Changeset 47291 in webkit

Timestamp:

Aug 14, 2009 12:25:37 PM (15 years ago)

Author:

eric@webkit.org

Message:

2009-08-14 Aaron Boodman <​aa@chromium.org>

Reviewed by Alexey Proskuryakov.

BUG 28134: Move the remaining parts of Access Control from XMLHttpRequest to ThreadableDocumentLoader.
​https://bugs.webkit.org/show_bug.cgi?id=28134

No new tests added since Access Control was already well tested and this is a pure refactor.

• loader/DocumentThreadableLoader.cpp: Move a lot of the access control code from XHR in, preserving its basic strategy. Also, modify the synchronous path to not be a special case, but reuse more of the async path.

(WebCore::DocumentThreadableLoader::loadResourceSynchronously): Go through the async path and pass additional flags.
(WebCore::DocumentThreadableLoader::create): Group enum params into an options struct.
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
(WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Brought mostly from XHR.
(WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight): Ditto.
(WebCore::DocumentThreadableLoader::willSendRequest): Handle preflight case.
(WebCore::DocumentThreadableLoader::didReceiveResponse): Ditto.
(WebCore::DocumentThreadableLoader::didFinishLoading): Ditto.
(WebCore::DocumentThreadableLoader::getShouldUseCredentialStorage): Ditto.
(WebCore::DocumentThreadableLoader::preflightSuccess): Preflight handling.
(WebCore::DocumentThreadableLoader::preflightFailure): Ditto.
(WebCore::DocumentThreadableLoader::loadRequest): Common request function that handles async/sync.

• loader/DocumentThreadableLoader.h: Group enum params into an options struct.
• loader/ThreadableLoader.cpp: Ditto. (WebCore::ThreadableLoader::create): Ditto. (WebCore::ThreadableLoader::loadResourceSynchronously): Ditto.
• loader/ThreadableLoader.h: Ditto. (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Ditto.
• loader/WorkerThreadableLoader.cpp: Ditto. (WebCore::WorkerThreadableLoader::WorkerThreadableLoader):Ditto. (WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto. (WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Ditto. (WebCore::WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader): Ditto.
• loader/WorkerThreadableLoader.h: Ditto. (WebCore::WorkerThreadableLoader::create): Ditto.
• platform/CrossThreadCopier.h: Allow ThreadableLoaderOptions to be copied across threads. (WebCore::):
• workers/WorkerScriptLoader.cpp: More enum->struct grouping. (WebCore::WorkerScriptLoader::loadSynchronously): More enum->struct grouping. (WebCore::WorkerScriptLoader::loadAsynchronously): More enum->struct grouping.
• xml/XMLHttpRequest.cpp: Remove all the access control code and some supporting state. (WebCore::XMLHttpRequest::XMLHttpRequest): Ditto. (WebCore::XMLHttpRequest::createRequest): Ditto. (WebCore::XMLHttpRequest::didFinishLoading): Ditto. (WebCore::XMLHttpRequest::didReceiveResponse): Ditto. (WebCore::XMLHttpRequest::didReceiveData): Ditto.
• xml/XMLHttpRequest.h: Ditto.

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/DocumentThreadableLoader.cpp (modified) (8 diffs)
• loader/DocumentThreadableLoader.h (modified) (4 diffs)
• loader/ThreadableLoader.cpp (modified) (4 diffs)
• loader/ThreadableLoader.h (modified) (2 diffs)
• loader/WorkerThreadableLoader.cpp (modified) (7 diffs)
• loader/WorkerThreadableLoader.h (modified) (4 diffs)
• platform/CrossThreadCopier.h (modified) (2 diffs)
• workers/WorkerScriptLoader.cpp (modified) (2 diffs)
• xml/XMLHttpRequest.cpp (modified) (26 diffs)
• xml/XMLHttpRequest.h (modified) (4 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-08-14  Aaron Boodman  <aa@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        BUG 28134: Move the remaining parts of Access Control from XMLHttpRequest to ThreadableDocumentLoader.
+        https://bugs.webkit.org/show_bug.cgi?id=28134
+
+        No new tests added since Access Control was already well tested and this is a pure refactor.
+
+        * loader/DocumentThreadableLoader.cpp: Move a lot of the access control code from XHR in, preserving its
+        basic strategy. Also, modify the synchronous path to not be a special case, but reuse more of the async
+        path.
+
+        (WebCore::DocumentThreadableLoader::loadResourceSynchronously): Go through the async path and pass additional flags.
+        (WebCore::DocumentThreadableLoader::create): Group enum params into an options struct.
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Brought mostly from XHR.
+        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight): Ditto.
+        (WebCore::DocumentThreadableLoader::willSendRequest): Handle preflight case.
+        (WebCore::DocumentThreadableLoader::didReceiveResponse): Ditto.
+        (WebCore::DocumentThreadableLoader::didFinishLoading): Ditto.
+        (WebCore::DocumentThreadableLoader::getShouldUseCredentialStorage): Ditto.
+        (WebCore::DocumentThreadableLoader::preflightSuccess): Preflight handling.
+        (WebCore::DocumentThreadableLoader::preflightFailure): Ditto.
+        (WebCore::DocumentThreadableLoader::loadRequest): Common request function that handles async/sync.
+        * loader/DocumentThreadableLoader.h: Group enum params into an options struct.
+        * loader/ThreadableLoader.cpp: Ditto.
+        (WebCore::ThreadableLoader::create): Ditto.
+        (WebCore::ThreadableLoader::loadResourceSynchronously): Ditto.
+        * loader/ThreadableLoader.h: Ditto.
+        (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Ditto.
+        * loader/WorkerThreadableLoader.cpp: Ditto.
+        (WebCore::WorkerThreadableLoader::WorkerThreadableLoader):Ditto.
+        (WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
+        (WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Ditto.
+        (WebCore::WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader): Ditto.
+        * loader/WorkerThreadableLoader.h: Ditto.
+        (WebCore::WorkerThreadableLoader::create): Ditto.
+        * platform/CrossThreadCopier.h: Allow ThreadableLoaderOptions to be copied across threads.
+        (WebCore::):
+        * workers/WorkerScriptLoader.cpp: More enum->struct grouping.
+        (WebCore::WorkerScriptLoader::loadSynchronously): More enum->struct grouping.
+        (WebCore::WorkerScriptLoader::loadAsynchronously): More enum->struct grouping.
+        * xml/XMLHttpRequest.cpp: Remove all the access control code and some supporting state.
+        (WebCore::XMLHttpRequest::XMLHttpRequest): Ditto.
+        (WebCore::XMLHttpRequest::createRequest): Ditto.
+        (WebCore::XMLHttpRequest::didFinishLoading): Ditto.
+        (WebCore::XMLHttpRequest::didReceiveResponse): Ditto.
+        (WebCore::XMLHttpRequest::didReceiveData): Ditto.
+        * xml/XMLHttpRequest.h: Ditto.
+
 2009-08-14  Darin Adler  <darin@apple.com>
 

trunk/WebCore/loader/DocumentThreadableLoader.cpp

@@ -33 +33 @@
 
 #include "AuthenticationChallenge.h"
+#include "CrossOriginAccessControl.h"
+#include "CrossOriginPreflightResultCache.h"
 #include "Document.h"
-#include "DocumentThreadableLoader.h"
 #include "Frame.h"
 #include "FrameLoader.h"
@@ -44 +45 @@
 namespace WebCore {
 
