 18 * web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt: Added. 19 * web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt: Added. 20 * web-platform-tests/fetch/api/redirect/redirect-origin-worker.html: Added. 21 * web-platform-tests/fetch/api/redirect/redirect-origin.html: Added. 22 * web-platform-tests/fetch/api/redirect/redirect-origin.js: Added. 23 (testOriginAfterRedirection): 24 * web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt: 25 * web-platform-tests/fetch/api/redirect/redirect-schemes.html: Updated test so that fetches are done in a deterministic order, one after the other is finished. 26 * web-platform-tests/fetch/api/resources/redirect.py: 27 (main): 28 1 29 2016-08-03 Chris Dumez <cdumez@apple.com> 2 30 -
trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt
r191546 r204117 1 1 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py 2 CONSOLE MESSAGE: line 34: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py due to access control checks. 2 3 3 4 FAIL XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() (expects to succeed) assert_true: responseText should contain the right user and password expected true got false -
trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt
r202542 r204117 1 1 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py 2 CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py due to access control checks. 2 3 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py 4 CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py due to access control checks. 3 5 4 6 FAIL CORS request with setRequestHeader auth to URL accepting Authorization header assert_true: responseText should contain the right user and password expected true got false -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt
r203900 r204117 1 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 2 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 3 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 4 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 5 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 6 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 7 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 8 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 9 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 10 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 11 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 12 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 13 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 14 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 15 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 16 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 17 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 18 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 19 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 20 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 21 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 22 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 23 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 24 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 25 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 26 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 27 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 28 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 29 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 30 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 31 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 32 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 33 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 34 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 35 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 36 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 37 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 38 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 39 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 40 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 41 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 42 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 43 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 44 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 45 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 1 46 2 47 PASS Redirect 301 from same origin to remote with user and password -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt
r203900 r204117 1 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 2 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 3 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 4 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 5 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 6 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 7 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 8 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 9 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 10 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 11 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 12 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 13 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 14 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 15 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 16 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 17 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 18 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 19 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 20 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 21 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 22 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 23 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 24 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 25 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 26 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 27 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 28 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 29 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 30 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 31 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 32 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 33 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 34 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 35 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 36 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 37 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 38 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 39 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 40 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 41 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 42 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 43 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 44 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 45 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true. 1 46 2 47 PASS Redirect 301 from same origin to remote with user and password -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt
