Changeset 204117 in webkit

Timestamp:

Aug 4, 2016 12:56:37 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

DocumentThreadableLoader should pass the fetch mode to underlying loader code
​https://bugs.webkit.org/show_bug.cgi?id=160399

Patch by Youenn Fablet <​youenn@apple.com> on 2016-08-04
Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Updated expectations.
Added new tests to check specifically for Origin header in case of redirections.
Updated server-side redirect.py python script to generate valid Location URLs.

• web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt:
• web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt:
• web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
• web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-location-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt: Added.
• web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt: Added.
• web-platform-tests/fetch/api/redirect/redirect-origin-worker.html: Added.
• web-platform-tests/fetch/api/redirect/redirect-origin.html: Added.
• web-platform-tests/fetch/api/redirect/redirect-origin.js: Added.

(testOriginAfterRedirection):

• web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt:
• web-platform-tests/fetch/api/redirect/redirect-schemes.html: Updated test so that fetches are done in a deterministic order, one after the other is finished.
• web-platform-tests/fetch/api/resources/redirect.py:

(main):

Source/WebCore:

Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html

imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html

Covered by existing and rebased tests.

DocumentThredableLoader was previously loading resources in NoCors mode and doing the cors checks on it own.
This was duplicating code and increasing the risk of being not consistent.
DocumentThreadableLoader is now passing the fetch mode given by client to underlying loader code.
This allows removing some CORS checks in DocumentThreadableLoader code for redirections.

Updated SubresourceLoader redirection CORS checks to be on par with DocumentThreadableLoader.
In particular, aligning the code with ​https://fetch.spec.whatwg.org/#http-redirect-fetch.

The error logging situation is not perfect as some errors are properly logged in the console while some others are not.
For instance blockedError (due to forbidden port for instance) reason is not logged on the console.

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::redirectReceived): Updating redirection checking as SubresourceLoader is already doing most of the checks.
(WebCore::DocumentThreadableLoader::didReceiveResponse): Removing temp hack as tainting is now computed by underlying loader code.
(WebCore::DocumentThreadableLoader::loadRequest): Removing fetch mode change.

• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::willSendRequestInternal): Updating cancellation error and improve error logging.
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Improved the checks and error reporting.
Tried to align as much as possible to ​https://fetch.spec.whatwg.org/#http-redirect-fetch.

• loader/SubresourceLoader.h:
• xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::didFail): Added an error message to the console in case of access control error.

LayoutTests:

• TestExpectations:
• http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
• http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt:
• http/tests/workers/worker-redirect-expected.txt:
• http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
• http/tests/xmlhttprequest/access-control-and-redirects-async.html: Fixed bugs in the test and updated comments.
• http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
• http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
• http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/workers/worker-redirect-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html (modified) (2 diffs)
• LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.js (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.h (modified) (2 diffs)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-08-04  Youenn Fablet  <youenn@apple.com>
+
+        DocumentThreadableLoader should pass the fetch mode to underlying loader code
+        https://bugs.webkit.org/show_bug.cgi?id=160399
+
+        Reviewed by Alex Christensen.
+
+        * TestExpectations:
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt:
+        * http/tests/workers/worker-redirect-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects-async.html: Fixed bugs in the test and updated comments.
+        * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
+        * http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt:
+
 2016-08-04  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -363 +363 @@
 [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-method-worker.html [ Skip ]
 [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker.html [ Skip ]
+[ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html [ Skip ]
 [ Debug ] imported/w3c/web-platform-tests/fetch/nosniff/worker.html [ Skip ]
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html. Domains, protocols and ports must match.
+
 This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
 

trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html. Domains, protocols and ports must match.
+
 This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
 

trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from frame with URL http://127.0.0.1:8000/workers/worker-redirect.html. Domains, protocols and ports must match.
+
 Test that loading the worker's script does not allow a cross origin redirect (bug 26146)
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks.
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. Preflight response is not successful
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*&%20%20access-control-allow-headers=x-webkit. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
@@ -10 +10 @@
 Expecting success: false
 PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://127.0.0.1:8000 without credentials
 Expecting success: true
-FAIL: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
-Expecting success: false
-PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&  access-control-allow-origin=http://127.0.0.1:8000 without credentials
 Expecting success: false
 PASS: 0

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html

@@ -49 +49 @@
   withoutCredentials, noCustomHeader, fails],
 
-// Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
-// passes the access check.
-// FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original
-// request was cross-origin.
+// Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response passes the access check.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
-  access-control-allow-origin=http://localhost:8000",
+  access-control-allow-origin=http://127.0.0.1:8000",
   withoutCredentials, noCustomHeader, succeeds],
 
