Fix cookie exclusion for fetch CORS pre-flight requests (fixes #3596)
Cookies (and other credentials) will be excluded when appropriate by downgrading |credentials_mode| from kSameOrigin to kOmit. Improve logic for Origin header inclusion, including a fix for Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy when used with custom standard schemes. Specify correct CookiePartitionKeyCollection when loading cookies. To test: - Run tests from https://browseraudit.com/ with and without `--disable-request-handling-for-testing`. Results are the same. - Run `ceftests --gtest_filter=CorsTest.*`.
@ -678,5 +678,11 @@ patches = [
|
||||
# https://chromium-review.googlesource.com/c/chromium/src/+/4829483
|
||||
# https://bugs.chromium.org/p/chromium/issues/detail?id=1470837#c22
|
||||
'name': 'rfh_navigation_4829483'
|
||||
},
|
||||
{
|
||||
# Fix Referrer & Origin calculation for secure referrer (custom standard
|
||||
# scheme) with insecure destination.
|
||||
# https://github.com/chromiumembedded/cef/issues/3596
|
||||
'name': 'net_url_request_3596'
|
||||
}
|
||||
]
|
||||
|
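--- a/patch/patches/net_url_request_3596.patch
+++ b/patch/patches/net_url_request_3596.patch
@@ -0,0 +1,39 @@
+diff --git net/url_request/url_request_job.cc net/url_request/url_request_job.cc
+index 0e585570d3fa6..7158d4e8df44e 100644
+--- net/url_request/url_request_job.cc
++++ net/url_request/url_request_job.cc
+@@ -34,6 +34,7 @@
+#include "net/ssl/ssl_private_key.h"
+#include "net/url_request/redirect_util.h"
+#include "net/url_request/url_request_context.h"
++#include "url/url_util.h"
+
+namespace net {
+
+@@ -46,6 +47,16 @@ base::Value::Dict SourceStreamSetParams(SourceStream* source_stream) {
+return event_params;
+}
+
++bool IsSecureScheme(const GURL& url) {
++ if (!url.has_scheme()) {
++ return false;
++ }
++ if (GURL::SchemeIsCryptographic(url.scheme_piece())) {
++ return true;
++ }
++ return base::Contains(url::GetSecureSchemes(), url.scheme_piece());
++}
++
+} // namespace
+
+// Each SourceStreams own the previous SourceStream in the chain, but the
+@@ -334,8 +345,7 @@ GURL URLRequestJob::ComputeReferrerForPolicy(
+}
+
+bool secure_referrer_but_insecure_destination =
+- original_referrer.SchemeIsCryptographic() &&
+- !destination.SchemeIsCryptographic();
++ IsSecureScheme(original_referrer) && !IsSecureScheme(destination);
+
+switch (policy) {
+case ReferrerPolicy::CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE: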
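Review bot: `IsSecureScheme()` is added without a comment, yet it changes the trust basis of `secure_referrer_but_insecure_destination` from a transport check (`SchemeIsCryptographic`) to membership in the `url::GetSecureSchemes()` registry, for the destination as well as the referrer. A destination whose scheme an embedder registered as secure is therefore no longer treated as a downgrade, so the referrer-stripping policies leave the referrer intact for it. That is presumably intended for custom standard schemes, but it should be stated where the helper is defined, e.g. `// True for cryptographic schemes and for schemes in url::GetSecureSchemes() (embedder-registered).` followed by `// Registry membership is trusted as-is when deciding whether to strip the referrer.` It is also worth confirming that `base/containers/contains.h` is already included by this file, since the patch adds only `url/url_util.h` and the include list is only partly visible. The body of `ComputeReferrerForPolicy` starts and ends outside the third hunk.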