Changeset 205473 in webkit

Timestamp:

Sep 6, 2016 4:06:52 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

CachedResourceLoader is not taking into account fetch options to use or not cached resources
​https://bugs.webkit.org/show_bug.cgi?id=161389

Patch by Youenn Fablet <​youenn@apple.com> on 2016-09-06
Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Updated as new console log messages appear now that cors checks are done at SubresourceLoader level.

• web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt:
• web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
• web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
• web-platform-tests/fetch/api/cors/cors-basic.js: Fixing a typo in the test making the test always passing, since the fetch promise was not taken into account.
• web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
• web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:
• web-platform-tests/fetch/api/cors/cors-origin-expected.txt:
• web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt:
• web-platform-tests/fetch/api/cors/cors-origin.js:

(corsOrigin): Fixing a typo in the test making the tests always passing, since the fetch promise was not taken into account.

• web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
• web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:

Source/WebCore:

Tests: http/tests/fetch/fetching-same-resource-with-diffferent-options.html

http/tests/security/cross-origin-cached-resource-parallel.html
http/tests/security/cross-origin-cached-resource.html
http/tests/security/load-image-after-redirection-2.html
http/tests/security/shape-outside-and-cached-resources.html

Adding CORS checks for the response in case of CORS fetch mode, in SubresourceLoader.
Removing the CORS checks in Image and DocumentThreadableLoader.

The direction of this patch is to make CachedResource origin-specific/fetch mode specific.

This will remove the need for CachedResource clients to do CORS checks when receiving the notifyFinished call.
This will also make the computation of whether a resource is clean or not much easier since the CachedResource knowd its origin and its response tainting.

Removing the CORS checks at ImageLoader creates the risk of using some cached resources loaded from previously no-cors mode without doing the actual CORS check.
Note that the risk was already there in case of a resource loaded through redirections.
Reusing a cached resource for a load with different options also leads to bad computation of the resource tainting.

As a first step, improvements are done but only for CachedImage resources.

This patch limits the direct reuse of cached resources as follow:

• If the request and existing resources have different origins.
• If the fetch mode is different between request and existing resource.

In those cases, a new CachedResource is created with the correct options and origin.
The data and response of the CachedResource found in the cache are copied efficiently in the new CachedResource, if the matching CachedResource finished loading (CachedImage specific).

If the matching CachedResource is still loading, we trigger a reload (with caching=false to not disturb the being loaded resource).
This should be made more efficient at some point, especially if the matching CachedResource already has its response set.

This triggers a change of behavior: previously, the CORS checks were done by the ImageLoader when the resource was finished loading.
The CORS checks were controlled by the crossOrigin attribute, which may be set or unset between the load start and the load end.

Now the crossOrigin attribute is checked at load start. If it is set, the CORS checks will happen even if the attribute is unset before the end of the load.
This is more consistent as the actual request was built with CORS enabled.

• loader/CrossOriginPreflightChecker.cpp:

(WebCore::CrossOriginPreflightChecker::startPreflight): Setting correctly the preflight options as per fetch spec.

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::didReceiveResponse): Removing CORS check.
(WebCore::DocumentThreadableLoader::loadRequest): Adding CORS check in sync mode.

• loader/ImageLoader.cpp:

(WebCore::ImageLoader::updateFromElement):
(WebCore::ImageLoader::notifyFinished):

• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::didReceiveResponse): Adding CORS checks to the response
(WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl): Helper routine to do CORS checks

• loader/SubresourceLoader.h:
• loader/cache/CachedImage.cpp:

(WebCore::CachedImage::cloneData): Responsible to set image content from another CachedImage.

• loader/cache/CachedImage.h:
• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::computeOrigin): Helper routine to set the origin and whether the resource is cross-origin or not.
(WebCore::CachedResource::load): Using computeOrigin.
(WebCore::CachedResource::loadFrom): Loading from a CachedResource from the same type and which finished loading.

• loader/cache/CachedResource.h:

(WebCore::CachedResource::cloneData):

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest): Helper routine responsible to adapt the CachedResource
that can be reused to the origin and options of a new request.
(WebCore::CachedResourceLoader::requestResource): Calling updateCachedResourceWithCurrentRequest before actually returning the resource.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Space clean-up.

• loader/cache/CachedResourceLoader.h:
• loader/cache/CachedResourceRequest.h:

(WebCore::CachedResourceRequest::setCachingPolicy):

• style/StylePendingResources.cpp:

(WebCore::Style::loadPendingImage): Allowing data URLs for ShapeOutside data.

