Improve handling of CORS redirects for some resource loads.

To align with what CORS requires for redirects, have CORS-enabled
resource loading perform access control checks on redirects.

The ResourceLoader delegates the access control check to its host's
canAccessRedirect() implementation:

 bool ResourceLoaderHost::canAccessRedirect(Resource*, ResourceRequest&, const ResourceResponse&, ResourceLoaderOptions&);

which is passed the redirect request + response along with other
arguments needed to make a yes/no decision on following the redirect.

To correctly handle redirects to another origin, the
canAccessRedirect() predicate is also responsible for updating the
'source origin' as the redirect is followed. This and other redirect
steps are taken care of by the helper method

  CrossOriginAccessControl::handleRedirect()

The included tests cover redirects over <img> and <script>, for the
various redirect responses possible (wrt CORS). Rely on existing
redirect tests for HTML imports.

Notice that the redirect handling added here does not apply to
resource types and loaders that implement their special (and extended)
handling of CORS + redirects -- e.g., XMLHttpRequest fetches.

R=abarth@chromium.org
BUG=274843

Review URL: https://codereview.chromium.org/149643003

git-svn-id: svn://svn.chromium.org/blink/trunk@166508 bbb929c8-8fbe-4397-9dbb-9b2b20218538
33 files changed
tree: 46e1bb61b9ab341aff85dd5020a8735c59e1f5a8
  1. third_party/
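
An added example, not code from Blink or from this change: a simplified C++ model of the redirect decision the commit message describes (access check on the redirect response, then the 'source origin' update), written on the assumption that it follows the W3C CORS redirect steps. Every type and function name and the a/b/c.example scenario are hypothetical and constructed for illustration.

```cpp
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;

// Hypothetical stand-in for a security origin, kept as its serialized form.
struct Origin {
    std::string value;  // becomes "null" once replaced by a unique origin
};

// Resource sharing check: does a response with headers `h` admit `source`?
bool passesAccessCheck(const Headers& h, const Origin& source, bool credentials) {
    auto allow = h.find("access-control-allow-origin");
    if (allow == h.end()) return false;
    if (allow->second == "*") return !credentials;  // wildcard never covers credentialed loads
    if (allow->second != source.value) return false;
    if (!credentials) return true;
    auto cred = h.find("access-control-allow-credentials");
    return cred != h.end() && cred->second == "true";
}

// Yes/no decision on a redirect issued by origin `from` and pointing at origin `to`.
// Mutates `source`, modelling the 'source origin' update made as the redirect is followed.
bool canFollowRedirect(Origin& source, const std::string& from, const std::string& to,
                       const Headers& redirectHeaders, bool credentials) {
    if (from == source.value) return true;  // redirect served same-origin: no check needed
    if (!passesAccessCheck(redirectHeaders, source, credentials)) return false;
    if (from != to) source.value = "null";  // hop between two foreign origins: unique origin
    return true;
}

// Constructed scenario: a page on a.example loads a CORS-enabled <img> from
// b.example, which redirects to c.example. Returns whether the final response is usable.
bool chainSucceeds(const std::string& finalAllowOrigin) {
    Origin source{"https://a.example"};
    Headers redirect{{"access-control-allow-origin", "https://a.example"}};
    if (!canFollowRedirect(source, "https://b.example", "https://c.example", redirect, false))
        return false;
    Headers finalHeaders{{"access-control-allow-origin", finalAllowOrigin}};
    return passesAccessCheck(finalHeaders, source, false);
}

int main() {
    // After the cross-origin hop the source origin is "null", so only "*" matches.
    bool ok = chainSucceeds("*") && !chainSucceeds("https://a.example");
    return ok ? 0 : 1;
}
```

In this model, a final server that echoes the original page's origin is rejected after a b.example to c.example hop, because the source origin it is compared against is no longer `https://a.example`.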