Fix problems with cross-origin redirects.
Three problems exist in the current code:
1) If a same-origin request causes a redirect to a different origin,
do not enforce access control checks for the redirect response
itself, because the request which resulted in the redirect was
2) If a same-origin request causes a redirect to a different origin,
use the original request's URL as the origin for the new request;
do not use a unique security origin.
3) Track whether the client (i.e., XMLHttpRequest) actually requested
that credentials be sent in the first place. When a same-origin
request redirects to a different origin, the original request will
send cookies whether requested or not, because it is same-origin.
The new cross-origin request should not send cookies unless they
were requested, so that the access control checks on the response
will succeed if the server granted "Access-Control-Allow-Origin=*".
Review URL: https://chromiumcodereview.appspot.com/14557011
git-svn-id: svn://svn.chromium.org/blink/trunk@150130 bbb929c8-8fbe-4397-9dbb-9b2b20218538
19 files changed