[Fetch API] Activate credentials mode
https://bugs.webkit.org/show_bug.cgi?id=160292
Patch by Youenn Fablet <youenn@apple.com> on 2016-07-29
Reviewed by Alex Christensen.
LayoutTests/imported/w3c:
* web-platform-tests/fetch/api/cors/cors-cookies-expected.txt:
* web-platform-tests/fetch/api/cors/cors-cookies-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-cookies.js: Fixin otherRemote computation.
(corsCookies): ensuring cookie clean-up is done in case of error before going to the next test.
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
* web-platform-tests/fetch/api/credentials/cookies-expected.txt:
* web-platform-tests/fetch/api/credentials/cookies-worker-expected.txt:
Source/WebCore:
Covered by updated and rebased tests.
Previously the allowCredentials option was computed by DocumentThreadableLoader clients.
This option is really similar to the credentials flag in the fetch specification and should be handled at lower levels.
In the future, it might be good to retire that option.
In case of Omit mode, we need to explicitely disable cookies in DocumentThreadableLoader.
This should be updated so that ResourceLoader does it, depending on credential flag being set or not.
Updated DocumentThreadableLoader clients to only use FetchOptions::Credentials.
This allows to link code more easely to specification.
* Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start): Removing use of allowCredentials option. Using FetchOptions::Credentials instead.
* fileapi/FileReaderLoader.cpp:
(WebCore::FileReaderLoader::start): Ditto.
* inspector/InspectorNetworkAgent.cpp:
(WebCore::InspectorNetworkAgent::loadResource): Ditto.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Computing allowCredentials from FetchOptions::Credentials.
(WebCore::DocumentThreadableLoader::loadRequest): Enabling cookie only if allowed to use credentials. This is in
particular useful for FetchOptions::Credentials::Omit mode.
* page/EventSource.cpp:
(WebCore::EventSource::connect): Removing use of allowCredentials option. Using FetchOptions::Credentials instead.
* workers/WorkerScriptLoader.cpp:
(WebCore::WorkerScriptLoader::loadSynchronously): Ditto.
(WebCore::WorkerScriptLoader::loadAsynchronously): Ditto.
* xml/XMLHttpRequest.cpp: Ditto.
(WebCore::XMLHttpRequest::createRequest):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@203900 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/DocumentThreadableLoader.cpp b/Source/WebCore/loader/DocumentThreadableLoader.cpp
index ee08189..cf925b2 100644
--- a/Source/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/Source/WebCore/loader/DocumentThreadableLoader.cpp
@@ -96,6 +96,8 @@
ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));
+ m_options.setAllowCredentials((m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_sameOriginRequest)) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
+
if (m_sameOriginRequest || m_options.mode == FetchOptions::Mode::NoCors) {
loadRequest(request, DoSecurityCheck);
return;
@@ -370,6 +372,8 @@
CachedResourceRequest newRequest(request, options);
if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
newRequest.setInitiator(m_options.initiator);
+ newRequest.mutableResourceRequest().setAllowCookies(m_options.allowCredentials() == AllowStoredCredentials);
+
ASSERT(!m_resource);
m_resource = m_document.cachedResourceLoader().requestRawResource(newRequest);
if (m_resource)
@@ -378,6 +382,9 @@
return;
}
+ // If credentials mode is 'Omit', we should disable cookie sending.
+ ASSERT(m_options.credentials != FetchOptions::Credentials::Omit);
+
// FIXME: ThreadableLoaderOptions.sniffContent is not supported for synchronous requests.
RefPtr<SharedBuffer> data;
ResourceError error;