LayoutTests:

Added specific expectations for fetch cors-origin* tests for mac-wk2 and ios-simulator-wk2 as these tests use
HTTPS, and the connection is refused.

• TestExpectations: Marking http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html as flaky.
• http/tests/eventsource/eventsource-cors-basic-expected.txt:
• http/tests/eventsource/eventsource-cors-with-credentials-expected.txt:
• http/tests/fetch/fetching-same-resource-with-diffferent-options-expected.txt: Added.
• http/tests/fetch/fetching-same-resource-with-diffferent-options.html: Added.
• http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt:
• http/tests/resources/download-json-with-delay.php:
• http/tests/resources/redirect.php:
• http/tests/security/cross-origin-cached-resource-expected.txt: Added.
• http/tests/security/cross-origin-cached-resource-parallel-expected.txt: Added.
• http/tests/security/cross-origin-cached-resource-parallel.html: Added.
• http/tests/security/cross-origin-cached-resource.html: Added.
• http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt:
• http/tests/security/load-image-after-redirection-2-expected.txt: Added.
• http/tests/security/load-image-after-redirection-2.html: Added.
• http/tests/security/resources/abe-allow-star.php:
• http/tests/security/resources/allow-if-origin.php: Added.
• http/tests/security/resources/cross-origin-cached-resource-iframe.html: Added.
• http/tests/security/resources/rgbalpha.png: Added.
• http/tests/security/shape-outside-and-cached-resources-expected.html: Added.
• http/tests/security/shape-outside-and-cached-resources.html: Added.
• http/tests/security/video-poster-cross-origin-crash-expected.txt:
• http/tests/security/video-poster-cross-origin-crash2-expected.txt:
• http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt:
• http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt:
• http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt:
• http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt:
• http/tests/xmlhttprequest/cross-site-denied-response-expected.txt:
• http/tests/xmlhttprequest/onerror-event-expected.txt:
• http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt:
• http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt:
• http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt:
• http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
• http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
• http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt:
• http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt:
• http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/http/tests/eventsource/eventsource-cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/eventsource/eventsource-cors-with-credentials-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/fetch/fetching-same-resource-with-diffferent-options-expected.txt (added)
• LayoutTests/http/tests/fetch/fetching-same-resource-with-diffferent-options.html (added)
• LayoutTests/http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/resources/download-json-with-delay.php (modified) (1 diff)
• LayoutTests/http/tests/resources/redirect.php (modified) (2 diffs)
• LayoutTests/http/tests/security/cross-origin-cached-resource-expected.txt (added)
• LayoutTests/http/tests/security/cross-origin-cached-resource-parallel-expected.txt (added)
• LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html (added)
• LayoutTests/http/tests/security/cross-origin-cached-resource.html (added)
• LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/load-image-after-redirection-2-expected.txt (added)
• LayoutTests/http/tests/security/load-image-after-redirection-2.html (added)
• LayoutTests/http/tests/security/resources/abe-allow-star.php (modified) (1 diff)
• LayoutTests/http/tests/security/resources/allow-if-origin.php (added)
• LayoutTests/http/tests/security/resources/cross-origin-cached-resource-iframe.html (added)
• LayoutTests/http/tests/security/resources/rgbalpha.png (added)
• LayoutTests/http/tests/security/shape-outside-and-cached-resources-expected.html (added)
• LayoutTests/http/tests/security/shape-outside-and-cached-resources.html (added)
• LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/cross-site-denied-response-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/onerror-event-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic.js (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin.js (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt (modified) (5 diffs)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt (modified) (5 diffs)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt (modified) (1 diff)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt (added)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt (added)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt (added)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/CrossOriginPreflightChecker.cpp (modified) (1 diff)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/ImageLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedImage.cpp (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedImage.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResource.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedResource.h (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.h (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceRequest.h (modified) (1 diff)
• Source/WebCore/style/StylePendingResources.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-06  Youenn Fablet  <youenn@apple.com>
+
+        CachedResourceLoader is not taking into account fetch options to use or not cached resources
+        https://bugs.webkit.org/show_bug.cgi?id=161389
+
+        Reviewed by Darin Adler.
+
+        Added specific expectations for fetch cors-origin* tests for mac-wk2 and ios-simulator-wk2 as these tests use
+        HTTPS, and the connection is refused.
+
+        * TestExpectations: Marking http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html as flaky.
+        * http/tests/eventsource/eventsource-cors-basic-expected.txt:
+        * http/tests/eventsource/eventsource-cors-with-credentials-expected.txt:
+        * http/tests/fetch/fetching-same-resource-with-diffferent-options-expected.txt: Added.
+        * http/tests/fetch/fetching-same-resource-with-diffferent-options.html: Added.
+        * http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt:
+        * http/tests/resources/download-json-with-delay.php:
+        * http/tests/resources/redirect.php:
+        * http/tests/security/cross-origin-cached-resource-expected.txt: Added.
+        * http/tests/security/cross-origin-cached-resource-parallel-expected.txt: Added.
+        * http/tests/security/cross-origin-cached-resource-parallel.html: Added.
+        * http/tests/security/cross-origin-cached-resource.html: Added.
+        * http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt:
+        * http/tests/security/load-image-after-redirection-2-expected.txt: Added.
+        * http/tests/security/load-image-after-redirection-2.html: Added.
+        * http/tests/security/resources/abe-allow-star.php:
+        * http/tests/security/resources/allow-if-origin.php: Added.
+        * http/tests/security/resources/cross-origin-cached-resource-iframe.html: Added.
+        * http/tests/security/resources/rgbalpha.png: Added.
+        * http/tests/security/shape-outside-and-cached-resources-expected.html: Added.
+        * http/tests/security/shape-outside-and-cached-resources.html: Added.
+        * http/tests/security/video-poster-cross-origin-crash-expected.txt:
+        * http/tests/security/video-poster-cross-origin-crash2-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt:
+        * http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt:
+        * http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt:
+        * http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt:
+        * http/tests/xmlhttprequest/cross-site-denied-response-expected.txt:
+        * http/tests/xmlhttprequest/onerror-event-expected.txt:
+        * http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt:
+        * http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt:
+        * http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
+        * http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt:
+        * http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt:
+        * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.
+
 2016-09-06  Philippe Normand  <pnormand@igalia.com>
 

