CORS preflight with a non-200 response should be a preflight failure
https://bugs.webkit.org/show_bug.cgi?id=111008

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

* web-platform-tests/XMLHttpRequest/data-uri-expected.txt:

Source/WebCore:

Covered by rebased tests.

* Modules/fetch/FetchResponse.h: Making use of ResourceResponse::isSuccessful.
* loader/CrossOriginPreflightChecker.cpp:
(WebCore::CrossOriginPreflightChecker::validatePreflightResponse): Checking that the response status code is
successful. If not, calling preflight failure callback.
(WebCore::CrossOriginPreflightChecker::startPreflight): Putting in manual redirection mode so that redirection
responses are processed as other responses.
* loader/ResourceLoaderOptions.h:
(WebCore::ResourceLoaderOptions::fetchOptions): Adding a non-const getter and fixing const getter to return a
const reference.
(WebCore::ResourceLoaderOptions::setFetchOptions): Passing options by reference.
* platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseBase::isSuccessful): Utility function.
* platform/network/ResourceResponseBase.h:

LayoutTests:

* http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async.html:
* http/tests/xmlhttprequest/access-control-basic-get-fail-non-simple-expected.txt:
* http/tests/xmlhttprequest/workers/access-control-basic-get-fail-non-simple-expected.txt:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@202162 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/CrossOriginPreflightChecker.cpp b/Source/WebCore/loader/CrossOriginPreflightChecker.cpp
index c25c102..1ddcade 100644
--- a/Source/WebCore/loader/CrossOriginPreflightChecker.cpp
+++ b/Source/WebCore/loader/CrossOriginPreflightChecker.cpp
@@ -72,9 +72,14 @@
     auto cookie = InspectorInstrumentation::willReceiveResourceResponse(frame);
     InspectorInstrumentation::didReceiveResourceResponse(cookie, identifier, frame->loader().documentLoader(), response, 0);
 
+    if (!response.isSuccessful()) {
+        loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), ASCIILiteral("Preflight response is not successful")));
+        return;
+    }
+
     String description;
     if (!passesAccessControlCheck(response, loader.options().allowCredentials(), loader.securityOrigin(), description)) {
-        loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, response.url(), description));
+        loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), description));
         return;
     }
 
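Review bot: The new `!response.isSuccessful()` gate is the security decision of this function, yet nothing at the call site says which statuses it accepts, and the helper is defined outside this diff and, per the commit message, is also used from FetchResponse.h. I would add a comment above the check such as `// Preflight must end in a successful status; 3xx responses arrive here because startPreflight() uses manual redirect mode.` so that a later change to the shared helper is reviewed with the preflight in mind. The fixed message "Preflight response is not successful" also omits the status code, unlike the other failure paths, which pass a specific `description`; including `response.httpStatusCode()` in it would make a rejected preflight easier to diagnose. The switch from `response.url()` to `request.url()` here and in the next hunk has no stated rationale in the code and deserves a one-line comment. The function's signature and end lie outside the hunk.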
@@ -82,7 +87,7 @@
     if (!result->parse(response, description)
         || !result->allowsCrossOriginMethod(request.httpMethod(), description)
         || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), description)) {
-        loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, response.url(), description));
+        loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), description));
         return;
     }
 
@@ -111,6 +116,8 @@
     // Keep buffering the data for the preflight request.
     options.setDataBufferingPolicy(BufferData);
 
+    options.fetchOptions().redirect = FetchOptions::Redirect::Manual;
+
     CachedResourceRequest preflightRequest(createAccessControlPreflightRequest(m_request, m_loader.securityOrigin()), options);
     if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
         preflightRequest.setInitiator(m_loader.options().initiator);
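Review bot: The added `options.fetchOptions().redirect = FetchOptions::Redirect::Manual;` carries no comment, although it is what lets the status check in validatePreflightResponse() see a redirect response instead of having it followed by the loader. I would put `// Never follow redirects for the preflight; a 3xx must be delivered and rejected as a failed preflight.` above it. Any other path in this file that issues a preflight (for example a synchronous one, not visible in these hunks) would presumably need equivalent handling to stay consistent, which is worth confirming. startPreflight's body starts and ends outside the hunk.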