-void DocumentThreadableLoader::loadResourceSynchronously(Document* document, const ResourceRequest& request, ThreadableLoaderClient& client, StoredCredentials storedCredentials)
-{
-    bool sameOriginRequest = document->securityOrigin()->canRequest(request.url());
-
-    Vector<char> data;
-    ResourceError error;
-    ResourceResponse response;
-    unsigned long identifier = std::numeric_limits<unsigned long>::max();
-    if (document->frame())
-        identifier = document->frame()->loader()->loadResourceSynchronously(request, storedCredentials, error, response, data);
-
-    // No exception for file:/// resources, see <rdar://problem/4962298>.
-    // Also, if we have an HTTP response, then it wasn't a network error in fact.
-    if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
-        client.didFail(error);
-        return;
-    }
-
-    // FIXME: This check along with the one in willSendRequest is specific to xhr and
-    // should be made more generic.
-    if (sameOriginRequest && !document->securityOrigin()->canRequest(response.url())) {
-        client.didFailRedirectCheck();
-        return;
-    }
-
-    client.didReceiveResponse(response);
-
-    const char* bytes = static_cast<const char*>(data.data());
-    int len = static_cast<int>(data.size());
-    client.didReceiveData(bytes, len);
-
-    client.didFinishLoading(identifier);
-}
-
-PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document* document, ThreadableLoaderClient* client, const ResourceRequest& request, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
-{
-    ASSERT(document);
-    RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy));
+void DocumentThreadableLoader::loadResourceSynchronously(Document* document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
+{
+    // The loader will be deleted as soon as this function exits.
+    RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, &client, LoadSynchronously, request, options));
+    ASSERT(loader->hasOneRef());
+}
+
+PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document* document, ThreadableLoaderClient* client, const ResourceRequest& request, const ThreadableLoaderOptions& options)
+{
+    RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options));
     if (!loader->m_loader)
         loader = 0;
@@ -87 +60 @@
 }
 
-DocumentThreadableLoader::DocumentThreadableLoader(Document* document, ThreadableLoaderClient* client, const ResourceRequest& request, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+DocumentThreadableLoader::DocumentThreadableLoader(Document* document, ThreadableLoaderClient* client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options)
     : m_client(client)
     , m_document(document)
-    , m_allowStoredCredentials(storedCredentials == AllowStoredCredentials)
+    , m_options(options)
     , m_sameOriginRequest(document->securityOrigin()->canRequest(request.url()))
-    , m_denyCrossOriginRedirect(crossOriginRedirectPolicy == DenyCrossOriginRedirect)
+    , m_async(blockingBehavior == LoadAsynchronously)
 {
     ASSERT(document);
     ASSERT(client);
-    ASSERT(storedCredentials == AllowStoredCredentials || storedCredentials == DoNotAllowStoredCredentials);
-    ASSERT(crossOriginRedirectPolicy == DenyCrossOriginRedirect || crossOriginRedirectPolicy == AllowCrossOriginRedirect);
-    m_loader = SubresourceLoader::create(document->frame(), this, request, false, callbacksSetting == SendLoadCallbacks, contentSniff == SniffContent);
+
+    if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
+        bool skipCanLoadCheck = false;
+        loadRequest(request, skipCanLoadCheck);
+        return;
+    }
+
+    if (m_options.crossOriginRequestPolicy == DenyCrossOriginRequests) {
+        m_client->didFail(ResourceError());
+        return;
+    }
+    
+    ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
+
+    if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()))
+        makeSimpleCrossOriginAccessRequest(request);
+    else {
+        m_actualRequest.set(new ResourceRequest(request));
+        m_actualRequest->setAllowHTTPCookies(m_options.allowCredentials);
+
+        if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields()))
+            preflightSuccess();
+        else
+            makeCrossOriginAccessRequestWithPreflight(request);
+    }
+}
+
+void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const ResourceRequest& request)
+{
+    ASSERT(isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()));
+
+    // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
+    if (!request.url().protocolInHTTPFamily()) {
+        m_client->didFail(ResourceError());
+        return;
+    }
+
+    // Make a copy of the passed request so that we can modify some details.
+    ResourceRequest crossOriginRequest(request);
+    crossOriginRequest.removeCredentials();
+    crossOriginRequest.setAllowHTTPCookies(m_options.allowCredentials);
+    crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
+
+    bool skipCanLoadCheck = false;
+    loadRequest(crossOriginRequest, skipCanLoadCheck);
+}
+
+void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
+{
+    ResourceRequest preflightRequest(request.url());
+    preflightRequest.removeCredentials();
+    preflightRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
+    preflightRequest.setAllowHTTPCookies(m_options.allowCredentials);
+    preflightRequest.setHTTPMethod("OPTIONS");
+    preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
+
+    const HTTPHeaderMap& requestHeaderFields = request.httpHeaderFields();
+
+    if (requestHeaderFields.size() > 0) {
+        Vector<UChar> headerBuffer;
+        HTTPHeaderMap::const_iterator it = requestHeaderFields.begin();
+        append(headerBuffer, it->first);
+        ++it;
+
+        HTTPHeaderMap::const_iterator end = requestHeaderFields.end();
+        for (; it != end; ++it) {
+            headerBuffer.append(',');
+            headerBuffer.append(' ');
+            append(headerBuffer, it->first);
+        }
+
+        preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
+        preflightRequest.addHTTPHeaderFields(requestHeaderFields);
+    }
+
+    bool skipCanLoadCheck = false;
+    loadRequest(preflightRequest, skipCanLoadCheck);
 }
 