trunk/LayoutTests/TestExpectations

@@ -796 +796 @@
 webkit.org/b/158480 http/tests/websocket/tests/hybi/upgrade-simple-ws.html [ Skip ]
 
+webkit.org/b/161389 http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html [ Pass Failure  ]
+
 # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
 loader/stateobjects/pushstate-size-iframe.html [ Slow ]

trunk/LayoutTests/http/tests/eventsource/eventsource-cors-basic-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: EventSource cannot load http://localhost:8000/eventsource/resources/es-cors-basic.php?count=1. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: EventSource cannot load http://localhost:8000/eventsource/resources/es-cors-basic.php?count=2. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that basic EventSource cross-origin requests fail until they are allowed by the Access-Control-Allow-Origin header. Should print a series of PASS messages followed by DONE.

trunk/LayoutTests/http/tests/eventsource/eventsource-cors-with-credentials-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: EventSource cannot load http://localhost:8000/eventsource/resources/es-cors-credentials.php?count=1. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: EventSource cannot load http://localhost:8000/eventsource/resources/es-cors-credentials.php?count=2. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
 CONSOLE MESSAGE: EventSource cannot load http://localhost:8000/eventsource/resources/es-cors-credentials.php?count=3. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
 Test that EventSource cross-origin requests with credentials fail until the correct CORS headers are sent. Should print a series of PASS messages followed by DONE.

trunk/LayoutTests/http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt

@@ -4 +4 @@
 main frame - didHandleOnloadEventsForFrame
 main frame - didFinishLoadForFrame
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/loading/resources/foo.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/loading/resources/foo.txt due to access control checks.
 The console message above should report failure to load foo.txt due to cross-origin access, not a network error.

trunk/LayoutTests/http/tests/resources/download-json-with-delay.php

@@ -1 +1 @@
 <?php
 header("Expires: Thu, 01 Dec 2003 16:00:00 GMT");
-header("Cache-Control: no-cache, no-store, must-revalidate");
-header("Pragma: no-cache");
-header("Content-Type: application/x-no-buffering-please");
+
+if ($_GET['allowCache']) {
+    header("Content-Type: application/json");
+} else {
+    header("Content-Type: application/x-no-buffering-please");
+    header("Cache-Control: no-cache, no-store, must-revalidate");
+    header("Pragma: no-cache");
+}
+
+if ($_GET['cors']) {
+    header("Access-Control-Allow-Origin: *");
+}
 
 $iteration = $_GET['iteration'];

trunk/LayoutTests/http/tests/resources/redirect.php

@@ -1 +1 @@
 <?php
-    function addCacheControl() {
-        # Workaround for https://bugs.webkit.org/show_bug.cgi?id=77538
-        # Caching redirects results in flakiness in tests that dump loader delegates.
-        header("Cache-Control: no-store");
+    function addCacheControl($allowCache) {
+        if ($allowCache)
+            header("Cache-Control: public, max-age=86400");
+        else {
+            # Workaround for https://bugs.webkit.org/show_bug.cgi?id=77538
+            # Caching redirects results in flakiness in tests that dump loader delegates.
+            header("Cache-Control: no-store");
+        }
     }
 
