Google Git
Sign in
chromium / chromium / blink / 7ea774e478f84f355748108d2aaabca15355d512
commit7ea774e478f84f355748108d2aaabca15355d512[log] [tgz]
authorkbr@chromium.org <kbr@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Fri May 10 20:19:52 2013
committerkbr@chromium.org <kbr@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Fri May 10 20:19:52 2013
treeb88ec7290fcb4aab98c82de5989ddbe606b3f87a
parentf70b5f371a732113aec703985c21fc78cb6dd340 [diff]
Fix problems with cross-origin redirects.

Three problems exist in the current code:

1) If a same-origin request causes a redirect to a different origin,
   do not enforce access control checks for the redirect response
   itself, because the request which resulted in the redirect was
   same-origin.

2) If a same-origin request causes a redirect to a different origin,
   use the original request's URL as the origin for the new request;
   do not use a unique security origin.

3) Track whether the client (i.e., XMLHttpRequest) actually requested
   that credentials be sent in the first place. When a same-origin
   request redirects to a different origin, the original request will
   send cookies whether requested or not, because it is same-origin.
   The new cross-origin request should not send cookies unless they
   were requested, so that the access control checks on the response
   will succeed if the server granted "Access-Control-Allow-Origin=*".

BUG=226897

Review URL: https://chromiumcodereview.appspot.com/14557011

git-svn-id: svn://svn.chromium.org/blink/trunk@150130 bbb929c8-8fbe-4397-9dbb-9b2b20218538
19 files changed
tree: b88ec7290fcb4aab98c82de5989ddbe606b3f87a
  1. LayoutTests/
  2. ManualTests/
  3. PerformanceTests/
  4. public/
  5. Source/
  6. Tools/
  7. .gitattributes
  8. .gitignore
  9. codereview.settings
  10. OWNERS
  11. PRESUBMIT.py
  12. WATCHLISTS