@@ -124 +171 @@
 
     // FIXME: This needs to be fixed to follow the redirect correctly even for cross-domain requests.
-    if (m_denyCrossOriginRedirect && !m_document->securityOrigin()->canRequest(request.url())) {
+    if (m_options.crossOriginRedirectPolicy == DenyCrossOriginRedirect && !m_document->securityOrigin()->canRequest(request.url())) {
         RefPtr<DocumentThreadableLoader> protect(this);
         m_client->didFailRedirectCheck();
@@ -144 +191 @@
     ASSERT_UNUSED(loader, loader == m_loader);
 
-    m_client->didReceiveResponse(response);
+    if (m_actualRequest) {
+        if (!passesAccessControlCheck(response, m_options.allowCredentials, m_document->securityOrigin())) {
+            preflightFailure();
+            return;
+        }
+
+        OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult(new CrossOriginPreflightResultCacheItem(m_options.allowCredentials));
+        if (!preflightResult->parse(response)
+            || !preflightResult->allowsCrossOriginMethod(m_actualRequest->httpMethod())
+            || !preflightResult->allowsCrossOriginHeaders(m_actualRequest->httpHeaderFields())) {
+            preflightFailure();
+            return;
+        }
+
+        CrossOriginPreflightResultCache::shared().appendEntry(m_document->securityOrigin()->toString(), m_actualRequest->url(), preflightResult.release());
+    } else {
+        if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
+            if (!passesAccessControlCheck(response, m_options.allowCredentials, m_document->securityOrigin())) {
+                m_client->didFail(ResourceError());
+                return;
+            }
+        }
+
+        m_client->didReceiveResponse(response);
+    }
 }
 
@@ -159 +230 @@
     ASSERT(loader == m_loader);
     ASSERT(m_client);
-    m_client->didFinishLoading(loader->identifier());
+    didFinishLoading(loader->identifier());
+}
+
+void DocumentThreadableLoader::didFinishLoading(unsigned long identifier)
+{
+    if (m_actualRequest) {
+        ASSERT(!m_sameOriginRequest);
+        ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
+        preflightSuccess();
+    } else
+        m_client->didFinishLoading(identifier);
 }
 
@@ -175 +256 @@
     ASSERT_UNUSED(loader, loader == m_loader);
 
-    if (!m_allowStoredCredentials) {
+    if (!m_options.allowCredentials) {
         shouldUseCredentialStorage = false;
         return true;
@@ -201 +282 @@
 }
 
+void DocumentThreadableLoader::preflightSuccess()
+{
+    OwnPtr<ResourceRequest> actualRequest;
+    actualRequest.swap(m_actualRequest);
+
+    bool skipCanLoadCheck = true;  // ok to skip load check since we already asked about the preflight request
+    loadRequest(*actualRequest, skipCanLoadCheck);
+}
+
+void DocumentThreadableLoader::preflightFailure()
+{
+    m_client->didFail(ResourceError());
+}
+
+void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, bool skipCanLoadCheck)
+{
+    if (m_async) {
+        // Don't sniff content or send load callbacks for the preflight request.
+        bool sendLoadCallbacks = m_options.sendLoadCallbacks && !m_actualRequest;
+        bool sniffContent = m_options.sniffContent && !m_actualRequest;
+        m_loader = SubresourceLoader::create(m_document->frame(), this, request, skipCanLoadCheck, sendLoadCallbacks, sniffContent);
+        return;
+    }
+    
+    // FIXME: ThreadableLoaderOptions.sniffContent is not supported for synchronous requests.
+    StoredCredentials storedCredentials = m_options.allowCredentials ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+
+    Vector<char> data;
+    ResourceError error;
+    ResourceResponse response;
+    unsigned long identifier = std::numeric_limits<unsigned long>::max();
+    if (m_document->frame())
+        identifier = m_document->frame()->loader()->loadResourceSynchronously(request, storedCredentials, error, response, data);
+
+    // No exception for file:/// resources, see <rdar://problem/4962298>.
+    // Also, if we have an HTTP response, then it wasn't a network error in fact.
+    if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
+        m_client->didFail(error);
+        return;
+    }
+
+    // FIXME: This check along with the one in willSendRequest is specific to xhr and
+    // should be made more generic.
+    if (m_sameOriginRequest && !m_document->securityOrigin()->canRequest(response.url())) {
+        m_client->didFailRedirectCheck();
+        return;
+    }
+
+    didReceiveResponse(0, response);
+
+    const char* bytes = static_cast<const char*>(data.data());
+    int len = static_cast<int>(data.size());
+    didReceiveData(0, bytes, len);
+
+    didFinishLoading(identifier);
+}
+
 } // namespace WebCore

trunk/WebCore/loader/DocumentThreadableLoader.h

@@ -34 +34 @@
 #include "SubresourceLoaderClient.h"
 #include "ThreadableLoader.h"
+#include <wtf/OwnPtr.h>
 #include <wtf/PassRefPtr.h>
 #include <wtf/RefCounted.h>
@@ -45 +46 @@
     class DocumentThreadableLoader : public RefCounted<DocumentThreadableLoader>, public ThreadableLoader, private SubresourceLoaderClient  {
     public:
-        static void loadResourceSynchronously(Document*, const ResourceRequest&, ThreadableLoaderClient&, StoredCredentials);
-        static PassRefPtr<DocumentThreadableLoader> create(Document*, ThreadableLoaderClient*, const ResourceRequest&, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+        static void loadResourceSynchronously(Document*, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
+        static PassRefPtr<DocumentThreadableLoader> create(Document*, ThreadableLoaderClient*, const ResourceRequest&, const ThreadableLoaderOptions&);
         virtual ~DocumentThreadableLoader();
 
@@ -59 +60 @@
 
     private:
-        DocumentThreadableLoader(Document*, ThreadableLoaderClient*, const ResourceRequest&, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+        enum BlockingBehavior {
+            LoadSynchronously,
+            LoadAsynchronously
+        };
+
+        DocumentThreadableLoader(Document*, ThreadableLoaderClient*, BlockingBehavior blockingBehavior, const ResourceRequest&, const ThreadableLoaderOptions& options);
+
         virtual void willSendRequest(SubresourceLoader*, ResourceRequest&, const ResourceResponse& redirectResponse);
         virtual void didSendData(SubresourceLoader*, unsigned long long bytesSent, unsigned long long totalBytesToBeSent);
@@ -72 +79 @@
         virtual void receivedCancellation(SubresourceLoader*, const AuthenticationChallenge&);
 