r201324 r204117 1 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 2 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 3 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 4 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 5 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 1 6 2 7 PASS Redirect 301 in "follow" mode without location -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt
r203164 r204117 1 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 2 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 3 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 4 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 5 CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 1 6 2 7 PASS Redirect 301 in "follow" mode without location -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt
r202853 r204117 1 CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs?l=blob:djfksfjs&count=1 1 CONSOLE MESSAGE: Cross-origin redirection to mailto:a@a.com denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 2 CONSOLE MESSAGE: Cross-origin redirection to data:,HI denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 3 CONSOLE MESSAGE: Cross-origin redirection to facetime:a@a.org denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 4 CONSOLE MESSAGE: Cross-origin redirection to about:blank denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 5 CONSOLE MESSAGE: Cross-origin redirection to about:unicorn denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. 6 CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs 2 7 3 8 PASS Fetch: handling different schemes in redirects -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html
r202853 r204117 7 7 <script> 8 8 // All non-HTTP(S) schemes cannot survive redirects 9 var url = "../resources/redirect.py?location=" ,10 11 fetch(url + "mailto:a@a.com"),12 fetch(url + "data:,HI"),13 fetch(url + "facetime:a@a.org"),14 fetch(url + "about:blank"),15 fetch(url + "about:unicorn"),16 fetch(url + "blob:djfksfjs")9 var url = "../resources/redirect.py?location="; 10 var tests = [ 11 url + "mailto:a@a.com", 12 url + "data:,HI", 13 url + "facetime:a@a.org", 14 url + "about:blank", 15 url + "about:unicorn", 16 url + "blob:djfksfjs" 17 17 ]; 18 tests.forEach(function( f) {19 promise_test(function(t ) {20 return promise_rejects(t , new TypeError(), f)18 tests.forEach(function(url) { 19 promise_test(function(test) { 20 return promise_rejects(test, new TypeError(), fetch(url)) 21 21 }) 22 22 }) -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py
r195954 r204117 1 from urllib import urlencode 2 from urlparse import urlparse 3 1 4 def main(request, response): 2 5 stashed_data = {'count': 0, 'preflight': "0"} … … 29 32 stashed_data['count'] += 1 30 33 31 #keep url parameters in location32 url_parameters = "?" + "&".join(map(lambda x: x[0][0] + "=" + x[1][0], request.GET.items()))33 #make sure location changes during redirection loop34 url_parameters += "&count=" + str(stashed_data['count'])35 36 34 if "location" in request.GET: 37 headers.append(("Location", request.GET['location'] + url_parameters)) 35 url = request.GET['location'] 36 scheme = urlparse(url).scheme 37 if scheme == "" or scheme == "http" or scheme == "https": 38 url += "&" if '?' in url else "?" 39 #keep url parameters in location 40 url += urlencode(request.GET.items()) 41 #make sure location changes during redirection loop 42 url += "&count=" + str(stashed_data['count']) 43 headers.append(("Location", url)) 38 44 39 45 if token: -
trunk/Source/WebCore/ChangeLog
r204115 r204117 1 2016-08-04 Youenn Fablet <youenn@apple.com> 2 3 DocumentThreadableLoader should pass the fetch mode to underlying loader code 4 https://bugs.webkit.org/show_bug.cgi?id=160399 5 6 Reviewed by Alex Christensen. 7 8 Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html 9 imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html 10 Covered by existing and rebased tests. 11 12 DocumentThredableLoader was previously loading resources in NoCors mode and doing the cors checks on it own. 13 This was duplicating code and increasing the risk of being not consistent. 14 DocumentThreadableLoader is now passing the fetch mode given by client to underlying loader code. 15 This allows removing some CORS checks in DocumentThreadableLoader code for redirections. 16 17 Updated SubresourceLoader redirection CORS checks to be on par with DocumentThreadableLoader. 18 In particular, aligning the code with https://fetch.spec.whatwg.org/#http-redirect-fetch. 19 20 The error logging situation is not perfect as some errors are properly logged in the console while some others are not. 21 For instance blockedError (due to forbidden port for instance) reason is not logged on the console. 22 23 * loader/DocumentThreadableLoader.cpp: 24 (WebCore::DocumentThreadableLoader::redirectReceived): Updating redirection checking as SubresourceLoader is already doing most of the checks. 25 (WebCore::DocumentThreadableLoader::didReceiveResponse): Removing temp hack as tainting is now computed by underlying loader code. 26 (WebCore::DocumentThreadableLoader::loadRequest): Removing fetch mode change. 27 * loader/SubresourceLoader.cpp: 28 (WebCore::SubresourceLoader::willSendRequestInternal): Updating cancellation error and improve error logging. 29 (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Improved the checks and error reporting. 30 Tried to align as much as possible to https://fetch.spec.whatwg.org/#http-redirect-fetch. 31 * loader/SubresourceLoader.h: 32 * xml/XMLHttpRequest.cpp: 33 (WebCore::XMLHttpRequest::didFail): Added an error message to the console in case of access control error. 34 1 35 2016-08-03 Chris Dumez <cdumez@apple.com> 2 36 -
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r204019 r204117 221 221 return; 222 222 223 // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported 224 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the 225 // original request was not same-origin. 226 if (m_options.mode == FetchOptions::Mode::Cors) { 227 bool allowRedirect = false; 228 if (m_simpleRequest) { 229 String accessControlErrorDescription; 230 allowRedirect = isValidCrossOriginRedirectionURL(request.url()) 231 && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription)); 232 } 233 234 if (allowRedirect) { 235 if (m_resource) 236 clearResource(); 237 238 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url()); 239 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url()); 240 // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin, 241 // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request 242 // should be the original URL origin.) 243 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get())) 244 m_origin = SecurityOrigin::createUnique(); 245 // Force any subsequent request to use these checks. 