     $url = $_GET['url'];
 
+    $allowCache = isset($_GET['allowCache']);
+
     if (isset($_GET['refresh'])) {
         header("HTTP/1.1 200");
         header("Refresh: " . $_GET['refresh'] . "; url=$url");
-        addCacheControl();
+        addCacheControl($allowCache);
         return;
     }
@@ -23 +29 @@
         header("HTTP/1.1 " . $_GET['code']);
     header("Location: $url");
-    addCacheControl();
+    addCacheControl($allowCache);
 ?>

trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
 ALERT: PASS: The error event was called.

trunk/LayoutTests/http/tests/security/resources/abe-allow-star.php

@@ -1 +1 @@
 <?php
 header("Access-Control-Allow-Origin: *");
+
+$allowCache = $_GET['allowCache'];
+if (isset($allowCache))
+    header("Cache-Control: max-age=100");
 
 $name = 'abe.png';

trunk/LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
 >>>

trunk/LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
 Test passes if it doesn't crash.

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+CONSOLE MESSAGE: Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi due to access control checks.
 Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
 PASS

trunk/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 56: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-origin-no-authorization.php. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-origin-no-authorization.php. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
+CONSOLE MESSAGE: Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-origin-no-authorization.php due to access control checks.
 Start
 Trying different ways to access a password protected resource from another origin. The UA already has login and password for this protection space.

trunk/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531 due to access control checks.
 There should be no authentication prompt displayed, since this is a cross-origin request. In automatic mode, the test relies on logging of authentication sheets.

trunk/LayoutTests/http/tests/xmlhttprequest/cross-site-denied-response-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
 PASS
 

trunk/LayoutTests/http/tests/xmlhttprequest/onerror-event-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-denied.cgi due to access control checks.
 This test that the error event is fired for XMLHttpRequests
 

trunk/LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 20: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/get.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/get.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/get.txt due to access control checks.
 Tests that origin whitelisting for https does not match http URLs.
 

trunk/LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 16: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/get.txt. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/get.txt. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/get.txt due to access control checks.
 Specifying that an IP address should match subdomains doesn't make sense. This test verifies that it doesn't do anything.
 

trunk/LayoutTests/http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-allow-lists.php due to access control checks.
 Test verifies that content MIME type is set correctly when Blob is sent using XMLHttpRequest asynchronously.
 

trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 

trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 

trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
 Test that a simple cross-origin request to a server that responds (but does not permit cross-origin requests) is indistinguishable from one that does not exist. Should say PASS:
 

trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-site-progress-events.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-site-progress-events.cgi due to access control checks.
 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/cross-site-progress-events.cgi. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that upload progress events are not dispatched for simple cross-origin requests (i.e. if the listener is set after calling send(), and there are no other reasons to make a preflight request).

trunk/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt due to access control checks.
 This tests that unsafe redirects won't be allowed when making an XMLHttpRequest.
 Sync XHR started.

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-09-06  Youenn Fablet  <youenn@apple.com>
+
+        CachedResourceLoader is not taking into account fetch options to use or not cached resources
+        https://bugs.webkit.org/show_bug.cgi?id=161389
+
+        Reviewed by Darin Adler.
+
+        Updated as new console log messages appear now that cors checks are done at SubresourceLoader level.
+
+        * web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-basic.js: Fixing a typo in the test making the test always passing, since the fetch promise was not taken into account.
+        * web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-origin-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-origin.js:
+        (corsOrigin): Fixing a typo in the test making the tests always passing, since the fetch promise was not taken into account.
+        * web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
+
 2016-09-05  Commit Queue  <commit-queue@webkit.org>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8801/XMLHttpRequest/resources/img.jpg. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8801/XMLHttpRequest/resources/img.jpg due to access control checks.
 
