The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/131650a98e8d7dc8019b74c6221c8ac3db951c64

commit 131650a98e8d7dc8019b74c6221c8ac3db951c64
Author: tyoshino <tyoshino@chromium.org>
Date: Tue Oct 18 11:23:54 2016

Increase coverage for img element's crossOrigin attribute's behavior on redirect

Even after  http://crbug.com/563328  was fixed, the behavior is not fully
conforming to the spec. Newly added tests will clarify the issue and
ensure it's working for the other cases.

R=yhirano@chromium.org
BUG=646277

Review-Url: https://codereview.chromium.org/2333153002
Cr-Commit-Position: refs/heads/master@{#425941}

[delete] https://crrev.com/ecd17f57b2d87cf4ecbeb6bc2c8a44cd6c7df099/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials-expected.txt
[modify] https://crrev.com/131650a98e8d7dc8019b74c6221c8ac3db951c64/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html
[add] https://crrev.com/131650a98e8d7dc8019b74c6221c8ac3db951c64/third_party/WebKit/LayoutTests/http/tests/security/img-redirect-to-crossorigin-credentials.html

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0

commit 64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0
Author: tyoshino <tyoshino@chromium.org>
Date: Wed Dec 07 07:40:09 2016

Stop using ResourceController in ResourceThrottle

The following classes are subclasses of the ResourceController
interface:
- AsyncRevalidationDriver
- DetachableResourceHandler
- InterceptingResourceHandler
- MimeSniffingResourceHandler
- ResourceLoader
- ThrottlingResourceHandler

The following classes out of them sets themselves as the controller for
the next handler:
- DetachableResourceHandler
- InterceptingResourceHandler
- MimeSniffingResourceHandler
- ResourceLoader

Classes implementing LayeredResourceHandler pass the controller given
to SetController() call through to the next handler.

With this mechanism, we can chain handlers, let each handler
communicate defer signal via the ResourceHandler interface methods,
and let the left most handler to propagate cancel/resume signal to the
right most handler (it's ResourceLoader. possibly intercepted by the
4 classes). This is easy to understand.

On the other hand, the AsyncRevalidationDriver and
ThrottlingResourceHandler are diverting the ResourceController
interface for defining their own interface to allow the throttles they
have to resume handlers deferred due to throttling. Not for
communication with the next handler.

Moreover, the ResourceThrottle is exposing the ResourceController
instance to its subclasses and letting them directly operate on the
instance. This is making the ResourceController interface and handler
chain hard to understand e.g. by making the cross reference on
codesearch list a lot of callers.

I'd like to make this cleaner by:
- adding methods on ResourceThrottle that hides the details of
  communication with the associated handler,
- introduce a dedicated interface ResourceThrottle::Delegate between
  the ResourceThrottle and the handlers than diverting the
  ResourceController interface.

Motivation:
- I plan to change AsyncResourceHandler::OnFollowRedirect() to take
  more arguments to reflect changes in parameters made by Blink (See
  crbug.com/646277 and crbug.com/665766 for the details why we need to
  do this).
- I want to construct a path to propagate it to the URLRequest, but
  ResourceController::Resume() is used for various kinds of resuming.
  I want to separate redirect handling logic in Resume() into a separate
  method on ResourceController than adding arguments to Resume().
- Found that ResourceController is used for various purposes. Before
  fixing the issue, I wanted to clean it up for readability.

R=reillyg@chromium.org,boliu@chromium.org,jochen@chromium.org
BUG=646277

Review-Url: https://codereview.chromium.org/2535723005
Cr-Commit-Position: refs/heads/master@{#436889}

[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/android_webview/browser/renderer_host/aw_resource_dispatcher_host_delegate.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/chromeos/login/signin/merge_session_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/component_updater/component_updater_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/download/download_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/download/download_resource_throttle_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/extensions/api/streams_private/streams_private_apitest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/extensions/api/web_navigation/web_navigation_apitest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/extensions/user_script_listener.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/extensions/user_script_listener_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/loader/data_reduction_proxy_resource_throttle_android.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/loader/safe_browsing_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/loader/safe_browsing_resource_throttle.h
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/prerender/prerender_contents.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/prerender/prerender_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/prerender/prerender_resource_throttle.h
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/prerender/prerender_resource_throttle_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/chrome/browser/supervised_user/supervised_user_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/components/web_restrictions/browser/web_restrictions_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/components/web_restrictions/browser/web_restrictions_resource_throttle_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/async_revalidation_driver.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/async_revalidation_driver.h
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/async_revalidation_driver_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/cross_site_resource_handler_browsertest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/navigation_resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/resource_dispatcher_host_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/resource_scheduler.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/resource_scheduler_unittest.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/throttling_resource_handler.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/browser/loader/throttling_resource_handler.h
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/public/browser/resource_throttle.cc
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/content/public/browser/resource_throttle.h
[modify] https://crrev.com/64fa092bc4ccdcb1c0cc08b93d6c1bd49363adb0/extensions/browser/extension_request_limiting_throttle.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3b3ee8e99fca8912ad38f2bdc6137189c5043790

commit 3b3ee8e99fca8912ad38f2bdc6137189c5043790
Author: tyoshino <tyoshino@chromium.org>
Date: Wed Dec 07 16:04:07 2016

Unexport resource_controller.h

This is a follow up for https://codereview.chromium.org/2535723005/
suggested by mmenke@.

ResourceController is no longer used by any file outside of
content/browser/. Move it to content/browser/loader/.

BUG=646277
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2554273002
Cr-Commit-Position: refs/heads/master@{#436967}

[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/BUILD.gn
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/download/download_resource_handler.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/frame_host/navigation_controller_impl_browsertest.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/DEPS
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/async_resource_handler.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/detachable_resource_handler.h
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/intercepting_resource_handler.h
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/intercepting_resource_handler_unittest.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/mime_sniffing_resource_handler.h
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/mime_sniffing_resource_handler_unittest.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/mojo_async_resource_handler.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/mojo_async_resource_handler_unittest.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/navigation_resource_handler.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/redirect_to_file_resource_handler.cc
[rename] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/resource_controller.h
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/resource_loader.h
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/stream_writer.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/browser/loader/throttling_resource_handler.cc
[modify] https://crrev.com/3b3ee8e99fca8912ad38f2bdc6137189c5043790/content/public/browser/BUILD.gn

Is there an actual security bug here?

tyoshino@ already left the project, but I think we still have this problem, credentials are leaked on CORS redirects, and it violates the CORS spec.

Redirect targets were controlled by the server owner. So this wasn't a serious problem, but...

This will be an issue that the OOR-CORS project can help to fix it easily.