246 m_sameOriginRequest = false; 247 248 if (m_options.credentials == FetchOptions::Credentials::SameOrigin) 249 m_options.allowCredentials = DoNotAllowStoredCredentials; 250 251 cleanRedirectedRequestForAccessControl(request); 252 253 makeCrossOriginAccessRequest(ResourceRequest(request)); 254 return; 255 } 256 } 257 258 reportCrossOriginResourceSharingError(*m_client, redirectResponse.url()); 259 request = ResourceRequest(); 223 // Force any subsequent request to use these checks. 224 m_sameOriginRequest = false; 225 226 ASSERT(m_resource); 227 ASSERT(m_resource->loader()); 228 ASSERT(m_options.mode == FetchOptions::Mode::Cors); 229 230 // FIXME: We could remove that restriction, since we can use preflighting. 231 if (!m_simpleRequest) { 232 reportCrossOriginResourceSharingError(*m_client, redirectResponse.url()); 233 request = ResourceRequest(); 234 return; 235 } 236 237 // Loader might have modified the origin to a unique one, let's reuse it for subsequent loads. 238 m_origin = m_resource->loader()->origin(); 239 240 // Except in case where preflight is needed, loading should be able to continue on its own. 241 // But we also handle credentials here if it is restricted to SameOrigin. 242 if (m_options.credentials != FetchOptions::Credentials::SameOrigin) 243 return; 244 245 m_options.allowCredentials = DoNotAllowStoredCredentials; 246 247 clearResource(); 248 249 // We need to clean the request again as SubresourceLoader may not always do the cleaning, 250 // especially in the case of a cross-origin load but redirection sticking to the same origin. 251 cleanRedirectedRequestForAccessControl(request); 252 makeCrossOriginAccessRequest(ResourceRequest(request)); 260 253 } 261 254 … … 286 279 287 280 ASSERT(response.type() != ResourceResponse::Type::Error); 288 if (response.type() == ResourceResponse::Type::Default) { 289 // FIXME: To be removed once the real fetch mode is passed to underlying loaders. 290 if (options().mode == FetchOptions::Mode::Cors && tainting == ResourceResponse::Tainting::Opaque) 291 tainting = ResourceResponse::Tainting::Cors; 281 if (response.type() == ResourceResponse::Type::Default) 292 282 m_client->didReceiveResponse(identifier, ResourceResponse::filterResponse(response, tainting)); 293 }else {283 else { 294 284 ASSERT(response.isNull() && response.type() == ResourceResponse::Type::Opaqueredirect); 295 285 m_client->didReceiveResponse(identifier, response); … … 369 359 ThreadableLoaderOptions options = m_options; 370 360 options.clientCredentialPolicy = m_sameOriginRequest ? ClientCredentialPolicy::MayAskClientForCredentials : ClientCredentialPolicy::CannotAskClientForCredentials; 371 372 // Set to NoCors as CORS checks are done in DocumentThreadableLoader373 options.mode = FetchOptions::Mode::NoCors;374 361 375 362 CachedResourceRequest newRequest(WTFMove(request), options); -
trunk/Source/WebCore/loader/SubresourceLoader.cpp
r204019 r204117 204 204 } 205 205 206 if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest)) { 207 cancel(); 206 String errorDescription; 207 if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest, errorDescription)) { 208 String errorMessage = "Cross-origin redirection to " + newRequest.url().string() + " denied by Cross-Origin Resource Sharing policy: " + errorDescription; 209 if (m_frame && m_frame->document()) 210 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage); 211 cancel(ResourceError(String(), 0, request().url(), errorMessage, ResourceError::Type::AccessControl)); 208 212 return; 209 213 } … … 398 402 } 399 403 400 bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest )404 bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage) 401 405 { 402 406 ASSERT(options().mode != FetchOptions::Mode::SameOrigin); 403 407 404 bool shouldCheckCrossOrigin = options().mode == FetchOptions::Mode::Cors && m_resource->isCrossOrigin(); 405 406 if (!(m_origin && m_origin->canRequest(newRequest.url()))) 408 bool crossOriginFlag = m_resource->isCrossOrigin(); 409 bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url()); 410 411 if (isNextRequestCrossOrigin) 407 412 m_resource->setCrossOrigin(); 408 413 409 if ( !shouldCheckCrossOrigin)414 if (options().mode != FetchOptions::Mode::Cors) 410 415 return true; 411 416 417 // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9. 418 if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) { 419 errorMessage = ASCIILiteral("URL is either a non-HTTP URL or contains credentials."); 420 return false; 421 } 422 412 423 ASSERT(m_origin); 413 String errorDescription; 414 bool responsePassesCORS = m_origin->canRequest(previousRequest.url()) 415 || passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorDescription); 416 if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) { 417 if (m_frame && m_frame->document()) { 418 String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " + 419 (!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials."); 420 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage); 421 } 424 if (crossOriginFlag && !passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorMessage)) 422 425 return false; 423 } 424 425 // If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier. 426 m_origin = SecurityOrigin::createUnique(); 427 cleanRedirectedRequestForAccessControl(newRequest); 428 updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials); 426 427 bool redirectingToNewOrigin = false; 428 if (m_resource->isCrossOrigin()) { 429 if (!crossOriginFlag && isNextRequestCrossOrigin) 430 redirectingToNewOrigin = true; 431 else 432 redirectingToNewOrigin = !SecurityOrigin::create(previousRequest.url())->canRequest(newRequest.url()); 433 } 434 435 // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 10. 436 if (crossOriginFlag && redirectingToNewOrigin) 437 m_origin = SecurityOrigin::createUnique(); 438 439 if (redirectingToNewOrigin) { 440 cleanRedirectedRequestForAccessControl(newRequest); 441 updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials); 442 } 429 443 430 444 return true; -
trunk/Source/WebCore/loader/SubresourceLoader.h
r203815 r204117 52 52 CachedResource* cachedResource(); 53 53 54 SecurityOrigin* origin() { return m_origin.get(); } 54 55 #if PLATFORM(IOS) 55 56 bool startLoading() override; … … 92 93 93 94 bool checkForHTTPStatusCodeError(); 94 bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& , const ResourceResponse&, ResourceRequest& newRequest);95 bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest, String&); 95 96 96 97 void didReceiveDataOrBuffer(const char*, int, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType); -
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r204019 r204117 978 978 String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), ". ", error.localizedDescription()); 979 979 logConsoleError(scriptExecutionContext(), message); 980 } else if (error.isAccessControl()) { 981 String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), " due to access control checks."); 982 logConsoleError(scriptExecutionContext(), message); 980 983 } 981 984
Note: See TracChangeset
for help on using the changeset viewer.