Commit Graph

27 Commits

Author SHA1 Message Date
Marshall Greenblatt cf934a20a7 Fix cookie exclusion for fetch CORS pre-flight requests (fixes #3596)
Cookies (and other credentials) will be excluded when appropriate by
downgrading |credentials_mode| from kSameOrigin to kOmit.

Improve logic for Origin header inclusion, including a fix for
Referrer/Origin calculation in URLRequestJob::ComputeReferrerForPolicy
when used with custom standard schemes.

Specify correct CookiePartitionKeyCollection when loading cookies.

To test:
- Run tests from https://browseraudit.com/ with and without
  `--disable-request-handling-for-testing`. Results are the same.
- Run `ceftests --gtest_filter=CorsTest.*`.
2023-11-20 14:44:43 -05:00
Marshall Greenblatt b2274f534d Update to Chromium version 119.0.6045.0 (#1204232)
Mac: 13.5+ build system w/ 14.0 base SDK (Xcode 15.0) is now required.
2023-10-24 10:56:39 -04:00
Marshall Greenblatt 5042d71408 Remove CEF-specific integer and char16 typedef's (see #3507) 2023-06-01 19:32:36 +03:00
Marshall Greenblatt 4b3c3132cb Update to Chromium version 113.0.5672.0 (#1121455) 2023-04-05 17:48:51 -04:00
Marshall Greenblatt a986b1c226 ceftests: Fix CorsTest.IframeNone failures
The same console message is sometimes output multiple times.
2023-01-04 21:36:29 -05:00
Marshall Greenblatt 3af3eab3e4 Update source files for bracket style 2023-01-04 17:47:17 -05:00
Marshall Greenblatt 216e5b31dd tests: Fix CorsTest.Iframe failures (see issue #3348)
Run test initialization after the server has started.
2022-11-17 12:50:15 -05:00
Marshall Greenblatt 47d69a842a Update to Chromium version 109.0.5414.0 (#1070088)
- mac: Xcode 14.0 with macOS SDK 13.0 is now required.
- Remove CefRequestHandler::OnQuotaRequest because persistent quota is no
  longer supported (see https://crbug.com/1208141)
2022-11-17 12:50:15 -05:00
Marshall Greenblatt 952f2b0829 ceftests: Rename test_server::Observer::OnHttpRequest to OnTestServerRequest (see issue #3348) 2022-08-01 21:14:12 -04:00
Marshall Greenblatt ce18bb98ab ceftests: Deprecate the use of test_server constants (see issue #3348) 2022-08-01 16:20:03 -04:00
Marshall Greenblatt a4d63010c9 ceftests: Refactor test_server to support both HTTP and HTTPS servers (see issue #3348) 2022-08-01 16:20:03 -04:00
Marshall Greenblatt 68be2b8938 ceftests: Generalize the test_server::Observer interface (see issue #3348)
Don't expose CefServer implementation details to consumers.
2022-08-01 15:14:13 -04:00
Marshall Greenblatt ee15eca351 ceftests: Minor code cleanup 2022-05-25 16:42:41 +03:00
Marshall Greenblatt 28c7f04001 Delete cef_web_plugin.h and plugin-related APIs (see issue #3047)
This functionality stopped being relevant after the removal of Flash support
in January 2021. The last remaining PPAPI plugin (PDF viewer) will switch to
a non-plugin implementation (PdfUnseasoned) in M100.
2022-02-18 16:23:11 -05:00
Marshall Greenblatt 529b91bc6e tests: Convert usage of base::Bind to Once or Repeating (see issue #3140) 2021-06-19 17:19:32 -04:00
Marshall Greenblatt 17fc2b3e3b Various fixes related to the C++11/14 update (see issue #3140)
- Convert scoped_ptr to std::unique_ptr from <memory>
- Convert arraysize to base::size from include/base/cef_cxx17_backports.h
- Convert NULL to nullptr
- Include include/base/cef_callback.h instead of include/base/cef_bind.h
- Implicit conversion of CefRefPtr<T> or scoped_refptr<T> to T* is gone;
  use .get() instead