 FAIL ProgressEvent: security consideration assert_unreached: MUST NOT dispatch progress event. Reached unreachable code

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic.js

@@ -21 +21 @@
 
   promise_test(function(test) {
-    var testedPromise = fetch(url + RESOURCES_DIR + "top.txt", {"mode": "cors"} ).then(function(resp) {
-      return promise_rejects(test, new TypeError(), testedPromise);
-    });
+    return promise_rejects(test, new TypeError(), fetch(url + RESOURCES_DIR + "top.txt", {"mode": "cors"}));
   }, desc + " [server forbid CORS]");
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS 3 origins allowed, match the 3rd (http://localhost:8800) 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS 3 origins allowed, match the 3rd (http://localhost:8800) 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Cross domain different subdomain [origin OK] 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Cross domain different subdomain [origin OK] 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin.js

@@ -17 +17 @@
 
   promise_test(function(test) {
-    fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(function(resp) {
+    return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(function(resp) {
       assert_equals(resp.status, 200, "Clean stash response's status is 200");
       if (shouldPass) {

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -8 +11 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -17 +23 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -26 +35 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -35 +47 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=308&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=308&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -8 +11 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=301&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -17 +23 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=302&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -26 +35 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=303&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
@@ -35 +47 @@
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=307&location=http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=308&location=http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
 CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=308&location=http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.

trunk/LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
 
 PASS Same domain different port [no-cors mode] 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-06  Youenn Fablet  <youenn@apple.com>
+
+        CachedResourceLoader is not taking into account fetch options to use or not cached resources
+        https://bugs.webkit.org/show_bug.cgi?id=161389
+
+        Reviewed by Darin Adler.
+
+        Tests: http/tests/fetch/fetching-same-resource-with-diffferent-options.html
+               http/tests/security/cross-origin-cached-resource-parallel.html
+               http/tests/security/cross-origin-cached-resource.html
+               http/tests/security/load-image-after-redirection-2.html
+               http/tests/security/shape-outside-and-cached-resources.html
+
+        Adding CORS checks for the response in case of CORS fetch mode, in SubresourceLoader.
+        Removing the CORS checks in Image and DocumentThreadableLoader.
+
+        The direction of this patch is to make CachedResource origin-specific/fetch mode specific.
+
+        This will remove the need for CachedResource clients to do CORS checks when receiving the notifyFinished call.
+        This will also make the computation of whether a resource is clean or not much easier since the CachedResource knowd its origin and its response tainting.
+
+        Removing the CORS checks at ImageLoader creates the risk of using some cached resources loaded from previously no-cors mode without doing the actual CORS check.
+        Note that the risk was already there in case of a resource loaded through redirections.
+        Reusing a cached resource for a load with different options also leads to bad computation of the resource tainting.
+
+        As a first step, improvements are done but only for CachedImage resources.
+
+        This patch limits the direct reuse of cached resources as follow:
+        - If the request and existing resources have different origins.
+        - If the fetch mode is different between request and existing resource.
+
+        In those cases, a new CachedResource is created with the correct options and origin.
+        The data and response of the CachedResource found in the cache are copied efficiently in the new CachedResource, if the matching CachedResource finished loading (CachedImage specific).
+
+        If the matching CachedResource is still loading, we trigger a reload (with caching=false to not disturb the being loaded resource).
+        This should be made more efficient at some point, especially if the matching CachedResource already has its response set.
+
+        This triggers a change of behavior: previously, the CORS checks were done by the ImageLoader when the resource was finished loading.
+        The CORS checks were controlled by the crossOrigin attribute, which may be set or unset between the load start and the load end.
+
+        Now the crossOrigin attribute is checked at load start. If it is set, the CORS checks will happen even if the attribute is unset before the end of the load.
+        This is more consistent as the actual request was built with CORS enabled.
+
+        * loader/CrossOriginPreflightChecker.cpp:
+        (WebCore::CrossOriginPreflightChecker::startPreflight): Setting correctly the preflight options as per fetch spec.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::didReceiveResponse): Removing CORS check.
+        (WebCore::DocumentThreadableLoader::loadRequest): Adding CORS check in sync mode.
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::updateFromElement):
+        (WebCore::ImageLoader::notifyFinished):
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::didReceiveResponse): Adding CORS checks to the response
+        (WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl): Helper routine to do CORS checks
+        * loader/SubresourceLoader.h:
+        * loader/cache/CachedImage.cpp:
+        (WebCore::CachedImage::cloneData): Responsible to set image content from another CachedImage.
+        * loader/cache/CachedImage.h:
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::computeOrigin): Helper routine to set the origin and whether the resource is cross-origin or not.
+        (WebCore::CachedResource::load): Using computeOrigin.
+        (WebCore::CachedResource::loadFrom): Loading from a CachedResource from the same type and which finished loading.
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::cloneData):
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest): Helper routine responsible to adapt the CachedResource
+        that can be reused to the origin and options of a new request.
+        (WebCore::CachedResourceLoader::requestResource): Calling updateCachedResourceWithCurrentRequest before actually returning the resource.
+        (WebCore::CachedResourceLoader::determineRevalidationPolicy): Space clean-up.
+        * loader/cache/CachedResourceLoader.h:
+        * loader/cache/CachedResourceRequest.h:
+        (WebCore::CachedResourceRequest::setCachingPolicy):
+        * style/StylePendingResources.cpp:
+        (WebCore::Style::loadPendingImage): Allowing data URLs for ShapeOutside data.
+
 2016-09-05  Darin Adler  <darin@apple.com>
 

trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp

@@ -101 +101 @@
 void CrossOriginPreflightChecker::startPreflight()
 {
-    ResourceLoaderOptions options = static_cast<FetchOptions>(m_loader.options());
-    options.credentials = FetchOptions::Credentials::Omit;
+    ResourceLoaderOptions options;
+    options.referrerPolicy = m_loader.options().referrerPolicy;
     options.redirect = FetchOptions::Redirect::Manual;
 

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -277 +277 @@
     ASSERT(m_client);
 
-    String accessControlErrorDescription;
-    if (!m_sameOriginRequest && m_options.mode == FetchOptions::Mode::Cors) {
-        if (!passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription)) {
-            m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, response.url(), accessControlErrorDescription, ResourceError::Type::AccessControl));
-            return;
-        }
-    }
-
     ASSERT(response.type() != ResourceResponse::Type::Error);
     if (response.type() == ResourceResponse::Type::Default) {
@@ -431 +423 @@
 
     ResourceResponse::Tainting tainting = ResourceResponse::Tainting::Basic;
-    if (!m_sameOriginRequest)
-        tainting = m_options.mode == FetchOptions::Mode::Cors ? ResourceResponse::Tainting::Cors : ResourceResponse::Tainting::Opaque;
+    if (!m_sameOriginRequest) {
+        if (m_options.mode == FetchOptions::Mode::NoCors)
+            tainting = ResourceResponse::Tainting::Opaque;
+        else {
+            ASSERT(m_options.mode == FetchOptions::Mode::Cors);
+            tainting = ResourceResponse::Tainting::Cors;
+            String accessControlErrorDescription;
+            if (!passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription)) {
+                m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, response.url(), accessControlErrorDescription, ResourceError::Type::AccessControl));
+                return;
+            }
+        }
+    }
     didReceiveResponse(identifier, response, tainting);
 

trunk/Source/WebCore/loader/ImageLoader.cpp

@@ -211 +211 @@
         errorEventSender().dispatchEventSoon(*this);
     }
-    
+
     CachedImage* oldImage = m_image.get();
     if (newImage != oldImage) {
@@ -283 +283 @@
         return;
 
-    if (element().hasAttributeWithoutSynchronization(HTMLNames::crossoriginAttr) && !resource->passesSameOriginPolicyCheck(*element().document().securityOrigin())) {
+    if (resource->resourceError().isAccessControl()) {
         clearImageWithoutConsideringPendingLoadEvent();
 

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -278 +278 @@
     }
 
+    String errorDescription;
+    if (!checkResponseCrossOriginAccessControl(response, errorDescription)) {
+        if (m_frame && m_frame->document())
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorDescription);
+        cancel(ResourceError(String(), 0, request().url(), errorDescription, ResourceError::Type::AccessControl));
+        return;
+    }
+
     m_resource->responseReceived(response);
     if (reachedTerminalState())
@@ -402 +410 @@
     }
     frame->page()->diagnosticLoggingClient().logDiagnosticMessageWithValue(DiagnosticLoggingKeys::resourceKey(), DiagnosticLoggingKeys::loadedKey(), resourceType, ShouldSample::Yes);
+}
+
+bool SubresourceLoader::checkResponseCrossOriginAccessControl(const ResourceResponse& response, String& errorDescription)
+{
+    if (!m_resource->isCrossOrigin() || options().mode != FetchOptions::Mode::Cors)
+        return true;
+
+    ASSERT(m_origin);
+    return passesAccessControlCheck(response, options().allowCredentials, *m_origin, errorDescription);
 }
 

trunk/Source/WebCore/loader/SubresourceLoader.h

@@ -93 +93 @@
 
     bool checkForHTTPStatusCodeError();
+    bool checkResponseCrossOriginAccessControl(const ResourceResponse&, String&);
     bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest, String&);
 

trunk/Source/WebCore/loader/cache/CachedImage.cpp

@@ -115 +115 @@
 }
 
+void CachedImage::setBodyDataFrom(const CachedResource& resource)
+{
+    ASSERT(resource.type() == type());
+    const CachedImage& image = static_cast<const CachedImage&>(resource);
+
+    setLoading(false);
+    m_image = image.m_image;
+
+    if (m_image && is<SVGImage>(*m_image))
+        m_svgImageCache = std::make_unique<SVGImageCache>(&downcast<SVGImage>(*m_image));
+}
+
 void CachedImage::didAddClient(CachedResourceClient* client)
 {
@@ -121 +133 @@
         m_image->setData(m_data.copyRef(), true);
     }
-    
+
     ASSERT(client->resourceClientType() == CachedImageClient::expectedType());
     if (m_image && !m_image->isNull())

trunk/Source/WebCore/loader/cache/CachedImage.h

@@ -92 +92 @@
     void clear();
 
