Fix cookie exclusion for fetch CORS pre-flight requests (fixes #3596)

Cookies (and other credentials) will be excluded when appropriate by
downgrading |credentials_mode| from kSameOrigin to kOmit.

Improve logic for Origin header inclusion, including a fix for
Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy
when used with custom standard schemes.

Specify correct CookiePartitionKeyCollection when loading cookies.

To test:
- Run tests from https://browseraudit.com/ with and without
  `--disable-request-handling-for-testing`. Results are the same.
- Run `ceftests --gtest_filter=CorsTest.*`.
Author: Marshall Greenblatt
2023-11-16 18:19:27 -05:00
parent a9f1ce090a
commit cf934a20a7
10 changed files with 166 additions and 32 deletions

@@ -249,11 +249,19 @@ void LoadCookies(const CefBrowserContext::Getter& browser_context_getter,
return;
}
net::CookiePartitionKeyCollection partition_key_collection;
if (request.trusted_params.has_value() &&
!request.trusted_params->isolation_info.IsEmpty()) {
partition_key_collection = net::CookiePartitionKeyCollection::FromOptional(
net::CookiePartitionKey::FromNetworkIsolationKey(
request.trusted_params->isolation_info.network_isolation_key()));
}
CEF_POST_TASK(
CEF_UIT,
base::BindOnce(LoadCookiesOnUIThread, browser_context_getter, request.url,
GetCookieOptions(request, /*for_loading_cookies=*/true),
net::CookiePartitionKeyCollection(), allow_cookie_callback,
std::move(partition_key_collection), allow_cookie_callback,
std::move(done_callback)));
}
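Review bot: In LoadCookies, the fallback when request.trusted_params is absent or its isolation_info is empty is left implicit: partition_key_collection stays default-constructed, which is the same value the replaced argument net::CookiePartitionKeyCollection() passed, so those requests still load with a default collection. A short comment above the if saying this is intentional, and which requests are expected to arrive without trusted_params, would make the cookie-exclusion behaviour easier to audit. It is also worth confirming that the cookie-saving path derives its partition key from the same isolation_info, so that load and save agree on partitioning; that path is not visible in this hunk.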