Google Git
Sign in
chromium / chromium / blink / fd6c29fb3aa725b0b201e4b1f4e67a4390f06b6f
commitfd6c29fb3aa725b0b201e4b1f4e67a4390f06b6f[log] [tgz]
authorrob@robwu.nl <rob@robwu.nl@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Mon Mar 17 21:05:29 2014
committerrob@robwu.nl <rob@robwu.nl@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Mon Mar 17 21:05:29 2014
treea7f950b4af253698c953e6afffb2084ccb79ebe1
parentb5a23324b0c9eac3abc4eaa5886057a7b9ce88b5 [diff]
Restrict CORS wildcard+credentials combination for http(s) only.

CORS-with-credentials are only defined for http(s) resources.

Chromium uses Access-Control-Allow-Origin: * with the intention of
whitelisting resources at certain origins for use in XMLHttpRequest and
images with canvas.
When the includeCredentials flag is set, these requests are blocked, even
though the term "credentials" makes no sense for data:/chrome-extension:-URLs.

This CL relaxes the wildcard check for non-http(s) resources, so that implementors
can choose to use CORS regardless of whether credentials were requested.

BUG=315152
TEST=Layout tests are already in CL https://codereview.chromium.org/54173002/

Review URL: https://codereview.chromium.org/192573011

git-svn-id: svn://svn.chromium.org/blink/trunk@169391 bbb929c8-8fbe-4397-9dbb-9b2b20218538
1 file changed
tree: a7f950b4af253698c953e6afffb2084ccb79ebe1
  1. LayoutTests/
  2. ManualTests/
  3. PerformanceTests/
  4. public/
  5. Source/
  6. Tools/
  7. .clang-format
  8. .gitattributes
  9. .gitignore
  10. codereview.settings
  11. LICENSE
  12. OWNERS
  13. PRESUBMIT.py
  14. WATCHLISTS