Allow some schemes to opt-out of CORS
https://bugs.webkit.org/show_bug.cgi?id=167795

Patch by Youenn Fablet <youennf@gmail.com> on 2017-02-06
Reviewed by Alex Christensen.

Source/WebCore:

Test: http/tests/security/bypassing-cors-checks-for-extension-urls.html

Adding the possibility to opt out of CORS for DocumentThreadableLoader clients (fetch and XHR).
This is made specific to the case of user extension URLs for pages running user scripts.
Introducing a boolean flag in Page for that purpose.
Introducing a helper routine in SchemeRegistry to centralize the various user script extension schemes.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
* page/Frame.cpp:
(WebCore::Frame::injectUserScripts):
* page/Page.h:
(WebCore::Page::setAsRunningUserScripts):
(WebCore::Page::isRunningUserScripts):
* platform/SchemeRegistry.cpp:
(WebCore::SchemeRegistry::isUserExtensionScheme):
* platform/SchemeRegistry.h:
* testing/Internals.cpp:
(WebCore::Internals::setAsRunningUserScripts):
* testing/Internals.h:
* testing/Internals.idl:

LayoutTests:

* http/tests/security/bypassing-cors-checks-for-extension-urls-expected.txt: Added.
* http/tests/security/bypassing-cors-checks-for-extension-urls.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@211758 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/DocumentThreadableLoader.cpp b/Source/WebCore/loader/DocumentThreadableLoader.cpp
index 0c970a1..508fb73 100644
--- a/Source/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/Source/WebCore/loader/DocumentThreadableLoader.cpp
@@ -110,6 +110,11 @@
     if (m_async && m_options.mode == FetchOptions::Mode::Cors)
         m_originalHeaders = request.httpHeaderFields();
 
+    if (document.page() && document.page()->isRunningUserScripts() && SchemeRegistry::isUserExtensionScheme(request.url().protocol().toStringWithoutCopying())) {
+        m_options.mode = FetchOptions::Mode::NoCors;
+        m_options.filteringPolicy = ResponseFilteringPolicy::Disable;
+    }
+
     // As per step 11 of https://fetch.spec.whatwg.org/#main-fetch, data scheme (if same-origin data-URL flag is set) and about scheme are considered same-origin.
     if (request.url().protocolIsData())
         m_sameOriginRequest = options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
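
Review bot: The added `if` block decides the CORS opt-out from `document.page()->isRunningUserScripts()` and the request URL's scheme alone, so nothing in the condition ties the request to the injected user script. Once the page flag is set, any fetch or XHR created through this loader for a user extension scheme, whoever in the page initiated it, is switched to `FetchOptions::Mode::NoCors` with `ResponseFilteringPolicy::Disable`, which means the response is not filtered down to an opaque one. Please add a comment above the block stating that the flag is page-scoped and why filtering is disabled here, so the relaxation is not read as limited to the user script's own requests. Two smaller points: the block sits after the `m_originalHeaders` capture, so headers are saved for a request that then leaves Cors mode, and moving the block above that check would avoid it; and `document.page()` is called twice in the condition, where a local (`auto* page = document.page()`) would shorten the line.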