+        void didFinishLoading(unsigned long identifier);
+        void makeSimpleCrossOriginAccessRequest(const ResourceRequest& request);
+        void makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request);
+        void preflightSuccess();
+        void preflightFailure();
+
+        void loadRequest(const ResourceRequest&, bool skipCanLoadCheck);
+
         RefPtr<SubresourceLoader> m_loader;
         ThreadableLoaderClient* m_client;
         Document* m_document;
-        bool m_allowStoredCredentials;
+        ThreadableLoaderOptions m_options;
         bool m_sameOriginRequest;
-        bool m_denyCrossOriginRedirect;
+        bool m_async;
+        OwnPtr<ResourceRequest> m_actualRequest;  // non-null during Access Control preflight checks
     };
 

trunk/WebCore/loader/ThreadableLoader.cpp

@@ -41 +41 @@
 namespace WebCore {
 
-PassRefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext* context, ThreadableLoaderClient* client, const ResourceRequest& request, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy) 
+PassRefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext* context, ThreadableLoaderClient* client, const ResourceRequest& request, const ThreadableLoaderOptions& options) 
 {
     ASSERT(client);
@@ -48 +48 @@
 #if ENABLE(WORKERS)
     if (context->isWorkerContext())
-        return WorkerThreadableLoader::create(static_cast<WorkerContext*>(context), client, WorkerRunLoop::defaultMode(), request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy);
+        return WorkerThreadableLoader::create(static_cast<WorkerContext*>(context), client, WorkerRunLoop::defaultMode(), request, options);
 #endif // ENABLE(WORKERS)
 
     ASSERT(context->isDocument());
-    return DocumentThreadableLoader::create(static_cast<Document*>(context), client, request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy);
+    return DocumentThreadableLoader::create(static_cast<Document*>(context), client, request, options);
 }
 
-void ThreadableLoader::loadResourceSynchronously(ScriptExecutionContext* context, const ResourceRequest& request, ThreadableLoaderClient& client, StoredCredentials storedCredentials)
+void ThreadableLoader::loadResourceSynchronously(ScriptExecutionContext* context, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
 {
     ASSERT(context);
@@ -61 +61 @@
 #if ENABLE(WORKERS)
     if (context->isWorkerContext()) {
-        WorkerThreadableLoader::loadResourceSynchronously(static_cast<WorkerContext*>(context), request, client, storedCredentials, DenyCrossOriginRedirect);
+        WorkerThreadableLoader::loadResourceSynchronously(static_cast<WorkerContext*>(context), request, client, options);
         return;
     }
@@ -67 +67 @@
 
     ASSERT(context->isDocument());
-    DocumentThreadableLoader::loadResourceSynchronously(static_cast<Document*>(context), request, client, storedCredentials);
+    DocumentThreadableLoader::loadResourceSynchronously(static_cast<Document*>(context), request, client, options);
 }
 

trunk/WebCore/loader/ThreadableLoader.h

@@ -44 +44 @@
     class ThreadableLoaderClient;
 
-    enum LoadCallbacks {
-        SendLoadCallbacks,
-        DoNotSendLoadCallbacks
-    };
-
-    enum ContentSniff {
-        SniffContent,
-        DoNotSniffContent
-    };
-
     enum StoredCredentials {
         AllowStoredCredentials,
         DoNotAllowStoredCredentials
     };
-
+    
+    enum CrossOriginRequestPolicy {
+        DenyCrossOriginRequests,
+        UseAccessControl,
+        AllowCrossOriginRequests
+    };
+    
     enum CrossOriginRedirectPolicy {
         DenyCrossOriginRedirect,
         AllowCrossOriginRedirect
+    };
+    
+    struct ThreadableLoaderOptions {
+        ThreadableLoaderOptions() : sendLoadCallbacks(false), sniffContent(false), allowCredentials(false), forcePreflight(false), crossOriginRequestPolicy(DenyCrossOriginRequests), crossOriginRedirectPolicy(AllowCrossOriginRedirect) { }
+        bool sendLoadCallbacks;
+        bool sniffContent;
+        bool allowCredentials;  // Whether HTTP credentials and cookies are sent with the request.
+        bool forcePreflight;  // If AccessControl is used, whether to force a preflight.
+        CrossOriginRequestPolicy crossOriginRequestPolicy;
+        CrossOriginRedirectPolicy crossOriginRedirectPolicy;
     };
 
@@ -68 +74 @@
     class ThreadableLoader : public Noncopyable {
     public:
-        static void loadResourceSynchronously(ScriptExecutionContext*, const ResourceRequest&, ThreadableLoaderClient&, StoredCredentials);
-        static PassRefPtr<ThreadableLoader> create(ScriptExecutionContext*, ThreadableLoaderClient*, const ResourceRequest&, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+        static void loadResourceSynchronously(ScriptExecutionContext*, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
+        static PassRefPtr<ThreadableLoader> create(ScriptExecutionContext*, ThreadableLoaderClient*, const ResourceRequest&, const ThreadableLoaderOptions&);
 
         virtual void cancel() = 0;

trunk/WebCore/loader/WorkerThreadableLoader.cpp

@@ -54 +54 @@
 static const char loadResourceSynchronouslyMode[] = "loadResourceSynchronouslyMode";
 
-WorkerThreadableLoader::WorkerThreadableLoader(WorkerContext* workerContext, ThreadableLoaderClient* client, const String& taskMode, const ResourceRequest& request, LoadCallbacks callbacksSetting,
-                                               ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+WorkerThreadableLoader::WorkerThreadableLoader(WorkerContext* workerContext, ThreadableLoaderClient* client, const String& taskMode, const ResourceRequest& request, const ThreadableLoaderOptions& options)
     : m_workerContext(workerContext)
     , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client))
-    , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, m_workerContext->thread()->workerLoaderProxy(), taskMode, request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy)))
+    , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, m_workerContext->thread()->workerLoaderProxy(), taskMode, request, options)))
 {
 }
@@ -67 +66 @@
 }
 
-void WorkerThreadableLoader::loadResourceSynchronously(WorkerContext* workerContext, const ResourceRequest& request, ThreadableLoaderClient& client, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+void WorkerThreadableLoader::loadResourceSynchronously(WorkerContext* workerContext, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
 {
     WorkerRunLoop& runLoop = workerContext->thread()->runLoop();
@@ -75 +74 @@
     mode.append(String::number(runLoop.createUniqueId()));
 
