mirror of
https://bitbucket.org/chromiumembedded/cef
synced 2025-06-05 21:39:12 +02:00
Fix cookie exclusion for fetch CORS pre-flight requests (fixes #3596)
Cookies (and other credentials) will be excluded when appropriate by downgrading |credentials_mode| from kSameOrigin to kOmit.

Improve logic for Origin header inclusion, including a fix for Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy when used with custom standard schemes.

Specify correct CookiePartitionKeyCollection when loading cookies.

To test:
- Run tests from https://browseraudit.com/ with and without `--disable-request-handling-for-testing`. Results are the same.
- Run `ceftests --gtest_filter=CorsTest.*`.
39
patch/patches/net_url_request_3596.patch
Normal file
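--- a/patch/patches/net_url_request_3596.patch
+++ b/patch/patches/net_url_request_3596.patch
@@ -0,0 +1,39 @@
+diff --git net/url_request/url_request_job.cc net/url_request/url_request_job.cc
+index 0e585570d3fa6..7158d4e8df44e 100644
+--- net/url_request/url_request_job.cc
++++ net/url_request/url_request_job.cc
+@@ -34,6 +34,7 @@
+#include "net/ssl/ssl_private_key.h"
+#include "net/url_request/redirect_util.h"
+#include "net/url_request/url_request_context.h"
++#include "url/url_util.h"
+
+namespace net {
+
+@@ -46,6 +47,16 @@ base::Value::Dict SourceStreamSetParams(SourceStream* source_stream) {
+return event_params;
+}
+
++bool IsSecureScheme(const GURL& url) {
++ if (!url.has_scheme()) {
++ return false;
++ }
++ if (GURL::SchemeIsCryptographic(url.scheme_piece())) {
++ return true;
++ }
++ return base::Contains(url::GetSecureSchemes(), url.scheme_piece());
++}
++
+} // namespace
+
+// Each SourceStreams own the previous SourceStream in the chain, but the
+@@ -334,8 +345,7 @@ GURL URLRequestJob::ComputeReferrerForPolicy(
+}
+
+bool secure_referrer_but_insecure_destination =
+- original_referrer.SchemeIsCryptographic() &&
+- !destination.SchemeIsCryptographic();
++ IsSecureScheme(original_referrer) && !IsSecureScheme(destination);
+
+switch (policy) {
+case ReferrerPolicy::CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE: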
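Review bot: `IsSecureScheme` in the second inner hunk has no comment explaining why it differs from `SchemeIsCryptographic()`, yet it now decides `secure_referrer_but_insecure_destination`, i.e. whether the referrer is cleared or reduced on a secure-to-insecure transition. Because it returns true for anything in `url::GetSecureSchemes()`, a destination whose scheme is in that process-wide registry receives the same referrer an https destination would, so the referrer-privacy guarantee now depends on what the embedder registers as secure (and on any built-in entries of that list, which this page does not show). I would add above the function: `// Treats schemes registered as secure (url::GetSecureSchemes) like https/wss for referrer downgrade decisions; register only schemes whose transport is actually protected.` The helper also calls `base::Contains` while the first hunk adds only `url/url_util.h`; presumably `base/containers/contains.h` is already included in the file, but that is outside the visible context. `ComputeReferrerForPolicy` continues outside the hunk, so the effect on each `ReferrerPolicy` case cannot be checked from here.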