-// Receives a redirect response with a URL containing the userinfo production.
+// Receives a redirect response with a URL containing the userinfo production. Although loading should fail according fetch spec,
+// the underlying HTTP stack currently removes credentials from redirection URL, hence loading is successful.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
-  access-control-allow-origin=http://localhost:8000",
-  withoutCredentials, noCustomHeader, fails],
+  access-control-allow-origin=http://127.0.0.1:8000",
+  withoutCredentials, noCustomHeader, succeeds],
 
 // Receives a redirect response with a URL with an unsupported scheme.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\
-  access-control-allow-origin=http://localhost:8000",
+  access-control-allow-origin=http://127.0.0.1:8000",
   withoutCredentials, noCustomHeader, fails],
 
@@ -75 +73 @@
   withoutCredentials, addCustomHeader, fails],
 
-// Successful preflight and receives a redirect response to the actual request and fails.
+// Successful preflight and receives a redirect response to the actual request.
+// Preflight to the redirected URL should fail as it does not allow custom headers.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
 CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
 Tests that redirects between origins are never allowed, even when access control is involved.
 

trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 

trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks.
 Test that a simple cross-origin request to a server that responds (but does not permit cross-origin requests) is indistinguishable from one that does not exist. Should say PASS:
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-08-04  Youenn Fablet  <youenn@apple.com>
+
+        DocumentThreadableLoader should pass the fetch mode to underlying loader code
+        https://bugs.webkit.org/show_bug.cgi?id=160399
+
+        Reviewed by Alex Christensen.
+
+        Updated expectations.
+        Added new tests to check specifically for Origin header in case of redirections.
+        Updated server-side redirect.py python script to generate valid Location URLs.
+
+        * web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt:
+        * web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-location-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-origin-worker.html: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-origin.html: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-origin.js: Added.
+        (testOriginAfterRedirection):
+        * web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt:
+        * web-platform-tests/fetch/api/redirect/redirect-schemes.html: Updated test so that fetches are done in a deterministic order, one after the other is finished.
+        * web-platform-tests/fetch/api/resources/redirect.py:
+        (main):
+
 2016-08-03  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt

@@ -1 +1 @@
 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py
+CONSOLE MESSAGE: line 34: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py due to access control checks.
 
 FAIL XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() (expects to succeed) assert_true: responseText should contain the right user and password expected true got false

trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt

@@ -1 +1 @@
 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py
+CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py due to access control checks.
 Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py
+CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py due to access control checks.
 
 FAIL CORS request with setRequestHeader auth to URL accepting Authorization header assert_true: responseText should contain the right user and password expected true got false

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 
 PASS Redirect 301 from same origin to remote with user and password 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 
 PASS Redirect 301 from same origin to remote with user and password 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
 
 PASS Redirect 301 in "follow" mode without location 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
 
 PASS Redirect 301 in "follow" mode without location 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs?l=blob:djfksfjs&count=1
+CONSOLE MESSAGE: Cross-origin redirection to mailto:a@a.com denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,HI denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to facetime:a@a.org denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to about:blank denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to about:unicorn denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs
 
 PASS Fetch: handling different schemes in redirects 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html

@@ -7 +7 @@
 <script>
   // All non-HTTP(S) schemes cannot survive redirects
-  var url = "../resources/redirect.py?location=",
-      tests = [
-    fetch(url + "mailto:a@a.com"),
-    fetch(url + "data:,HI"),
-    fetch(url + "facetime:a@a.org"),
-    fetch(url + "about:blank"),
-    fetch(url + "about:unicorn"),
-    fetch(url + "blob:djfksfjs")
+  var url = "../resources/redirect.py?location=";
+  var tests = [
+    url + "mailto:a@a.com",
+    url + "data:,HI",
+    url + "facetime:a@a.org",
+    url + "about:blank",
+    url + "about:unicorn",
+    url + "blob:djfksfjs"
   ];
-  tests.forEach(function(f) {
-    promise_test(function(t) {
-      return promise_rejects(t, new TypeError(), f)
+  tests.forEach(function(url) {
+    promise_test(function(test) {
+      return promise_rejects(test, new TypeError(), fetch(url))
     })
   })

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py

@@ +1 @@
+from urllib import urlencode
+from urlparse import urlparse
+
 def main(request, response):
     stashed_data = {'count': 0, 'preflight': "0"}
@@ -29 +32 @@
     stashed_data['count'] += 1
 