-    ContentSniff contentSniff = request.url().isLocalFile() ? SniffContent : DoNotSniffContent;
-    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerContext, &client, mode, request, DoNotSendLoadCallbacks, contentSniff, storedCredentials, crossOriginRedirectPolicy);
-
+    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerContext, &client, mode, request, options);
     MessageQueueWaitResult result = MessageQueueMessageReceived;
     while (!loader->done() && result != MessageQueueTerminated)
@@ -92 +89 @@
 
 WorkerThreadableLoader::MainThreadBridge::MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper> workerClientWrapper, WorkerLoaderProxy& loaderProxy, const String& taskMode,
-                                                           const ResourceRequest& request, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials,
-                                                           CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+                                                           const ResourceRequest& request, const ThreadableLoaderOptions& options)
     : m_workerClientWrapper(workerClientWrapper)
     , m_loaderProxy(loaderProxy)
@@ -99 +95 @@
 {
     ASSERT(m_workerClientWrapper.get());
-    m_loaderProxy.postTaskToLoader(createCallbackTask(&MainThreadBridge::mainThreadCreateLoader, this, request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy));
+    m_loaderProxy.postTaskToLoader(createCallbackTask(&MainThreadBridge::mainThreadCreateLoader, this, request, options));
 }
 
@@ -106 +102 @@
 }
 
-void WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader(ScriptExecutionContext* context, MainThreadBridge* thisPtr, auto_ptr<CrossThreadResourceRequestData> requestData, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+void WorkerThreadableLoader::MainThreadBridge::mainThreadCreateLoader(ScriptExecutionContext* context, MainThreadBridge* thisPtr, auto_ptr<CrossThreadResourceRequestData> requestData, ThreadableLoaderOptions options)
 {
     ASSERT(isMainThread());
@@ -118 +114 @@
     // will return a 0 value.  Either this should return 0 or the other code path should do a callback with
     // a failure.
-    thisPtr->m_mainThreadLoader = ThreadableLoader::create(context, thisPtr, *request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy);
+    thisPtr->m_mainThreadLoader = ThreadableLoader::create(context, thisPtr, *request, options);
     ASSERT(thisPtr->m_mainThreadLoader);
 }

trunk/WebCore/loader/WorkerThreadableLoader.h

@@ -56 +56 @@
     class WorkerThreadableLoader : public RefCounted<WorkerThreadableLoader>, public ThreadableLoader {
     public:
-        static void loadResourceSynchronously(WorkerContext*, const ResourceRequest&, ThreadableLoaderClient&, StoredCredentials, CrossOriginRedirectPolicy);
-        static PassRefPtr<WorkerThreadableLoader> create(WorkerContext* workerContext, ThreadableLoaderClient* client, const String& taskMode, const ResourceRequest& request, LoadCallbacks callbacksSetting, ContentSniff contentSniff, StoredCredentials storedCredentials, CrossOriginRedirectPolicy crossOriginRedirectPolicy)
+        static void loadResourceSynchronously(WorkerContext*, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
+        static PassRefPtr<WorkerThreadableLoader> create(WorkerContext* workerContext, ThreadableLoaderClient* client, const String& taskMode, const ResourceRequest& request, const ThreadableLoaderOptions& options)
         {
-            return adoptRef(new WorkerThreadableLoader(workerContext, client, taskMode, request, callbacksSetting, contentSniff, storedCredentials, crossOriginRedirectPolicy));
+            return adoptRef(new WorkerThreadableLoader(workerContext, client, taskMode, request, options));
         }
 
@@ -98 +98 @@
         public:
             // All executed on the worker context's thread.
-            MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+            MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&);
             void cancel();
             void destroy();
@@ -110 +110 @@
             ~MainThreadBridge();
 
-            static void mainThreadCreateLoader(ScriptExecutionContext*, MainThreadBridge*, std::auto_ptr<CrossThreadResourceRequestData>, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+            static void mainThreadCreateLoader(ScriptExecutionContext*, MainThreadBridge*, std::auto_ptr<CrossThreadResourceRequestData>, ThreadableLoaderOptions);
             static void mainThreadCancel(ScriptExecutionContext*, MainThreadBridge*);
             virtual void didSendData(unsigned long long bytesSent, unsigned long long totalBytesToBeSent);
@@ -134 +134 @@
         };
 
-        WorkerThreadableLoader(WorkerContext*, ThreadableLoaderClient*, const String& taskMode, const ResourceRequest&, LoadCallbacks, ContentSniff, StoredCredentials, CrossOriginRedirectPolicy);
+        WorkerThreadableLoader(WorkerContext*, ThreadableLoaderClient*, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&);
 
         RefPtr<WorkerContext> m_workerContext;

trunk/WebCore/platform/CrossThreadCopier.h

@@ -47 +47 @@
     struct CrossThreadResourceResponseData;
     struct CrossThreadResourceRequestData;
+    struct ThreadableLoaderOptions;
 
     template<typename T> struct CrossThreadCopierPassThrough {
@@ -64 +65 @@
     // Pointers get passed through without any significant changes.
     template<typename T> struct CrossThreadCopierBase<false, T*> : public CrossThreadCopierPassThrough<T*> {
+    };
+
+    template<> struct CrossThreadCopierBase<false, ThreadableLoaderOptions> : public CrossThreadCopierPassThrough<ThreadableLoaderOptions> {
     };
 

trunk/WebCore/workers/WorkerScriptLoader.cpp

@@ -60 +60 @@
 
     ASSERT(scriptExecutionContext->isWorkerContext());
-    WorkerThreadableLoader::loadResourceSynchronously(static_cast<WorkerContext*>(scriptExecutionContext), *request, *this, AllowStoredCredentials, crossOriginRedirectPolicy);
+
+    ThreadableLoaderOptions options;
+    options.allowCredentials = true;
+    options.crossOriginRequestPolicy = AllowCrossOriginRequests;
+    options.crossOriginRedirectPolicy = crossOriginRedirectPolicy;
+
+    WorkerThreadableLoader::loadResourceSynchronously(static_cast<WorkerContext*>(scriptExecutionContext), *request, *this, options);
 }
     
@@ -73 +79 @@
         return;
 
