commit bc6bf7bbd165a3e7c050fd09d69765209a3d50e7
author Yutaka Hirano <yhirano@chromium.org> Tue May 21 07:05:27 2019
committer Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> Tue May 21 07:20:07 2019
tree 44727e2e9a9a8f2df3d436b769c38dc6c215a1f2
parent 85b782c55c3d861b8869c22efa2fa837c6a4ad0a

Fix accidental origin header removal in redirects

net/ implementation removes an origin when it sees a redirect which
changes request's method. This break CORS when the CORS flag is set -
because in that case we need an origin header.

This CL fixes it.

Bug: 965018
Change-Id: I3137d3b781c0cb293fbb282901b8bb52b3c13651
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1621419
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#661638}

fetch/api/redirect/redirect-origin.any.js

diff --git a/fetch/api/redirect/redirect-origin.any.js b/fetch/api/redirect/redirect-origin.any.js
index 3edb1bd..b81b916 100644
--- a/fetch/api/redirect/redirect-origin.any.js
+++ b/fetch/api/redirect/redirect-origin.any.js
@@ -2,7 +2,7 @@
 // META: script=../resources/utils.js
 // META: script=/common/get-host-info.sub.js
 
-function testOriginAfterRedirection(desc, redirectUrl, redirectLocation, redirectStatus, expectedOrigin) {
+function testOriginAfterRedirection(desc, method, redirectUrl, redirectLocation, redirectStatus, expectedOrigin) {
     var uuid_token = token();
     var url = redirectUrl;
     var urlParameters = "?token=" + uuid_token + "&max_age=0";
@@ -28,10 +28,15 @@
 var corsLocationUrl =  get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "inspect-headers.py?cors&headers=origin";
 
 for (var code of [301, 302, 303, 307, 308]) {
-    testOriginAfterRedirection("Same origin to same origin redirection " + code, redirectUrl, locationUrl, code, null);
-    testOriginAfterRedirection("Same origin to other origin redirection " + code, redirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
-    testOriginAfterRedirection("Other origin to other origin redirection " + code, corsRedirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
-    testOriginAfterRedirection("Other origin to same origin redirection " + code, corsRedirectUrl, locationUrl + "&cors", code, "null");
+    testOriginAfterRedirection("Same origin to same origin redirection " + code, 'GET', redirectUrl, locationUrl, code, null);
+    testOriginAfterRedirection("Same origin to other origin redirection " + code, 'GET', redirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+    testOriginAfterRedirection("Other origin to other origin redirection " + code, 'GET', corsRedirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+    testOriginAfterRedirection("Other origin to same origin redirection " + code, 'GET', corsRedirectUrl, locationUrl + "&cors", code, "null");
+
+    testOriginAfterRedirection("Same origin to same origin redirection[POST] " + code, 'POST', redirectUrl, locationUrl, code, null);
+    testOriginAfterRedirection("Same origin to other origin redirection[POST] " + code, 'POST', redirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+    testOriginAfterRedirection("Other origin to other origin redirection[POST] " + code, 'POST', corsRedirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+    testOriginAfterRedirection("Other origin to same origin redirection[POST] " + code, 'POST', corsRedirectUrl, locationUrl + "&cors", code, "null");
 }
 
 done();