
Issue 878339

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 31
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 870173




OOR-CORS: Console errors on blocked resource redirects are missed

Project Member Reported by toyoshim@chromium.org, Aug 28

Issue description

E.g. virtual/outofblink-cors/http/tests/security/img-crossorigin-redirect-anonymous.html


expected:

CONSOLE ERROR: Access to image at 'http://localhost:8000/security/resources/abe.png' (redirected from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/abe.png') from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
CONSOLE ERROR: Access to image at 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/abe-allow-credentials.php' from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
CONSOLE ERROR: Access to image at 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
Testing the handling of CORS-enabled fetch in the presence of 'anonymous' redirects.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".


PASS/FAIL descriptions are of the form, 'CORS request type': 'redirect CORS type' => 'resource'

PASS: Anonymous request: anonymous => no-CORS image resource.
PASS: Anonymous request: anonymous => anonymous-CORS image resource.
PASS: Credentialled request: anonymous => credentialled image resource (same origin.)
PASS: Credentialled request: anonymous => credentialled image resource (cross origin.)
PASS successfullyParsed is true

TEST COMPLETE


actual:

Testing the handling of CORS-enabled fetch in the presence of 'anonymous' redirects.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".


PASS/FAIL descriptions are of the form, 'CORS request type': 'redirect CORS type' => 'resource'

PASS: Anonymous request: anonymous => no-CORS image resource.
PASS: Anonymous request: anonymous => anonymous-CORS image resource.
PASS: Credentialled request: anonymous => credentialled image resource (same origin.)
PASS: Credentialled request: anonymous => credentialled image resource (cross origin.)
PASS successfullyParsed is true

TEST COMPLETE

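The expected console errors above come from the Fetch-spec CORS check being applied to each response in the redirect chain (the redirect response as well as the final one). The following is an added example, not Chromium code: a small Python model of that check which reproduces the two failure wordings shown on this page; the other reasons and the constructed request/response inputs are illustrative, and the Fetch spec's tainted-origin rule for cross-origin redirects is not modelled.

```python
# Added example (not Chromium code): Fetch-spec style CORS check applied hop
# by hop along a redirect chain. Failure wordings for the two cases shown on
# the page are copied from it; the other two reasons are illustrative.

def cors_check(request_origin, credentials_mode, headers):
    """Return None on success, otherwise the reason the check failed."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return ("No 'Access-Control-Allow-Origin' header is present on the "
                "requested resource.")
    if acao == "*":
        if credentials_mode == "include":
            return ("The value of the 'Access-Control-Allow-Origin' header in "
                    "the response must not be the wildcard '*' when the "
                    "request's credentials mode is 'include'.")
        return None
    if acao != request_origin:
        return f"Origin '{request_origin}' is not allowed by '{acao}'."
    if (credentials_mode == "include"
            and h.get("access-control-allow-credentials") != "true"):
        return "Credentials are not allowed by the response."
    return None


def check_redirect_chain(origin, credentials_mode, chain, kind="image"):
    """chain: list of (url, headers) for the first response and each redirect
    target. Returns the console error for the first failing hop, else None."""
    first_url = chain[0][0]
    for url, headers in chain:
        reason = cors_check(origin, credentials_mode, headers)
        if reason is None:
            continue
        via = f" (redirected from '{first_url}')" if url != first_url else ""
        return (f"Access to {kind} at '{url}'{via} from origin '{origin}' "
                f"has been blocked by CORS policy: {reason}")
    return None


# Constructed inputs mirroring the test's first two cases (assumed headers).
ORIGIN = "http://127.0.0.1:8000"
TARGET = "http://localhost:8000/security/resources/abe.png"
REDIRECT = ("http://localhost:8000/security/resources/cors-redirect.php"
            "?mode=anonymous&url=" + TARGET)
# 'anonymous' redirect answers with ACAO '*'; the final image has no ACAO.
CASE_NO_HEADER = [(REDIRECT, {"Access-Control-Allow-Origin": "*"}),
                  (TARGET, {})]
# Same redirect, but the request carries credentials: blocked at the redirect.
CASE_WILDCARD_CREDS = [(REDIRECT, {"Access-Control-Allow-Origin": "*"})]
```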
virtual for security isn't submitted yet, but can you confirm if this is not an intentional change?
That is addressed in https://chromium-review.googlesource.com/c/chromium/src/+/1154246, I think ("Now CORS errors from CORSURLLoader are printed on the devtools console.").
Project Member Comment 3 by bugdroid1@chromium.org, Aug 31

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/61e0b32989f28f831922af32a465030f4c632204

commit 61e0b32989f28f831922af32a465030f4c632204
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Fri Aug 31 03:36:42 2018

Replace CORSStatus with response type

blink::Resource has a field cors_status_ to store the result of CORS
check. This CL replaces the concept with "response type", a concept
defined in the fetch spec as
https://fetch.spec.whatwg.org/#concept-response-type. Actually, that
field has existed for long for service worker, but this CL starts using
it for network fetch. Using response type enables us to have the
consistent logic among several implementations, namely, CORSURLLoader,
ResourceLoader and ThreadableLoader.

https://html.spec.whatwg.org/#cors-same-origin and
https://html.spec.whatwg.org/#cors-cross-origin are now implemented so
various resource clients should use them.

Side effects:
 - blink::ResourceLoader now dispatches a ResourceError with a CORS
   error for CORS violations instead of an abort error.
 - Now CORS errors from CORSURLLoader are printed on the devtools
   console.

Bug: 736308, 878339
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I8777904654c0478d092ad90a2a919d5eb5dcc2bd
Reviewed-on: https://chromium-review.googlesource.com/1154246
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Fredrik Hubinette <hubbe@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#587935}
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/media/blink/BUILD.gn
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/media/blink/DEPS
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/media/blink/resource_multibuffer_data_provider.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/services/network/cors/cors_url_loader.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/services/network/cors/cors_url_loader.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/services/network/public/cpp/cors/cors.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/services/network/public/cpp/cors/cors.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/services/network/public/cpp/cors/cors_unittest.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/core/css/remote_font_face_source.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/core/loader/resource/image_resource.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/core/loader/resource/script_resource.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/core/loader/threadable_loader.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/core/loader/threadable_loader.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/cors/cors.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/cors/cors.h
[delete] https://crrev.com/3279bfda61401e969fa047bbe002c32d46ef9735/third_party/blink/renderer/platform/loader/cors/cors_status.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource_loader.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource_loader_test.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource_response.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/fetch/resource_response.h
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/subresource_integrity.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/subresource_integrity_test.cc
[modify] https://crrev.com/61e0b32989f28f831922af32a465030f4c632204/third_party/blink/renderer/platform/loader/testing/mock_fetch_context.h

Status: Fixed (was: Assigned)