-    m_threadableLoader = ThreadableLoader::create(scriptExecutionContext, this, *request, DoNotSendLoadCallbacks, DoNotSniffContent, AllowStoredCredentials, crossOriginRedirectPolicy);
+    ThreadableLoaderOptions options;
+    options.allowCredentials = true;
+    options.crossOriginRequestPolicy = AllowCrossOriginRequests;
+    options.crossOriginRedirectPolicy = crossOriginRedirectPolicy;
+
+    m_threadableLoader = ThreadableLoader::create(scriptExecutionContext, this, *request, options);
 }
 

trunk/WebCore/xml/XMLHttpRequest.cpp

@@ -26 +26 @@
 #include "CString.h"
 #include "CrossOriginAccessControl.h"
-#include "CrossOriginPreflightResultCache.h"
 #include "DOMImplementation.h"
 #include "Document.h"
@@ -94 +93 @@
     for (unsigned i = 0; i < length; i++) {
         UChar c = name[i];
-        
+
         if (c >= 127 || c <= 32)
             return false;
-        
+
         if (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
             c == ',' || c == ';' || c == ':' || c == '\\' || c == '\"' ||
@@ -104 +103 @@
             return false;
     }
-    
+
     return true;
 }
-    
+
 static bool isValidHeaderValue(const String& name)
 {
-    // FIXME: This should really match name against 
+    // FIXME: This should really match name against
     // field-value in section 4.2 of RFC 2616.
-        
+
     return !name.contains('\r') && !name.contains('\n');
 }
@@ -144 +143 @@
     , m_createdDocument(false)
     , m_error(false)
+    , m_uploadEventsAllowed(true)
     , m_uploadComplete(false)
     , m_sameOriginRequest(true)
-    , m_inPreflight(false)
     , m_didTellLoaderAboutRequest(false)
     , m_receivedLength(0)
@@ -208 +207 @@
             m_responseXML->finishParsing();
             m_responseXML->close();
-            
+
             if (!m_responseXML->wellFormed())
                 m_responseXML = 0;
@@ -237 +236 @@
             if (*listenerIter == eventListener)
                 return;
-        
+
         listeners.append(eventListener);
         m_eventListeners.add(eventType, listeners);
@@ -323 +322 @@
         return;
     }
-    
+
     // Method names are case sensitive. But since Firefox uppercases method names it knows, we'll do the same.
     String methodUpper(method.upper());
-    
+
     if (methodUpper == "TRACE" || methodUpper == "TRACK" || methodUpper == "CONNECT") {
         ec = SECURITY_ERR;
@@ -336 +335 @@
     if (methodUpper == "COPY" || methodUpper == "DELETE" || methodUpper == "GET" || methodUpper == "HEAD"
         || methodUpper == "INDEX" || methodUpper == "LOCK" || methodUpper == "M-POST" || methodUpper == "MKCOL" || methodUpper == "MOVE"
-        || methodUpper == "OPTIONS" || methodUpper == "POST" || methodUpper == "PROPFIND" || methodUpper == "PROPPATCH" || methodUpper == "PUT" 
+        || methodUpper == "OPTIONS" || methodUpper == "POST" || methodUpper == "PROPFIND" || methodUpper == "PROPPATCH" || methodUpper == "PUT"
         || methodUpper == "UNLOCK")
         m_method = methodUpper;
@@ -358 +357 @@
     KURL urlWithCredentials(url);
     urlWithCredentials.setUser(user);
-    
+
     open(method, urlWithCredentials, async, ec);
 }
@@ -367 +366 @@
     urlWithCredentials.setUser(user);
     urlWithCredentials.setPass(password);
-    
+
     open(method, urlWithCredentials, async, ec);
 }
@@ -464 +463 @@
 void XMLHttpRequest::createRequest(ExceptionCode& ec)
 {
-    // Upload event listeners should be disallowed for simple cross-origin requests, because POSTing to an URL that does not
-    // permit cross origin requests should look exactly like POSTing to an URL that does not respond at all. If a listener exists
-    // when creating the request, it will force preflight.
+    // The presence of upload event listeners forces us to use preflighting because POSTing to an URL that does not
+    // permit cross origin requests should look exactly like POSTing to an URL that does not respond at all.
     // Also, only async requests support upload progress events.
-    m_uploadEventsAllowed = false;
+    bool forcePreflight = false;
     if (m_async) {
         dispatchLoadStartEvent();
         if (m_requestEntityBody && m_upload) {
-            m_uploadEventsAllowed = m_upload->hasListeners();
+            forcePreflight = m_upload->hasListeners();
             m_upload->dispatchLoadStartEvent();
         }
@@ -479 +477 @@
     m_sameOriginRequest = scriptExecutionContext()->securityOrigin()->canRequest(m_url);
 
-    if (!m_sameOriginRequest) {
-        makeCrossOriginAccessRequest(ec);
-        return;
-    }
-
-    m_uploadEventsAllowed = true;
-
-    makeSameOriginRequest(ec);
-}
-
-void XMLHttpRequest::makeSameOriginRequest(ExceptionCode& ec)
-{
-    ASSERT(m_sameOriginRequest);
+    // We also remember whether upload events should be allowed for this request in case the upload listeners are
+    // added after the request is started.
+    m_uploadEventsAllowed = !isSimpleCrossOriginAccessRequest(m_method, m_requestHeaders);
 
     ResourceRequest request(m_url);
@@ -505 +493 @@
         request.addHTTPHeaderFields(m_requestHeaders);
 