+    CachedImage(CachedImage&, const ResourceRequest&, SessionID);
+
+    void setBodyDataFrom(const CachedResource&) final;
+
     void createImage();
     void clearImage();

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -237 +237 @@
 }
 
-void CachedResource::addAdditionalRequestHeaders(CachedResourceLoader& cachedResourceLoader)
-{
-    addAdditionalRequestHeadersToRequest(m_resourceRequest, cachedResourceLoader, *this);
+void CachedResource::addAdditionalRequestHeaders(CachedResourceLoader& loader)
+{
+    addAdditionalRequestHeadersToRequest(m_resourceRequest, loader, *this);
+}
+
+void CachedResource::computeOrigin(CachedResourceLoader& loader)
+{
+    if (type() == MainResource)
+        return;
+
+    ASSERT(loader.document());
+    if (m_resourceRequest.hasHTTPOrigin())
+        m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());
+    else
+        m_origin = loader.document()->securityOrigin();
+    ASSERT(m_origin);
+
+    if (!(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) && !m_origin->canRequest(m_resourceRequest.url()))
+        setCrossOrigin();
+
+    addAdditionalRequestHeaders(loader);
 }
 
@@ -301 +319 @@
     m_resourceRequest.setPriority(loadPriority());
 
-    if (type() != MainResource) {
-        if (m_resourceRequest.hasHTTPOrigin())
-            m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());
-        else
-            m_origin = cachedResourceLoader.document()->securityOrigin();
-        ASSERT(m_origin);
-
-        if (!(m_resourceRequest.url().protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set)  && m_origin && !m_origin->canRequest(m_resourceRequest.url()))
-            setCrossOrigin();
-
-        addAdditionalRequestHeaders(cachedResourceLoader);
-    }
+    computeOrigin(cachedResourceLoader);
 
     // FIXME: It's unfortunate that the cache layer and below get to know anything about fragment identifiers.
@@ -331 +338 @@
 
     m_status = Pending;
+}
+
+void CachedResource::loadFrom(const CachedResource& resource, const ResourceLoaderOptions& options, CachedResourceLoader& cachedResourceLoader)
+{
+    ASSERT(url() == resource.url());
+    ASSERT(type() == resource.type());
+    ASSERT(resource.status() == Status::Cached);
+
+    m_options = options;
+    computeOrigin(cachedResourceLoader);
+
+    if (isCrossOrigin() && options.mode == FetchOptions::Mode::Cors) {
+        ASSERT(m_origin);
+        String errorMessage;
+        if (!WebCore::passesAccessControlCheck(resource.response(), m_options.allowCredentials, *m_origin, errorMessage)) {
+            setResourceError(ResourceError(String(), 0, url(), errorMessage, ResourceError::Type::AccessControl));
+            return;
+        }
+    }
+
+    setBodyDataFrom(resource);
 }
 

trunk/Source/WebCore/loader/cache/CachedResource.h

@@ -210 +210 @@
     ResourceResponse::Tainting responseTainting() const { return m_responseTainting; }
 
+    void loadFrom(const CachedResource&, const ResourceLoaderOptions&, CachedResourceLoader&);
+
     SecurityOrigin* origin() const { return m_origin.get(); }
 
@@ -306 +308 @@
     virtual void checkNotify();
     virtual bool mayTryReplaceEncodedData() const { return false; }
+    virtual void setBodyDataFrom(const CachedResource&) { }
 
     std::chrono::microseconds freshnessLifetime(const ResourceResponse&) const;
 
     void addAdditionalRequestHeaders(CachedResourceLoader&);
+    void computeOrigin(CachedResourceLoader&);
     void failBeforeStarting();
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -540 +540 @@
 }
 