-    #keep url parameters in location
-    url_parameters = "?" + "&".join(map(lambda x: x[0][0] + "=" + x[1][0], request.GET.items()))
-    #make sure location changes during redirection loop
-    url_parameters += "&count=" + str(stashed_data['count'])
-
     if "location" in request.GET:
-        headers.append(("Location", request.GET['location'] + url_parameters))
+        url = request.GET['location']
+        scheme = urlparse(url).scheme
+        if scheme == "" or scheme == "http" or scheme == "https":
+            url += "&" if '?' in url else "?"
+            #keep url parameters in location
+            url += urlencode(request.GET.items())
+            #make sure location changes during redirection loop
+            url += "&count=" + str(stashed_data['count'])
+        headers.append(("Location", url))
 
     if token:

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-04  Youenn Fablet  <youenn@apple.com>
+
+        DocumentThreadableLoader should pass the fetch mode to underlying loader code
+        https://bugs.webkit.org/show_bug.cgi?id=160399
+
+        Reviewed by Alex Christensen.
+
+        Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html
+               imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html
+        Covered by existing and rebased tests.
+
+        DocumentThredableLoader was previously loading resources in NoCors mode and doing the cors checks on it own.
+        This was duplicating code and increasing the risk of being not consistent.
+        DocumentThreadableLoader is now passing the fetch mode given by client to underlying loader code.
+        This allows removing some CORS checks in DocumentThreadableLoader code for redirections.
+
+        Updated SubresourceLoader redirection CORS checks to be on par with DocumentThreadableLoader.
+        In particular, aligning the code with https://fetch.spec.whatwg.org/#http-redirect-fetch.
+
+        The error logging situation is not perfect as some errors are properly logged in the console while some others are not.
+        For instance blockedError (due to forbidden port for instance) reason is not logged on the console.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Updating redirection checking as SubresourceLoader is already doing most of the checks.
+        (WebCore::DocumentThreadableLoader::didReceiveResponse): Removing temp hack as tainting is now computed by underlying loader code.
+        (WebCore::DocumentThreadableLoader::loadRequest): Removing fetch mode change.
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::willSendRequestInternal): Updating cancellation error and improve error logging.
+        (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Improved the checks and error reporting.
+        Tried to align as much as possible to https://fetch.spec.whatwg.org/#http-redirect-fetch.
+        * loader/SubresourceLoader.h:
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::didFail): Added an error message to the console in case of access control error.
+
 2016-08-03  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -221 +221 @@
         return;
 
-    // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
-    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
-    // original request was not same-origin.
-    if (m_options.mode == FetchOptions::Mode::Cors) {
-        bool allowRedirect = false;
-        if (m_simpleRequest) {
-            String accessControlErrorDescription;
-            allowRedirect = isValidCrossOriginRedirectionURL(request.url())
-                && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription));
-        }
-
-        if (allowRedirect) {
-            if (m_resource)
-                clearResource();
-
-            RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
-            RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url());
-            // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
-            // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
-            // should be the original URL origin.)
-            if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
-                m_origin = SecurityOrigin::createUnique();
-            // Force any subsequent request to use these checks.
-            m_sameOriginRequest = false;
-
-            if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
-                m_options.allowCredentials = DoNotAllowStoredCredentials;
-
-            cleanRedirectedRequestForAccessControl(request);
-
-            makeCrossOriginAccessRequest(ResourceRequest(request));
-            return;
-        }
-    }
-
-    reportCrossOriginResourceSharingError(*m_client, redirectResponse.url());
-    request = ResourceRequest();
+    // Force any subsequent request to use these checks.
+    m_sameOriginRequest = false;
+
+    ASSERT(m_resource);
+    ASSERT(m_resource->loader());
+    ASSERT(m_options.mode == FetchOptions::Mode::Cors);
+
+    // FIXME: We could remove that restriction, since we can use preflighting.
+    if (!m_simpleRequest) {
+        reportCrossOriginResourceSharingError(*m_client, redirectResponse.url());
+        request = ResourceRequest();
+        return;
+    }
+
+    // Loader might have modified the origin to a unique one, let's reuse it for subsequent loads.
+    m_origin = m_resource->loader()->origin();
+
+    // Except in case where preflight is needed, loading should be able to continue on its own.
+    // But we also handle credentials here if it is restricted to SameOrigin.
+    if (m_options.credentials != FetchOptions::Credentials::SameOrigin)
+        return;
+
+    m_options.allowCredentials = DoNotAllowStoredCredentials;
+
+    clearResource();
+
+    // We need to clean the request again as SubresourceLoader may not always do the cleaning,
+    // especially in the case of a cross-origin load but redirection sticking to the same origin.
+    cleanRedirectedRequestForAccessControl(request);
+    makeCrossOriginAccessRequest(ResourceRequest(request));
 }
 