-    if (m_async)
-        loadRequestAsynchronously(request);
-    else
-        loadRequestSynchronously(request, ec);
-}
-
-void XMLHttpRequest::makeCrossOriginAccessRequest(ExceptionCode& ec)
-{
-    ASSERT(!m_sameOriginRequest);
-
-    if (!m_uploadEventsAllowed && isSimpleCrossOriginAccessRequest(m_method, m_requestHeaders))
-        makeSimpleCrossOriginAccessRequest(ec);
-    else
-        makeCrossOriginAccessRequestWithPreflight(ec);
-}
-
-void XMLHttpRequest::makeSimpleCrossOriginAccessRequest(ExceptionCode& ec)
-{
-    ASSERT(isSimpleCrossOriginAccessRequest(m_method, m_requestHeaders));
-
-    // Cross-origin requests are only defined for HTTP. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
-    if (!m_url.protocolInHTTPFamily()) {
-        ec = XMLHttpRequestException::NETWORK_ERR;
-        networkError();
-        return;
-    }
-
-    KURL url = m_url;
-    url.setUser(String());
-    url.setPass(String());
-
-    ResourceRequest request(url);
-    request.setHTTPMethod(m_method);
-    request.setAllowHTTPCookies(m_includeCredentials);
-    request.setHTTPOrigin(scriptExecutionContext()->securityOrigin()->toString());
-
-    if (m_requestHeaders.size() > 0)
-        request.addHTTPHeaderFields(m_requestHeaders);
-
-    if (m_requestEntityBody) {
-        ASSERT(m_method != "GET");
-        ASSERT(m_method != "HEAD");
-        request.setHTTPBody(m_requestEntityBody.release());
-    }
-
-    if (m_async)
-        loadRequestAsynchronously(request);
-    else
-        loadRequestSynchronously(request, ec);
-}
-
-void XMLHttpRequest::makeCrossOriginAccessRequestWithPreflight(ExceptionCode& ec)
-{
-    String origin = scriptExecutionContext()->securityOrigin()->toString();
-    KURL url = m_url;
-    url.setUser(String());
-    url.setPass(String());
-
-    if (!CrossOriginPreflightResultCache::shared().canSkipPreflight(origin, url, m_includeCredentials, m_method, m_requestHeaders)) {
-        m_inPreflight = true;
-        ResourceRequest preflightRequest(url);
-        preflightRequest.setHTTPMethod("OPTIONS");
-        preflightRequest.setHTTPHeaderField("Origin", origin);
-        preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", m_method);
-
-        if (m_requestHeaders.size() > 0) {
-            Vector<UChar> headerBuffer;
-            HTTPHeaderMap::const_iterator it = m_requestHeaders.begin();
-            append(headerBuffer, it->first);
-            ++it;
-
-            HTTPHeaderMap::const_iterator end = m_requestHeaders.end();
-            for (; it != end; ++it) {
-                headerBuffer.append(',');
-                headerBuffer.append(' ');
-                append(headerBuffer, it->first);
-            }
-
-            preflightRequest.setHTTPHeaderField("Access-Control-Request-Headers", String::adopt(headerBuffer));
-            preflightRequest.addHTTPHeaderFields(m_requestHeaders);
-        }
-
-        if (m_async) {
-            m_uploadEventsAllowed = true;
-            loadRequestAsynchronously(preflightRequest);
-            return;
-        }
-
-        loadRequestSynchronously(preflightRequest, ec);
-        m_inPreflight = false;
-
-        if (ec)
-            return;
-    }
-
-    // Send the actual request.
-    ResourceRequest request(url);
-    request.setHTTPMethod(m_method);
-    request.setAllowHTTPCookies(m_includeCredentials);
-    request.setHTTPHeaderField("Origin", origin);
-
-    if (m_requestHeaders.size() > 0)
-        request.addHTTPHeaderFields(m_requestHeaders);
-
-    if (m_requestEntityBody) {
-        ASSERT(m_method != "GET");
-        ASSERT(m_method != "HEAD");
-        request.setHTTPBody(m_requestEntityBody.release());
-    }
+    ThreadableLoaderOptions options;
+    options.sendLoadCallbacks = true;
+    options.sniffContent = false;
+    options.forcePreflight = forcePreflight;
+    options.allowCredentials = m_sameOriginRequest || m_includeCredentials;
+    options.crossOriginRequestPolicy = UseAccessControl;
+    options.crossOriginRedirectPolicy = DenyCrossOriginRedirect;
+
+    m_exceptionCode = 0;
+    m_error = false;
 
     if (m_async) {
-        m_uploadEventsAllowed = true;
-        loadRequestAsynchronously(request);
-        return;
-    }
-
-    loadRequestSynchronously(request, ec);
-}
-
-void XMLHttpRequest::handleAsynchronousPreflightResult()
-{
-    ASSERT(m_inPreflight);
-    ASSERT(m_async);
-
-    m_inPreflight = false;
-
-    KURL url = m_url;
-    url.setUser(String());
-    url.setPass(String());
-
-    ResourceRequest request(url);
-    request.setHTTPMethod(m_method);
-    request.setAllowHTTPCookies(m_includeCredentials);
-    request.setHTTPOrigin(scriptExecutionContext()->securityOrigin()->toString());
-
-    if (m_requestHeaders.size() > 0)
-        request.addHTTPHeaderFields(m_requestHeaders);
-
-    if (m_requestEntityBody) {
-        ASSERT(m_method != "GET");
-        ASSERT(m_method != "HEAD");
-        request.setHTTPBody(m_requestEntityBody.release());
-    }
-
-    m_uploadEventsAllowed = true;
-    loadRequestAsynchronously(request);
-}
-
-void XMLHttpRequest::loadRequestSynchronously(ResourceRequest& request, ExceptionCode& ec)
-{
-    ASSERT(!m_async);
-
-    m_loader = 0;
-    m_exceptionCode = 0;
-    StoredCredentials storedCredentials = (m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
-
-    ThreadableLoader::loadResourceSynchronously(scriptExecutionContext(), request, *this, storedCredentials);
+        request.setReportUploadProgress(true);
+        setPendingActivity(this);
+        m_loader = ThreadableLoader::create(scriptExecutionContext(), this, request, options);
+    } else
+        ThreadableLoader::loadResourceSynchronously(scriptExecutionContext(), request, *this, options);
+
     if (!m_exceptionCode && m_error)
         m_exceptionCode = XMLHttpRequestException::NETWORK_ERR;
@@ -667 +516 @@
 }
 
-void XMLHttpRequest::loadRequestAsynchronously(ResourceRequest& request)
-{
-    ASSERT(m_async);
-    m_exceptionCode = 0;
-    // SubresourceLoader::create can return null here, for example if we're no longer attached to a page.
-    // This is true while running onunload handlers.
-    // FIXME: We need to be able to send XMLHttpRequests from onunload, <http://bugs.webkit.org/show_bug.cgi?id=10904>.
-    // FIXME: Maybe create can return null for other reasons too?
-    LoadCallbacks callbacks = m_inPreflight ? DoNotSendLoadCallbacks : SendLoadCallbacks;
-    StoredCredentials storedCredentials = (m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
-
-    if (m_upload)
-        request.setReportUploadProgress(true);
-
-    m_loader = ThreadableLoader::create(scriptExecutionContext(), this, request, callbacks, DoNotSniffContent, storedCredentials, DenyCrossOriginRedirect);
-
-    if (m_loader) {
-        // Neither this object nor the JavaScript wrapper should be deleted while
-        // a request is in progress because we need to keep the listeners alive,
-        // and they are referenced by the JavaScript wrapper.
-        setPendingActivity(this);
-        
-        // For now we should only balance the nonCached request count for main-thread XHRs and not
-        // Worker XHRs, as the Cache is not thread-safe.
-        // This will become irrelevant after https://bugs.webkit.org/show_bug.cgi?id=27165 is resolved.
-        if (!scriptExecutionContext()->isWorkerContext()) {
-            ASSERT(isMainThread());
-            ASSERT(!m_didTellLoaderAboutRequest);
-            cache()->loader()->nonCacheRequestInFlight(m_url);
-            m_didTellLoaderAboutRequest = true;
-        }
-    }
-}
-
 void XMLHttpRequest::abort()
 {
@@ -712 +527 @@
     // Clear headers as required by the spec
     m_requestHeaders.clear();
-    
+
     if ((m_state <= OPENED && !sendFlag) || m_state == DONE)
         m_state = UNSENT;
@@ -795 +610 @@
 }
 