+bool CachedResourceLoader::updateCachedResourceWithCurrentRequest(CachedResourceRequest& request, CachedResourceHandle<CachedResource>& resourceHandle)
+{
+    ASSERT(resourceHandle);
+
+    CachedResource& resource = *resourceHandle;
+
+    // FIXME: We should progressively extend this to other reusable resources
+    if (resource.type() != CachedResource::Type::ImageResource)
+        return false;
+
+    bool shouldUpdate = resource.options().mode != request.options().mode || request.resourceRequest().httpOrigin() != resource.resourceRequest().httpOrigin();
+
+    if (!shouldUpdate)
+        return false;
+
+    // FIXME: For being loaded requests, we currently do not use the same resource, as this may induce errors in the resource response tainting.
+    // We should find a way to improve this.
+    if (resource.status() != CachedResource::Cached) {
+        request.setCachingPolicy(CachingPolicy::DisallowCaching);
+        resourceHandle = loadResource(resource.type(), request);
+        return true;
+    }
+
+    resourceHandle = createResource(resource.type(), request.mutableResourceRequest(), request.charset(), sessionID());
+    resourceHandle->loadFrom(resource, request.options(), *this);
+    return true;
+}
+
 static inline void logMemoryCacheResourceRequest(Frame* frame, const String& description, const String& value = String())
 {
@@ -636 +664 @@
         break;
     case Use:
-        if (!shouldContinueAfterNotifyingLoadedFromMemoryCache(request, resource.get()))
-            return nullptr;
-        logMemoryCacheResourceRequest(frame(), DiagnosticLoggingKeys::inMemoryCacheKey(), DiagnosticLoggingKeys::usedKey());
-        memoryCache.resourceAccessed(*resource);
+        if (!updateCachedResourceWithCurrentRequest(request, resource)) {
+            if (!shouldContinueAfterNotifyingLoadedFromMemoryCache(request, resource.get()))
+                return nullptr;
+            logMemoryCacheResourceRequest(frame(), DiagnosticLoggingKeys::inMemoryCacheKey(), DiagnosticLoggingKeys::usedKey());
+            memoryCache.resourceAccessed(*resource);
 #if ENABLE(WEB_TIMING)
-        if (document() && RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled()) {
-            // FIXME (161170): The networkLoadTiming shouldn't be stored on the ResourceResponse.
-            resource->response().networkLoadTiming().reset();
-            loadTiming.setResponseEnd(monotonicallyIncreasingTime());
-            m_resourceTimingInfo.storeResourceTimingInitiatorInformation(resource, request, frame());
-            m_resourceTimingInfo.addResourceTiming(resource.get(), *document(), loadTiming);
-        }
-#endif
+            if (document() && RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled()) {
+                // FIXME (161170): The networkLoadTiming shouldn't be stored on the ResourceResponse.
+                resource->response().networkLoadTiming().reset();
+                loadTiming.setResponseEnd(monotonicallyIncreasingTime());
+                m_resourceTimingInfo.storeResourceTimingInitiatorInformation(resource, request, frame());
+                m_resourceTimingInfo.addResourceTiming(resource.get(), *document(), loadTiming);
+            }
+#endif
+        }
         break;
     }
@@ -801 +831 @@
     if (cachedResourceRequest.defer() == CachedResourceRequest::DeferredByClient)
         return Reload;
-    
+
     // Don't reload resources while pasting.
     if (m_allowStaleResources)
         return Use;
-    
+
     // Always use preloads.
     if (existingResource->isPreloaded())

trunk/Source/WebCore/loader/cache/CachedResourceLoader.h

@@ -156 +156 @@
     enum RevalidationPolicy { Use, Revalidate, Reload, Load };
     RevalidationPolicy determineRevalidationPolicy(CachedResource::Type, CachedResourceRequest&, CachedResource* existingResource) const;
-    
+
+    bool updateCachedResourceWithCurrentRequest(CachedResourceRequest&, CachedResourceHandle<CachedResource>&);
     bool shouldContinueAfterNotifyingLoadedFromMemoryCache(const CachedResourceRequest&, CachedResource*);
     bool checkInsecureContent(CachedResource::Type, const URL&) const;

trunk/Source/WebCore/loader/cache/CachedResourceRequest.h

@@ -62 +62 @@
     const AtomicString& initiatorName() const;
     bool allowsCaching() const { return m_options.cachingPolicy == CachingPolicy::AllowCaching; }
+    void setCachingPolicy(CachingPolicy policy) { m_options.cachingPolicy = policy; }
 
     void setAsPotentiallyCrossOrigin(const String&, Document&);

trunk/Source/WebCore/style/StylePendingResources.cpp

@@ -55 +55 @@
         options.mode = FetchOptions::Mode::Cors;
         options.allowCredentials = DoNotAllowStoredCredentials;
+        options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
     }