See the issue for additional details.
2021-06-18 13:42:31 -04:00
Marshall Greenblatt 00dca9601e Update to Chromium version 92.0.4515.0 (#885287) 2021-06-10 16:42:44 -04:00
Marshall Greenblatt 511e10d594 ceftests: Add missing newline at end of file 2021-04-23 21:00:43 -04:00
Marshall Greenblatt fc7f9ff505 Fix crash when navigating to an unregistered scheme (fixes issue #3105)
The policy->CanAccessDataForOrigin CHECK in NavigationRequest::
GetOriginForURLLoaderFactory was failing because unregistered schemes
(which are already considered non-standard schemes) didn't trigger the
registered non-standard scheme allowance that we previously added in
ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin. This change
modifies GetOriginForURLLoaderFactory to always return an opaque/unique
origin for non-standard schemes resulting in unregistered and non-standard
schemes receiving the same treatment.

New test coverage has been added for this condition, and can be run with:
ceftests --gtest_filter=CorsTest.*CustomUnregistered*
2021-04-12 16:18:37 -04:00
Marshall Greenblatt 1cddbeb12f chrome: Fix CorsTest.RedirectPost307HttpSchemeToCustomNonStandardScheme failure (see issue #2969) 2021-04-05 14:49:30 -04:00
Marshall Greenblatt 74db00fc89 Update to Chromium version 90.0.4430.0 (#857950)
- Linux ARM builds require use_vaapi=false (see https://crbug.com/1185348)
- Windows official builds require use_thin_lto=false (see https://crbug.com/1177001)
2021-03-18 11:23:00 -04:00
Marshall Greenblatt e618f44667 Windows: Fix warning C4458: declaration of 'method' hides class member 2020-10-15 14:21:06 -04:00
Marshall Greenblatt cc56720bd2 Support CORS preflight requests with OutOfBlinkCors (fixes issue #3006)
A CORS preflight request is an "OPTIONS" request sent to a server prior to a
cross-origin XMLHttpRequest or Fetch request. The server's response determines
which HTTP request methods are allowed and supported, and whether credentials
such as Cookies and HTTP Authentication should be sent with requests.

A CORS preflight request will only be sent if certain conditions are met. For
example, it will be sent for requests that have potentially unsafe HTTP
methods [1] or request headers [2]. See the NeedsPreflight function in
services/network/cors/cors_url_loader.cc for full details.

CORS preflight functionality is implemented in the network service and will not
be triggered if the client handles the request instead of allowing it to proceed
over the network. Since the preflight request itself also runs in the network
service it cannot be intercepted by the client.

[1] https://fetch.spec.whatwg.org/#cors-safelisted-method
[2] https://fetch.spec.whatwg.org/#cors-safelisted-request-header
2020-09-11 19:21:53 -04:00
Marshall Greenblatt 88faf1023a Fix incorrect Origin and Cookie headers for POST redirects (fixes issue #2806)
This change also adds unit test coverage for cross-origin POST redirects.
2020-09-09 18:30:12 -04:00
Marshall Greenblatt 42f517ec69 Fix DCHECK failure in the URLLoader constructor.
The request.trusted_params.isolation_info.site_for_cookies value must
match request.site_for_cookies.

This change also adds unit test coverage for cross-origin GET redirects.
2020-09-09 18:29:21 -04:00
Marshall Greenblatt 4791109a28 Don't save or load cookies for non-cookieable scheme requests.
This fixes an IsCanonical() DCHECK failure triggered by calling
CanonicalCookie::Create for a non-cookieable URL.

This change also adds unit test coverage for cross-origin cookie
behavior with sub-resource requests (iframe, XHR, Fetch).
2020-09-09 18:29:15 -04:00
Marshall Greenblatt 6b1e5335bc Add support and enable out-of-Blink CORS (fixes issue #2716)
It can still be disabled for a short time by passing
`--disable-features=OutOfBlinkCors` on the command-line.
2020-08-26 16:25:25 -04:00