-void XMLHttpRequest::dropProtection()        
+void XMLHttpRequest::dropProtection()
 {
 #if USE(JSC)
@@ -855 +670 @@
 void XMLHttpRequest::setRequestHeaderInternal(const AtomicString& name, const String& value)
 {
-    pair<HTTPHeaderMap::iterator, bool> result = m_requestHeaders.add(name, value); 
+    pair<HTTPHeaderMap::iterator, bool> result = m_requestHeaders.add(name, value);
     if (!result.second)
         result.first->second += ", " + value;
@@ -940 +755 @@
     if (mimeType.isEmpty())
         mimeType = "text/xml";
-    
+
     return mimeType;
 }
@@ -982 +797 @@
         m_didTellLoaderAboutRequest = false;
     }
-    
+
     // If we are already in an error state, for instance we called abort(), bail out early.
     if (m_error)
@@ -1012 +827 @@
         return;
 
-    if (m_inPreflight) {
-        didFinishLoadingPreflight();
-        return;
-    }
-
     if (m_state < HEADERS_RECEIVED)
         changeState(HEADERS_RECEIVED);
@@ -1034 +844 @@
     if (hadLoader)
         dropProtection();
-}
-
-void XMLHttpRequest::didFinishLoadingPreflight()
-{
-    ASSERT(m_inPreflight);
-    ASSERT(!m_sameOriginRequest);
-
-    // FIXME: this can probably be moved to didReceiveResponsePreflight.
-    if (m_async)
-        handleAsynchronousPreflightResult();
-
-    if (m_loader)
-        unsetPendingActivity(this);
 }
 
@@ -1066 +863 @@
 void XMLHttpRequest::didReceiveResponse(const ResourceResponse& response)
 {
-    if (m_inPreflight) {
-        didReceiveResponsePreflight(response);
-        return;
-    }
-
-    if (!m_sameOriginRequest) {
-        if (!passesAccessControlCheck(response, m_includeCredentials, scriptExecutionContext()->securityOrigin())) {
-            networkError();
-            return;
-        }
-    }
-
     m_response = response;
     m_responseEncoding = extractCharsetFromMediaType(m_mimeTypeOverride);
@@ -1084 +869 @@
 }
 
-void XMLHttpRequest::didReceiveResponsePreflight(const ResourceResponse& response)
-{
-    ASSERT(m_inPreflight);
-    ASSERT(!m_sameOriginRequest);
-
-    if (!passesAccessControlCheck(response, m_includeCredentials, scriptExecutionContext()->securityOrigin())) {
-        networkError();
-        return;
-    }
-
-    OwnPtr<CrossOriginPreflightResultCacheItem> preflightResult(new CrossOriginPreflightResultCacheItem(m_includeCredentials));
-    if (!preflightResult->parse(response)
-        || !preflightResult->allowsCrossOriginMethod(m_method)
-        || !preflightResult->allowsCrossOriginHeaders(m_requestHeaders)) {
-        networkError();
-        return;
-    }
-
-    CrossOriginPreflightResultCache::shared().appendEntry(scriptExecutionContext()->securityOrigin()->toString(), m_url, preflightResult.release());
-}
-
 void XMLHttpRequest::didReceiveAuthenticationCancellation(const ResourceResponse& failureResponse)
 {
@@ -1112 +876 @@
 void XMLHttpRequest::didReceiveData(const char* data, int len)
 {
-    if (m_inPreflight || m_error)
+    if (m_error)
         return;
 
     if (m_state < HEADERS_RECEIVED)
         changeState(HEADERS_RECEIVED);
-  
+
     if (!m_decoder) {
         if (!m_responseEncoding.isEmpty())
@@ -1211 +975 @@
 void XMLHttpRequest::dispatchProgressEvent(long long expectedLength)
 {
-    dispatchXMLHttpRequestProgressEvent(m_onProgressListener.get(), eventNames().progressEvent, expectedLength && m_receivedLength <= expectedLength, 
+    dispatchXMLHttpRequestProgressEvent(m_onProgressListener.get(), eventNames().progressEvent, expectedLength && m_receivedLength <= expectedLength,
                                         static_cast<unsigned>(m_receivedLength), static_cast<unsigned>(expectedLength));
 }
@@ -1236 +1000 @@
 }
 
-} // namespace WebCore 
+} // namespace WebCore

trunk/WebCore/xml/XMLHttpRequest.h

@@ -118 +118 @@
 private:
     XMLHttpRequest(ScriptExecutionContext*);
-    
+
     virtual void refEventTarget() { ref(); }
     virtual void derefEventTarget() { deref(); }
@@ -136 +136 @@
     virtual void didReceiveAuthenticationCancellation(const ResourceResponse&);
 
-    // Special versions for the preflight
-    void didReceiveResponsePreflight(const ResourceResponse&);
-    void didFinishLoadingPreflight();
-
     void updateAndDispatchOnProgress(unsigned int len);
 
@@ -159 +155 @@
 
     void createRequest(ExceptionCode&);
-
-    void makeSameOriginRequest(ExceptionCode&);
-    void makeCrossOriginAccessRequest(ExceptionCode&);
-
-    void makeSimpleCrossOriginAccessRequest(ExceptionCode&);
-    void makeCrossOriginAccessRequestWithPreflight(ExceptionCode&);
-    void handleAsynchronousPreflightResult();
-
-    void loadRequestSynchronously(ResourceRequest&, ExceptionCode&);
-    void loadRequestAsynchronously(ResourceRequest&);
 
     void genericError();
@@ -224 +210 @@
 
     bool m_sameOriginRequest;
-    bool m_allowAccess;
-    bool m_inPreflight;
     bool m_didTellLoaderAboutRequest;
 
     // Used for onprogress tracking
     long long m_receivedLength;
-    
+
     unsigned m_lastSendLineNumber;
     String m_lastSendURL;