Fix credentials mode for fetch request redirect (fixes #3675)
Also verified that https://browseraudit.com/ gives the same results both with and without `--disable-request-handling-for-testing`.
parent
3c3e543b44
commit
0580f93839
|
@ -359,6 +359,7 @@ class InterceptedRequest : public network::mojom::URLLoader,
|
||||||
GURL redirect_url_;
|
GURL redirect_url_;
|
||||||
GURL header_client_redirect_url_;
|
GURL header_client_redirect_url_;
|
||||||
const net::MutableNetworkTrafficAnnotationTag traffic_annotation_;
|
const net::MutableNetworkTrafficAnnotationTag traffic_annotation_;
|
||||||
|
std::optional<network::mojom::CredentialsMode> original_crendentials_mode_;
|
||||||
|
|
||||||
mojo::Receiver<network::mojom::URLLoader> proxied_loader_receiver_;
|
mojo::Receiver<network::mojom::URLLoader> proxied_loader_receiver_;
|
||||||
mojo::Remote<network::mojom::URLLoaderClient> target_client_;
|
mojo::Remote<network::mojom::URLLoaderClient> target_client_;
|
||||||
|
@ -507,6 +508,7 @@ void InterceptedRequest::Restart() {
|
||||||
// Match logic in CorsURLLoader::StartNetworkRequest.
|
// Match logic in CorsURLLoader::StartNetworkRequest.
|
||||||
const auto response_tainting = CalculateResponseTainting(
|
const auto response_tainting = CalculateResponseTainting(
|
||||||
should_check_cors, request_.mode, tainted_origin);
|
should_check_cors, request_.mode, tainted_origin);
|
||||||
|
original_crendentials_mode_ = request_.credentials_mode;
|
||||||
request_.credentials_mode =
|
request_.credentials_mode =
|
||||||
network::cors::CalculateCredentialsFlag(request_.credentials_mode,
|
network::cors::CalculateCredentialsFlag(request_.credentials_mode,
|
||||||
response_tainting)
|
response_tainting)
|
||||||
|
@ -875,6 +877,14 @@ void InterceptedRequest::ContinueAfterIntercept() {
|
||||||
target_loader_.BindNewPipeAndPassReceiver(), id_, options, request_,
|
target_loader_.BindNewPipeAndPassReceiver(), id_, options, request_,
|
||||||
proxied_client_receiver_.BindNewPipeAndPassRemote(),
|
proxied_client_receiver_.BindNewPipeAndPassRemote(),
|
||||||
traffic_annotation_);
|
traffic_annotation_);
|
||||||
|
if (original_crendentials_mode_) {
|
||||||
|
// Restore the original |credentials_mode| value after calling
|
||||||
|
// CreateLoaderAndStart. This matches the logic in CorsURLLoader::
|
||||||
|
// StartNetworkRequest and allows InterceptedRequest::Restart to compute
|
||||||
|
// the correct |credentials_mode| during a fetch request redirect.
|
||||||
|
request_.credentials_mode = *original_crendentials_mode_;
|
||||||
|
original_crendentials_mode_.reset();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
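Review bot: The saved mode is put back only on the branch of `ContinueAfterIntercept()` that follows the `CreateLoaderAndStart` call, so any path that leaves between `Restart()` and that point would keep `request_.credentials_mode` at the value computed by `CalculateCredentialsFlag`. Those other paths (handler-supplied response, cancel, error) are not visible in the hunks, so this is inferred; if one exists, the next `Restart()` would store the already-computed value as the "original", and the redirect could again be evaluated with the wrong decision on whether to send cookies and HTTP auth. One way to make `Restart()` safe on its own is to add `if (original_crendentials_mode_) request_.credentials_mode = *original_crendentials_mode_;` just before the new assignment. The member is also spelled `crendentials` in all three hunks and has no comment; renaming it to `original_credentials_mode_` and adding `// request_.credentials_mode as it was before Restart() overwrote it; set only between Restart() and CreateLoaderAndStart.` would record the invariant. Both function bodies start and end outside the hunks shown.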