Cookies (and other credentials) will be excluded when appropriate by
downgrading |credentials_mode| from kSameOrigin to kOmit.
Improve logic for Origin header inclusion, including a fix for
Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy
when used with custom standard schemes.
Specify correct CookiePartitionKeyCollection when loading cookies.
To test:
- Run tests from https://browseraudit.com/ with and without
`--disable-request-handling-for-testing`. Results are the same.
- Run `ceftests --gtest_filter=CorsTest.*`.
- mac: Xcode 14.0 with macOS SDK 13.0 is now required.
- Remove CefRequestHandler::OnQuotaRequest because persistent quota is no
longer supported (see https://crbug.com/1208141)
This functionality stopped being relevant after the removal of Flash support
in January 2021. The last remaining PPAPI plugin (PDF viewer) will switch to
a non-plugin implementation (PdfUnseasoned) in M100.
- Convert scoped_ptr to std::unique_ptr from <memory>
- Convert arraysize to base::size from include/base/cef_cxx17_backports.h
- Convert NULL to nullptr
- Include include/base/cef_callback.h instead of include/base/cef_bind.h
- Implicit conversion of CefRefPtr<T> or scoped_refptr<T> to T* is gone;
use .get() instead
See the issue for additional details.
The policy->CanAccessDataForOrigin CHECK in NavigationRequest::
GetOriginForURLLoaderFactory was failing because unregistered schemes
(which are already considered non-standard schemes) didn't trigger the
registered non-standard scheme allowance that we previously added in
ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin. This change
modifies GetOriginForURLLoaderFactory to always return an opaque/unique
origin for non-standard schemes resulting in unregistered and non-standard
schemes receiving the same treatment.
New test coverage has been added for this condition, and can be run with:
ceftests --gtest_filter=CorsTest.*CustomUnregistered*
A CORS preflight request is an "OPTIONS" request sent to a server prior to a
cross-origin XMLHttpRequest or Fetch request. The server's response determines
which HTTP request methods are allowed and supported, and whether credentials
such as Cookies and HTTP Authentication should be sent with requests.
A CORS preflight request will only be sent if certain conditions are met. For
example, it will be sent for requests that have potentially unsafe HTTP
methods [1] or request headers [2]. See the NeedsPreflight function in
services/network/cors/cors_url_loader.cc for full details.
CORS preflight functionality is implemented in the network service and will not
be triggered if the client handles the request instead of allowing it to proceed
over the network. Since the preflight request itself also runs in the network
service it cannot be intercepted by the client.
[1] https://fetch.spec.whatwg.org/#cors-safelisted-method
[2] https://fetch.spec.whatwg.org/#cors-safelisted-request-header
The request.trusted_params.isolation_info.site_for_cookies value must
match request.site_for_cookies.
This change also adds unit test coverage for cross-origin GET redirects.
This fixes an IsCanonical() DCHECK failure triggered by calling
CanonicalCookie::Create for a non-cookieable URL.
This change also adds unit test coverage for cross-origin cookie
behavior with sub-resource requests (iframe, XHR, Fetch).
Marshall Greenblatt