@@ -286 +279 @@
 
     ASSERT(response.type() != ResourceResponse::Type::Error);
-    if (response.type() == ResourceResponse::Type::Default) {
-        // FIXME: To be removed once the real fetch mode is passed to underlying loaders.
-        if (options().mode == FetchOptions::Mode::Cors && tainting == ResourceResponse::Tainting::Opaque)
-            tainting = ResourceResponse::Tainting::Cors;
+    if (response.type() == ResourceResponse::Type::Default)
         m_client->didReceiveResponse(identifier, ResourceResponse::filterResponse(response, tainting));
-    } else {
+    else {
         ASSERT(response.isNull() && response.type() == ResourceResponse::Type::Opaqueredirect);
         m_client->didReceiveResponse(identifier, response);
@@ -369 +359 @@
         ThreadableLoaderOptions options = m_options;
         options.clientCredentialPolicy = m_sameOriginRequest ? ClientCredentialPolicy::MayAskClientForCredentials : ClientCredentialPolicy::CannotAskClientForCredentials;
-
-        // Set to NoCors as CORS checks are done in DocumentThreadableLoader
-        options.mode = FetchOptions::Mode::NoCors;
 
         CachedResourceRequest newRequest(WTFMove(request), options);

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -204 +204 @@
         }
 
-        if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
-            cancel();
+        String errorDescription;
+        if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest, errorDescription)) {
+            String errorMessage = "Cross-origin redirection to " + newRequest.url().string() + " denied by Cross-Origin Resource Sharing policy: " + errorDescription;
+            if (m_frame && m_frame->document())
+                m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
+            cancel(ResourceError(String(), 0, request().url(), errorMessage, ResourceError::Type::AccessControl));
             return;
         }
@@ -398 +402 @@
 }
 
-bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
+bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage)
 {
     ASSERT(options().mode != FetchOptions::Mode::SameOrigin);
 
-    bool shouldCheckCrossOrigin = options().mode == FetchOptions::Mode::Cors && m_resource->isCrossOrigin();
-
-    if (!(m_origin && m_origin->canRequest(newRequest.url())))
+    bool crossOriginFlag = m_resource->isCrossOrigin();
+    bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
+
+    if (isNextRequestCrossOrigin)
         m_resource->setCrossOrigin();
 
-    if (!shouldCheckCrossOrigin)
+    if (options().mode != FetchOptions::Mode::Cors)
         return true;
 
+    // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
+    if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
+        errorMessage = ASCIILiteral("URL is either a non-HTTP URL or contains credentials.");
+        return false;
+    }
+
     ASSERT(m_origin);
-    String errorDescription;
-    bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
-        || passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorDescription);
-    if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
-        if (m_frame && m_frame->document()) {
-            String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
-                (!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials.");
-            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
-        }
+    if (crossOriginFlag && !passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorMessage))
         return false;
-    }
-
-    // If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
-    m_origin = SecurityOrigin::createUnique();
-    cleanRedirectedRequestForAccessControl(newRequest);
-    updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials);
+
+    bool redirectingToNewOrigin = false;
+    if (m_resource->isCrossOrigin()) {
+        if (!crossOriginFlag && isNextRequestCrossOrigin)
+            redirectingToNewOrigin = true;
+        else
+            redirectingToNewOrigin = !SecurityOrigin::create(previousRequest.url())->canRequest(newRequest.url());
+    }
+
+    // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 10.
+    if (crossOriginFlag && redirectingToNewOrigin)
+        m_origin = SecurityOrigin::createUnique();
+
+    if (redirectingToNewOrigin) {
+        cleanRedirectedRequestForAccessControl(newRequest);
+        updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials);
+    }
 
     return true;

trunk/Source/WebCore/loader/SubresourceLoader.h

@@ -52 +52 @@
     CachedResource* cachedResource();
 
+    SecurityOrigin* origin() { return m_origin.get(); }
 #if PLATFORM(IOS)
     bool startLoading() override;
@@ -92 +93 @@
 
     bool checkForHTTPStatusCodeError();
-    bool checkRedirectionCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
+    bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest, String&);
 
     void didReceiveDataOrBuffer(const char*, int, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType);

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -978 +978 @@
         String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), ". ", error.localizedDescription());
         logConsoleError(scriptExecutionContext(), message);
+    } else if (error.isAccessControl()) {
+        String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), " due to access control checks.");
+        logConsoleError(scriptExecutionContext(), message);
     }