<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195265] releases/WebKitGTK/webkit-2.10</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195265">195265</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-19 00:59:16 -0800 (Tue, 19 Jan 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/195010">r195010</a> - Fix problems with cross-origin redirects
https://bugs.webkit.org/show_bug.cgi?id=116075

Reviewed by Daniel Bates.

LayoutTests/imported/w3c:

Rebasing test expectations.
These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not.

* web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:

Source/WebCore:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses.
Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request.

In addition to Blink patch, it was needed to update some loaders with the newly introduced ClientRequestedCredentials parameter.
Added the clearing of &quot;Accept-Encoding&quot; header from cross-origin requests as Mac HTTP network layer is adding it for same-origin requests.

Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch).
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch).
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::start):
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter.
* loader/ResourceLoaderOptions.h:
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch).
(WebCore::ResourceLoaderOptions::credentialRequest):
(WebCore::ResourceLoaderOptions::setCredentialRequest):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto.
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto.
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Added new security parameter.
* page/EventSource.cpp:
(WebCore::EventSource::connect): Added new security parameter (from Blink patch).
* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter.
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Ditto.
* platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch).
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove &quot;Accept-Encoding&quot; header.
* platform/network/ResourceRequestBase.h: Ditto.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::createRequest): Added new security parameter.

LayoutTests:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
This merge adds tests for cross origin requests triggered from same origin redirection responses with and without credentials.
Rebaseline of some tests due to console error messages generated from newly hit CORS checks.

* TestExpectations: Disabled WPT tests that require access to non localhost URLs which are currently blocked by DTR/WTR.
* http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async.html:
* http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects.html:
* http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt:
* http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added.
* http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:</pre>
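The redirect handling described in the log message, as an added example that is not WebKit code and not part of the commit: a small model of which responses get a CORS access check when a same-origin XHR is redirected to another origin, run over the six cases of the added layout test. The page URL, the header sets of the three target CGIs (inferred from the test's comments) and all function names are assumptions; the legacyRedirectCheck flag models the pre-fix behaviour the log message describes.

```javascript
// Added illustration, not WebKit code.
const PAGE_URL = "http://127.0.0.1:8000/xmlhttprequest/test.html"; // assumed test page URL
const PAGE_ORIGIN = new URL(PAGE_URL).origin;
const MAX_HOPS = 5;

// CORS access check on one response. The wildcard and credentials reasons are the
// CONSOLE MESSAGE texts from the added -expected.txt; the origin-mismatch reason
// is constructed wording.
function corsAccessCheck(headers, requestOrigin, credentialsFlag) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === "*") {
    if (credentialsFlag) {
      return { allowed: false, reason: "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true." };
    }
    return { allowed: true, reason: null };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: "Origin is not allowed by Access-Control-Allow-Origin." };
  }
  if (credentialsFlag) {
    if (headers["access-control-allow-credentials"] !== "true") {
      return { allowed: false, reason: 'Credentials flag is true, but Access-Control-Allow-Credentials is not "true".' };
    }
  }
  return { allowed: true, reason: null };
}

// Follows redirects for one XHR. A response is CORS-checked only when the request
// that produced it was cross-origin, and the credentials flag used for that check
// is what the client asked for (xhr.withCredentials).
function xhrLoad(url, withCredentials, server, legacyRedirectCheck) {
  let current = new URL(url, PAGE_URL);
  for (let hop = 0; hop !== MAX_HOPS; hop += 1) {
    const requestIsCrossOrigin = current.origin !== PAGE_ORIGIN;
    const response = server(current);
    if (response === undefined) return { ok: false, reason: "network error" };

    if (typeof response.location === "string") {
      if (requestIsCrossOrigin) {
        // Redirects received on a cross-origin request have further rules
        // that this model leaves out.
        return { ok: false, reason: "redirect of a cross-origin request is outside this model" };
      }
      const next = new URL(response.location, current);
      if (legacyRedirectCheck === true) {
        // Pre-fix behaviour per the log message: a same-origin redirect response
        // that leads cross-origin was checked as a cross-origin response.
        if (next.origin !== PAGE_ORIGIN) {
          const verdict = corsAccessCheck(response.headers, PAGE_ORIGIN, withCredentials);
          if (!verdict.allowed) return { ok: false, reason: verdict.reason };
        }
      }
      current = next;
      continue;
    }

    if (requestIsCrossOrigin) {
      const verdict = corsAccessCheck(response.headers, PAGE_ORIGIN, withCredentials);
      if (!verdict.allowed) return { ok: false, reason: verdict.reason };
    }
    return { ok: true, body: response.body };
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed stand-in for the test server. Header sets are assumptions that
// follow the comments in the added layout test.
const TARGETS = {
  "access-control-basic-allow-star.cgi": {
    headers: { "access-control-allow-origin": "*" }, body: "PASS" },
  "access-control-basic-allow.cgi": {
    headers: { "access-control-allow-origin": PAGE_ORIGIN, "access-control-allow-credentials": "true" }, body: "PASS" },
  "access-control-basic-allow-no-credentials.cgi": {
    headers: { "access-control-allow-origin": PAGE_ORIGIN }, body: "PASS" },
};

function constructedServer(url) {
  const file = url.pathname.split("/").pop();
  if (file === "redirect.php") {
    // Same-origin redirector: no CORS headers, Location taken from ?url=
    return { headers: {}, location: url.searchParams.get("url") };
  }
  return TARGETS[file];
}

const REDIRECT = "../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/";

function runCase(target, withCredentials, legacyRedirectCheck) {
  return xhrLoad(REDIRECT + target, withCredentials, constructedServer, legacyRedirectCheck);
}

for (const target of Object.keys(TARGETS)) {
  for (const credentials of [false, true]) {
    const result = runCase(target, credentials, false);
    console.log(target, credentials ? "with" : "without", "credentials:", result.ok ? "allowed" : result.reason);
  }
}
```

With legacyRedirectCheck set to true every case fails at the redirect hop, because the redirector's response carries no CORS headers.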

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasynchtml">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectshtml">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossorigin2expectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossoriginexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossoriginpostexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossorigintripmineexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestxmlhttprequestunsaferedirectexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestsimportedw3cChangeLog">releases/WebKitGTK/webkit-2.10/LayoutTests/imported/w3c/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderDocumentLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderDocumentThreadableLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderMediaResourceLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/MediaResourceLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderNetscapePlugInStreamLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NetscapePlugInStreamLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderResourceLoaderOptionsh">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/ResourceLoaderOptions.h</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloadercacheCachedResourceLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloadericonIconLoadercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/icon/IconLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCorepageEventSourcecpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/page/EventSource.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceHandleTypesh">releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceHandleTypes.h</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceRequestBasecpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceRequestBaseh">releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.h</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCorexmlXMLHttpRequestcpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/xml/XMLHttpRequest.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncsameoriginexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncsameoriginhtml">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestresourcesaccesscontrolbasicallownocredentialscgi">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit210LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-01-14  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
+        This merge adds tests for cross origin requests triggered from same origin redirection responses with and without credentials).
+        Rebaseline of some tests due to console error messages generated from newly hit CORS checks.
+
+        * TestExpectations: Disabled WPT tests that require access to non localhost URLs which are currently blocked by DTR/WTR.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async.html:
+        * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects.html:
+        * http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt:
+        * http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added.
+        * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
+
</ins><span class="cx"> 2016-01-13  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [XSS Auditor] Do not include trailing comment characters in JavaScript snippets
</span></span></pre></div>
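Review bot: The added ChangeLog entry has a stray closing parenthesis in "with and without credentials)." and writes the harness names as "DTR/WTR" in the TestExpectations line, while the imported/w3c part of the log message writes "WTR/DRT"; drop the parenthesis and use one spelling. The TestExpectations line also says WPT tests were disabled without naming them or a bug to track re-enabling, which makes the skip hard to revisit.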
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,33 +1,24 @@
</span><span class="cx"> Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
</span><span class="cx"> 
</span><del>-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=http://localhost:8000&amp;  access-control-allow-credentials=true
-Expecting success: false
-PASS: 0
-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&amp;  access-control-allow-origin=http://localhost:8000&amp;  access-control-allow-credentials=true
-Expecting success: false
-PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi
-Expecting success: false
-PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=http://localhost:8000
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=http://localhost:8000 without credentials
</ins><span class="cx"> Expecting success: true
</span><span class="cx"> FAIL: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=http://localhost:8000
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=http://localhost:8000 without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&amp;  access-control-allow-origin=http://localhost:8000
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&amp;  access-control-allow-origin=http://localhost:8000 without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&amp;  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=*
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&amp;  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=* without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&amp;  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=*&amp;  access-control-allow-headers=x-webkit
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&amp;  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;  access-control-allow-origin=*&amp;  access-control-allow-headers=x-webkit without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt
</del><ins>+Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt without credentials
</ins><span class="cx"> Expecting success: true
</span><span class="cx"> PASS: PASS
</span><span class="cx"> 
</span></span></pre></div>
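Review bot: The rebaselined expectation for the redirect carrying access-control-allow-origin=http://localhost:8000 still reads "Expecting success: true" followed by "FAIL: 0", so the baseline records a known failure as the expected result. The FIXME added in access-control-and-redirects-async.html says the redirect is vetoed; a bug reference next to that FIXME would keep this line from being kept indefinitely. Every remaining case in this file runs "without credentials", so a cross-origin request that is redirected with credentials has no coverage here.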
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncsameoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt (0 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi. Credentials flag is true, but Access-Control-Allow-Credentials is not &quot;true&quot;.
+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi with credentials
+Expecting success: false
+PASS: 0
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi with credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi with credentials
+Expecting success: false
+PASS: 0
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncsameoriginhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html (0 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -0,0 +1,88 @@
</span><ins>+&lt;p&gt;Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.&lt;/p&gt;
+
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(message)
+{
+    document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
+}
+
+function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
+    log(&quot;Testing &quot; + url + (credentials ? &quot; with &quot; : &quot; without &quot;) + &quot;credentials&quot;);
+    log(&quot;Expecting success: &quot; + expectSuccess);
+
+    xhr = new XMLHttpRequest();
+    xhr.withCredentials = credentials;
+    xhr.open(&quot;GET&quot;, url, true);
+    if (addCustomHeader)
+        xhr.setRequestHeader(&quot;x-webkit&quot;, &quot;foo&quot;);
+
+    xhr.onload = function() {
+        log((expectSuccess ? &quot;PASS&quot; : &quot;FAIL&quot;) + &quot;: &quot; + xhr.responseText);
+        nextTest();
+    }
+    xhr.onerror = function() {
+        log((expectSuccess ? &quot;FAIL&quot; : &quot;PASS&quot;) + &quot;: &quot; + xhr.status);
+        nextTest();
+    }
+    xhr.send(null);
+}
+
+var withoutCredentials = false;
+var withCredentials = true;
+var noCustomHeader = false;
+var addCustomHeader = true;
+var succeeds = true;
+var fails = false;
+
+var tests = [
+// Test simple same origin requests that receive cross origin redirects.
+
+// Request without credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
+// The redirect response passes the access check.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&quot;,
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
+// The redirect response fails the access check because credentials were sent.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&quot;,
+  withCredentials, noCustomHeader, fails],
+
+// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
+// The redirect response passes the access check.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;,
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
+// The redirect response passes the access check.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;,
+  withCredentials, noCustomHeader, succeeds],
+
+// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
+// forbidding credentials. The redirect response passes the access check.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi&quot;,
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
+// forbidding credentials. The redirect response fails the access check.
+[&quot;../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi&quot;,
+  withCredentials, noCustomHeader, fails],
+
+]
+
+var currentTest = 0;
+
+function nextTest() {
+    if (currentTest &lt; tests.length)
+        runTestAsync.apply(null, tests[currentTest++]);
+    else if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+nextTest();
+&lt;/script&gt;
</ins></span></pre></div>
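Review bot: All six entries in the tests array pass noCustomHeader, so the preflighted path is never exercised after a same-origin redirect to a cross-origin target; add at least one addCustomHeader case, with and without credentials. In runTestAsync, "xhr = new XMLHttpRequest();" assigns an implicit global and the addCustomHeader parameter shadows the global variable of the same name; declare xhr with var and rename the parameter. The onerror branch logs only xhr.status, so the two expected failures are indistinguishable in the test output except through the CONSOLE MESSAGE lines.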
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasynchtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -12,11 +12,12 @@
</span><span class="cx">     document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-function runTestAsync(url, addCustomHeader, expectSuccess) {
-    log(&quot;Testing &quot; + url);
</del><ins>+function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
+    log(&quot;Testing &quot; + url + (credentials ? &quot; with &quot; : &quot; without &quot;) + &quot;credentials&quot;);
</ins><span class="cx">     log(&quot;Expecting success: &quot; + expectSuccess);
</span><span class="cx"> 
</span><span class="cx">     xhr = new XMLHttpRequest();
</span><ins>+    xhr.withCredentials = credentials;
</ins><span class="cx">     xhr.open(&quot;GET&quot;, url, true);
</span><span class="cx">     if (addCustomHeader)
</span><span class="cx">         xhr.setRequestHeader(&quot;x-webkit&quot;, &quot;foo&quot;);
</span><span class="lines">@@ -32,72 +33,57 @@
</span><span class="cx">     xhr.send(null);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+var withoutCredentials = false;
+var withCredentials = true;
</ins><span class="cx"> var noCustomHeader = false;
</span><span class="cx"> var addCustomHeader = true;
</span><span class="cx"> var succeeds = true;
</span><span class="cx"> var fails = false;
</span><span class="cx"> 
</span><span class="cx"> var tests = [
</span><del>-// 1) Test simple same origin requests that receive cross origin redirects.
</del><ins>+// 1) Test simple cross origin requests that receive redirects.
</ins><span class="cx"> 
</span><del>-// Request receives a cross-origin redirect response without CORS headers. The redirect response fails the access check.
-[&quot;resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&quot;,
-  noCustomHeader, fails],
-
-// Request receives a cross-origin redirect response with CORS headers. The redirect response passes the access check,
-// but  the resource response fails its access check because the security origin is a globally unique identifier after
-// the redirect and the same origin XHR has 'allowCredentials' true.
-[&quot;resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;\
-  access-control-allow-origin=http://localhost:8000&amp;\
-  access-control-allow-credentials=true&quot;,
-  noCustomHeader, fails],
-
-// Same as above, but to a less permissive resource that only allows the requesting origin.
-[&quot;resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&amp;\
-  access-control-allow-origin=http://localhost:8000&amp;\
-  access-control-allow-credentials=true&quot;,
-  noCustomHeader, fails],
-
-// 2) Test simple cross origin requests that receive redirects.
-
</del><span class="cx"> // Receives a redirect response without CORS headers. The redirect response fails the access check.
</span><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&quot;,
</span><del>-  noCustomHeader, fails],
</del><ins>+  withoutCredentials, noCustomHeader, fails],
</ins><span class="cx"> 
</span><span class="cx"> // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
</span><span class="cx"> // passes the access check.
</span><ins>+// FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original
+// request was cross-origin.
</ins><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;\
</span><span class="cx">   access-control-allow-origin=http://localhost:8000&quot;,
</span><del>-  noCustomHeader, succeeds],
</del><ins>+  withoutCredentials, noCustomHeader, succeeds],
</ins><span class="cx"> 
</span><span class="cx"> // Receives a redirect response with a URL containing the userinfo production.
</span><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;\
</span><span class="cx">   access-control-allow-origin=http://localhost:8000&quot;,
</span><del>-  noCustomHeader, fails],
</del><ins>+  withoutCredentials, noCustomHeader, fails],
</ins><span class="cx"> 
</span><span class="cx"> // Receives a redirect response with a URL with an unsupported scheme.
</span><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&amp;\
</span><span class="cx">   access-control-allow-origin=http://localhost:8000&quot;,
</span><del>-  noCustomHeader, fails],
</del><ins>+  withoutCredentials, noCustomHeader, fails],
</ins><span class="cx"> 
</span><del>-// 3) Test preflighted cross origin requests that receive redirects.
</del><ins>+// 2) Test preflighted cross origin requests that receive redirects.
</ins><span class="cx"> 
</span><span class="cx"> // Receives a redirect response to the preflight request and fails.
</span><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&amp;\
</span><span class="cx">   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;\
</span><span class="cx">   access-control-allow-origin=*&quot;,
</span><del>-  addCustomHeader, fails],
</del><ins>+  withoutCredentials, addCustomHeader, fails],
</ins><span class="cx"> 
</span><span class="cx"> // Successful preflight and receives a redirect response to the actual request and fails.
</span><span class="cx"> [&quot;http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&amp;\
</span><span class="cx">   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&amp;\
</span><span class="cx">   access-control-allow-origin=*&amp;\
</span><span class="cx">   access-control-allow-headers=x-webkit&quot;,
</span><del>-  addCustomHeader, fails],
</del><ins>+  withoutCredentials, addCustomHeader, fails],
</ins><span class="cx"> 
</span><del>-// 4) Test same origin requests with a custom header that receive a same origin redirect.
</del><ins>+// 3) Test same origin requests with a custom header that receive a same origin redirect.
</ins><span class="cx"> [&quot;resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt&quot;,
</span><del>-  addCustomHeader, succeeds],
</del><ins>+  withoutCredentials, addCustomHeader, succeeds],
+
</ins><span class="cx"> ]
</span><span class="cx"> 
</span><span class="cx"> var currentTest = 0;
</span></span></pre></div>
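Review bot: The three same-origin entries deleted from the old section 1 all asserted fails, and nothing in this hunk replaces them, so please confirm each one reappears in access-control-and-redirects-async-same-origin.html (the test named in the WebCore ChangeLog) with an explicit expected result. The added FIXME says the second cross-origin entry fails because the redirect is vetoed, yet the entry still ends in succeeds; put a bug number in the FIXME so the known failure can be tracked. withCredentials is declared at the top of the hunk but every entry visible here passes withoutCredentials, and the blank line added just before the closing ] can go.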
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -6,8 +6,9 @@
</span><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
</span><span class="cx"> Testing /resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi(async)
</span><del>-Expecting success: false
-PASS: 0
</del><ins>+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
</ins><span class="cx"> Testing http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi (sync)
</span><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
</span></span></pre></div>
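Review bot: The new expected line reads "PASS: PASS: Cross-domain access allowed." and is followed by an added blank line; the doubled prefix makes a scan of the results for failures harder to trust. If the second PASS: is the response body being echoed, log it under a different label or say so in a comment in the test.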
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestaccesscontrolandredirectshtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> var tests = [
</span><del>-    [&quot;/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;, false, false],
</del><ins>+    [&quot;/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;, false, true],
</ins><span class="cx">     [&quot;http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;, false, false],
</span><span class="cx">     [&quot;http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&quot;, false, false]
</span><span class="cx"> ]
</span></span></pre></div>
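Review bot: The first entry's expected result flips from false to true with no comment, and the bare false, true pair does not tell a reader which value is the expected outcome. This is the one entry where the old behaviour (blocking a same-origin request redirected to localhost:8000) is reversed, so a one-line comment on it saying that the redirect target's CORS response now decides the outcome would help, as would named constants like the succeeds and fails variables used in the async test.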
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossorigin2expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,4 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</ins><span class="cx"> Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
</span><span class="cx"> 
</span><span class="cx"> PASS
</span></span></pre></div>
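Review bot: The new CONSOLE MESSAGE names reply.xml and the Access-Control-Allow-Origin failure, while the test's own description promises that a responding target is indistinguishable from one that does not respond. The unchanged PASS line shows script still cannot tell the two apart, but the ChangeLog should state that the difference is confined to the console, and it is worth checking what is logged for the non-responding case.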
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,4 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</ins><span class="cx"> Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
</span><span class="cx"> 
</span><span class="cx"> PASS
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossoriginpostexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,4 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</ins><span class="cx"> Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
</span><span class="cx"> 
</span><span class="cx"> PASS
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestredirectcrossorigintripmineexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</ins><span class="cx"> Test that a cross-origin redirect does not result in a non-simple request being sent to the target.
</span><span class="cx"> 
</span><span class="cx"> Asynchronous XMLHttpRequest 307 POST redirect:
</span></span></pre></div>
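Review bot: Ten identical messages now report that redirect-cross-origin-tripmine.php could not be loaded because of Access-Control-Allow-Origin, which reads as the loader evaluating a response from the target instead of stopping at the redirect. This test exists to show that no non-simple request reaches the target, so please confirm that whatever now reaches tripmine.php in each of the ten cases is at most a simple request or a preflight, and say so in the ChangeLog since the rest of the expectation is untouched.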
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestresourcesaccesscontrolbasicallownocredentialscgi"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi (0 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi                                (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/plain\n&quot;;
+print &quot;Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n&quot;;
+
+print &quot;PASS: Cross-domain access allowed.\n&quot;;
</ins><span class="cx">Property changes on: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
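Review bot: The script hard-codes http://127.0.0.1:8000 as the allowed origin and sends no Access-Control-Allow-Credentials header, but nothing in the file says that the omission is the point of the resource. A short comment after "use strict;" would stop a later cleanup from adding the header and silently changing what the credential tests measure.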
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestsxmlhttprequestxmlhttprequestunsaferedirectexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,4 @@
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</ins><span class="cx"> This tests that unsafe redirects won't be allowed when making an XMLHttpRequest.
</span><span class="cx"> Sync XHR started.
</span><span class="cx"> readyState change 1
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestsimportedw3cChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/imported/w3c/ChangeLog (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/imported/w3c/ChangeLog        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/imported/w3c/ChangeLog        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2016-01-14  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Rebasing test expectations.
+        These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not.
+
+        * web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:
+        * web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:
+        * web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:
+
</ins><span class="cx"> 2015-12-09  Keith Rollin  &lt;krollin@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         form.elements should reflect the element ordering after the HTML tree builder algorithm
</span></span></pre></div>
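Review bot: The entry rebaselines three web-platform-tests while stating that they cannot work because WTR/DRT block www2.localhost and example.not, so the new -expected.txt files record the output of loads that were blocked by the test runner. Consider marking them in TestExpectations with a bug link instead, so that a baseline of a blocked load is not mistaken for coverage of the redirect fix.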
<a id="releasesWebKitGTKwebkit210SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1,3 +1,49 @@
</span><ins>+2016-01-14  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
+        Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses.
+        Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request.
+
+        In addition to Blink patch, it was needed to update some loaders with the newly introduced ClientRequestedCredentials parameter.
+        Added the clearing of &quot;Accept-Encoding&quot; header from cross-origin requests as Mac HTTP network layer is adding it for same-origin requests.
+
+        Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch).
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch).
+        * loader/MediaResourceLoader.cpp:
+        (WebCore::MediaResourceLoader::start):
+        * loader/NetscapePlugInStreamLoader.cpp:
+        (WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter.
+        * loader/ResourceLoaderOptions.h:
+        (WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch).
+        (WebCore::ResourceLoaderOptions::credentialRequest):
+        (WebCore::ResourceLoaderOptions::setCredentialRequest):
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto.
+        (WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto.
+        * loader/icon/IconLoader.cpp:
+        (WebCore::IconLoader::startLoading): Added new security parameter.
+        * page/EventSource.cpp:
+        (WebCore::EventSource::connect): Added new security parameter (from Blink patch).
+        * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
+        (WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter.
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::startLoading): Ditto.
+        * platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch).
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove &quot;Accept-Encoding&quot; header.
+        * platform/network/ResourceRequestBase.h: Ditto.
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::createRequest): Added new security parameter.
+
</ins><span class="cx"> 2016-01-13  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Cleanup: XSS Auditor should avoid re-evaluating the parsed script tag
</span></span></pre></div>
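Review bot: Only one test is listed, an XMLHttpRequest one, while the entry also touches EventSource::connect and the media, icon and plug-in loaders. The Accept-Encoding clearing is justified by Mac network layer behaviour alone; please say whether it was checked on the port this release branch ships, and whether any of the non-XHR call sites that received the new parameter is exercised by an existing test.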
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -1456,7 +1456,7 @@
</span><span class="cx">     // If this is a reload the cache layer might have made the previous request conditional. DocumentLoader can't handle 304 responses itself.
</span><span class="cx">     request.makeUnconditional();
</span><span class="cx"> 
</span><del>-    static NeverDestroyed&lt;ResourceLoaderOptions&gt; mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck);
</del><ins>+    static NeverDestroyed&lt;ResourceLoaderOptions&gt; mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck);
</ins><span class="cx">     CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions);
</span><span class="cx">     cachedResourceRequest.setInitiator(*this);
</span><span class="cx">     m_mainResource = m_cachedResourceLoader-&gt;requestMainResource(cachedResourceRequest);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentThreadableLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -182,7 +182,8 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
</span><del>-    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check.
</del><ins>+    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
+    // original request was not same-origin.
</ins><span class="cx">     if (m_options.crossOriginRequestPolicy == UseAccessControl) {
</span><span class="cx">         bool allowRedirect = false;
</span><span class="cx">         if (m_simpleRequest) {
</span><span class="lines">@@ -190,7 +191,7 @@
</span><span class="cx">             allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
</span><span class="cx">                             &amp;&amp; request.url().user().isEmpty()
</span><span class="cx">                             &amp;&amp; request.url().pass().isEmpty()
</span><del>-                            &amp;&amp; passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription);
</del><ins>+                            &amp;&amp; (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription));
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (allowRedirect) {
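Review bot: With "m_sameOriginRequest ||" in front, the redirect response is no longer checked at all
for a same-origin request, so the only remaining gate is the CORS check on the final response. That is
sound only while the flag describes the hop that produced redirectResponse; a layout test with a chained
redirect (same-origin, then cross-origin, then cross-origin again) would pin down that the second hop is
checked once the flag has been cleared.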
</span><span class="lines">@@ -199,18 +200,26 @@
</span><span class="cx"> 
</span><span class="cx">             RefPtr&lt;SecurityOrigin&gt; originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
</span><span class="cx">             RefPtr&lt;SecurityOrigin&gt; requestOrigin = SecurityOrigin::createFromString(request.url());
</span><del>-            // If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier.
-            if (!originalOrigin-&gt;isSameSchemeHostPort(requestOrigin.get()))
</del><ins>+            // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
+            // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
+            // should be the original URL origin.)
+            if (!m_sameOriginRequest &amp;&amp; !originalOrigin-&gt;isSameSchemeHostPort(requestOrigin.get()))
</ins><span class="cx">                 m_options.securityOrigin = SecurityOrigin::createUnique();
</span><del>-            // Force any subsequent requests to use these checks.
</del><ins>+            // Force any subsequent request to use these checks.
</ins><span class="cx">             m_sameOriginRequest = false;
</span><span class="cx"> 
</span><ins>+            // Since the request is no longer same-origin, if the user didn't request credentials in
+            // the first place, update our state so we neither request them nor expect they must be allowed.
+            if (m_options.credentialRequest() == ClientDidNotRequestCredentials)
+                m_options.setAllowCredentials(DoNotAllowStoredCredentials);
+
</ins><span class="cx">             // Remove any headers that may have been added by the network layer that cause access control to fail.
</span><span class="cx">             request.clearHTTPContentType();
</span><span class="cx">             request.clearHTTPReferrer();
</span><span class="cx">             request.clearHTTPOrigin();
</span><span class="cx">             request.clearHTTPUserAgent();
</span><span class="cx">             request.clearHTTPAccept();
</span><ins>+            request.clearHTTPAcceptEncoding();
</ins><span class="cx">             makeCrossOriginAccessRequest(request);
</span><span class="cx">             return;
</span><span class="cx">         }
</span></span></pre></div>
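Review bot: The credential downgrade keys on credentialRequest() alone, so a caller left at ClientRequestedCredentials keeps AllowStoredCredentials when its same-origin request is redirected to another origin, and because of the added "!m_sameOriginRequest" test it now does so with the real security origin instead of a unique one. Please confirm that XMLHttpRequest::createRequest passes ClientRequestedCredentials only when the page set withCredentials. The rewritten comment also speaks of the original request while the code tests m_sameOriginRequest, which is cleared two lines later; wording it as the request that received this redirect would match the code.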
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderMediaResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/MediaResourceLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/MediaResourceLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/MediaResourceLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx">     StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalIgnoringCase(m_crossOriginMode, &quot;use-credentials&quot;) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
</span><span class="cx"> 
</span><span class="cx">     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
</span><del>-    CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck));
</del><ins>+    CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck));
</ins><span class="cx"> 
</span><span class="cx">     if (!m_crossOriginMode.isNull())
</span><span class="cx">         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
</span></span></pre></div>
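Review bot: allowCredentials can be AllowStoredCredentials here (cross-origin mode absent or use-credentials), but the new argument is hard-coded to ClientDidNotRequestCredentials. In DocumentThreadableLoader that value is what triggers dropping stored credentials after a redirect, so either derive it from m_crossOriginMode the same way allowCredentials is derived, or add a comment saying the flag is not consulted on this load path.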
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderNetscapePlugInStreamLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NetscapePlugInStreamLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NetscapePlugInStreamLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NetscapePlugInStreamLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx"> // FIXME: Skip Content Security Policy check when associated plugin element is in a user agent shadow tree.
</span><span class="cx"> // See &lt;https://bugs.webkit.org/show_bug.cgi?id=146663&gt;.
</span><span class="cx"> NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client)
</span><del>-    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck))
</del><ins>+    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck))
</ins><span class="cx">     , m_client(client)
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(CONTENT_EXTENSIONS)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderResourceLoaderOptionsh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/ResourceLoaderOptions.h (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/ResourceLoaderOptions.h        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/ResourceLoaderOptions.h        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -78,18 +78,20 @@
</span><span class="cx">         , m_dataBufferingPolicy(BufferData)
</span><span class="cx">         , m_allowCredentials(DoNotAllowStoredCredentials)
</span><span class="cx">         , m_clientCredentialPolicy(DoNotAskClientForAnyCredentials)
</span><ins>+        , m_credentialRequest(ClientDidNotRequestCredentials)
</ins><span class="cx">         , m_securityCheck(DoSecurityCheck)
</span><span class="cx">         , m_requestOriginPolicy(UseDefaultOriginRestrictionsForType)
</span><span class="cx">         , m_certificateInfoPolicy(DoNotIncludeCertificateInfo)
</span><span class="cx">     {
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition)
</del><ins>+    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, CredentialRequest credentialRequest, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition)
</ins><span class="cx">         : m_sendLoadCallbacks(sendLoadCallbacks)
</span><span class="cx">         , m_sniffContent(sniffContent)
</span><span class="cx">         , m_dataBufferingPolicy(dataBufferingPolicy)
</span><span class="cx">         , m_allowCredentials(allowCredentials)
</span><span class="cx">         , m_clientCredentialPolicy(credentialPolicy)
</span><ins>+        , m_credentialRequest(credentialRequest)
</ins><span class="cx">         , m_securityCheck(securityCheck)
</span><span class="cx">         , m_requestOriginPolicy(requestOriginPolicy)
</span><span class="cx">         , m_certificateInfoPolicy(certificateInfoPolicy)
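Review bot: The full constructor in this hunk now takes ten positional enum arguments, with CredentialRequest inserted in the middle of the list, so a reader of a call site cannot tell which credential behaviour is selected without counting arguments. Consider having callers set the new value by name through setCredentialRequest(), as the EventSource.cpp and XMLHttpRequest.cpp hunks do, instead of extending the positional list.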
</span><span class="lines">@@ -107,6 +109,8 @@
</span><span class="cx">     void setAllowCredentials(StoredCredentials allow) { m_allowCredentials = allow; }
</span><span class="cx">     ClientCredentialPolicy clientCredentialPolicy() const { return static_cast&lt;ClientCredentialPolicy&gt;(m_clientCredentialPolicy); }
</span><span class="cx">     void setClientCredentialPolicy(ClientCredentialPolicy policy) { m_clientCredentialPolicy = policy; }
</span><ins>+    CredentialRequest credentialRequest() { return static_cast&lt;CredentialRequest&gt;(m_credentialRequest); }
+    void setCredentialRequest(CredentialRequest credentialRequest) { m_credentialRequest = credentialRequest; }
</ins><span class="cx">     SecurityCheckPolicy securityCheck() const { return static_cast&lt;SecurityCheckPolicy&gt;(m_securityCheck); }
</span><span class="cx">     void setSecurityCheck(SecurityCheckPolicy check) { m_securityCheck = check; }
</span><span class="cx">     RequestOriginPolicy requestOriginPolicy() const { return static_cast&lt;RequestOriginPolicy&gt;(m_requestOriginPolicy); }
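Review bot: credentialRequest() on the first added line is not const-qualified, unlike clientCredentialPolicy() and securityCheck() around it, so it cannot be called through a const ResourceLoaderOptions reference such as the one defaultCachedResourceOptions() returns. Suggest declaring it as CredentialRequest credentialRequest() const.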
</span><span class="lines">@@ -121,6 +125,7 @@
</span><span class="cx">     unsigned m_dataBufferingPolicy : 1;
</span><span class="cx">     unsigned m_allowCredentials : 1; // Whether HTTP credentials and cookies are sent with the request.
</span><span class="cx">     unsigned m_clientCredentialPolicy : 2; // When we should ask the client for credentials (if we allow credentials at all).
</span><ins>+    unsigned m_credentialRequest: 1; // Whether the client (e.g. XHR) wanted credentials in the first place.
</ins><span class="cx">     unsigned m_securityCheck : 1;
</span><span class="cx">     unsigned m_requestOriginPolicy : 2;
</span><span class="cx">     unsigned m_certificateInfoPolicy : 1; // Whether the response should include certificate info.
</span></span></pre></div>
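Review bot: The added m_credentialRequest: 1 line has no space before the colon, while every neighbouring bitfield is written as name : width; please match the surrounding style. A width of 1 also holds exactly the two current CredentialRequest enumerators, so a third value added later would be truncated silently when stored; a short comment or a static_assert tying the width to the enum would guard against that.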
<a id="releasesWebKitGTKwebkit210SourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/cache/CachedResourceLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -233,7 +233,7 @@
</span><span class="cx">     memoryCache.add(*userSheet);
</span><span class="cx">     // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
</span><span class="cx"> 
</span><del>-    userSheet-&gt;load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck));
</del><ins>+    userSheet-&gt;load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck));
</ins><span class="cx">     
</span><span class="cx">     return userSheet;
</span><span class="cx"> }
</span><span class="lines">@@ -1138,7 +1138,7 @@
</span><span class="cx"> 
</span><span class="cx"> const ResourceLoaderOptions&amp; CachedResourceLoader::defaultCachedResourceOptions()
</span><span class="cx"> {
</span><del>-    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck);
</del><ins>+    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck);
</ins><span class="cx">     return options;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
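Review bot: defaultCachedResourceOptions() in this hunk, like the user style sheet load in the hunk above it, passes ClientRequestedCredentials even though no script-facing API made a credentials choice for these loads, while the field comment in ResourceLoaderOptions.h describes the value as whether the client (e.g. XHR) wanted credentials. Please add a comment here or on the enum stating which value loaders without such an API are expected to pass; from this diff it appears to follow AllowStoredCredentials versus DoNotAllowStoredCredentials, as in IconLoader.cpp, but that is not written down anywhere.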
<a id="releasesWebKitGTKwebkit210SourceWebCoreloadericonIconLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/icon/IconLoader.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/icon/IconLoader.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/icon/IconLoader.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
</span><del>-    CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck));
</del><ins>+    CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck));
</ins><span class="cx"> 
</span><span class="cx">     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
</span><span class="cx">     request.setInitiator(cachedResourceRequestInitiators().icon);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCorepageEventSourcecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/page/EventSource.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/page/EventSource.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/page/EventSource.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -126,6 +126,7 @@
</span><span class="cx">     options.setSendLoadCallbacks(SendCallbacks);
</span><span class="cx">     options.setSniffContent(DoNotSniffContent);
</span><span class="cx">     options.setAllowCredentials((origin-&gt;canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
</span><ins>+    options.setCredentialRequest(m_withCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
</ins><span class="cx">     options.preflightPolicy = PreventPreflight;
</span><span class="cx">     options.crossOriginRequestPolicy = UseAccessControl;
</span><span class="cx">     options.setDataBufferingPolicy(DoNotBufferData);
</span></span></pre></div>
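Review bot: The added setCredentialRequest() line depends only on m_withCredentials, while the setAllowCredentials() line just above it also allows credentials when the origin can request m_url, so a same-origin request without withCredentials ends up with AllowStoredCredentials together with ClientDidNotRequestCredentials. That matches the CredentialRequest comment in ResourceHandleTypes.h, but a one-line comment here saying the two values are expected to differ in the same-origin case would stop a later cleanup from collapsing them into one expression.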
<a id="releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceHandleTypesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceHandleTypes.h (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceHandleTypes.h        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceHandleTypes.h        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -39,6 +39,15 @@
</span><span class="cx">     DoNotAskClientForAnyCredentials
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+// APIs like XMLHttpRequest and EventSource let the user decide
+// whether to send credentials, but they're always sent for
+// same-origin requests. Additional information is needed to handle
+// cross-origin redirects correctly.
+enum CredentialRequest {
+    ClientRequestedCredentials,
+    ClientDidNotRequestCredentials
+};
+
</ins><span class="cx"> } // namespace WebCore
</span><span class="cx"> 
</span><span class="cx"> #endif // ResourceHandleTypes_h
</span></span></pre></div>
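Review bot: The comment above enum CredentialRequest says additional information is needed to handle cross-origin redirects correctly, but it does not say what a consumer should do with that information. Please state the rule in the comment, that is, how each enumerator is meant to change credential handling when a redirect crosses origins, so the enum can be understood without reading the loader code.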
<a id="releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceRequestBasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -378,6 +378,16 @@
</span><span class="cx">         m_platformRequestUpdated = false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ResourceRequestBase::clearHTTPAcceptEncoding()
+{
+    updateResourceRequest();
+
+    m_httpHeaderFields.remove(HTTPHeaderName::AcceptEncoding);
+
+    if (url().protocolIsInHTTPFamily())
+        m_platformRequestUpdated = false;
+}
+
</ins><span class="cx"> void ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(const String&amp; encoding1, const String&amp; encoding2, const String&amp; encoding3)
</span><span class="cx"> {
</span><span class="cx">     updateResourceRequest(); 
</span></span></pre></div>
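Review bot: clearHTTPAcceptEncoding() is added without any comment on when a caller should strip Accept-Encoding, and neither this hunk nor the matching ResourceRequestBase.h hunk shows a caller. Please document the intended use next to the declaration, since removing this header is not obviously related to the credential changes in the other files.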
<a id="releasesWebKitGTKwebkit210SourceWebCoreplatformnetworkResourceRequestBaseh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.h (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.h        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/platform/network/ResourceRequestBase.h        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -115,6 +115,8 @@
</span><span class="cx">         void setHTTPAccept(const String&amp;);
</span><span class="cx">         void clearHTTPAccept();
</span><span class="cx"> 
</span><ins>+        void clearHTTPAcceptEncoding();
+
</ins><span class="cx">         const Vector&lt;String&gt;&amp; responseContentDispositionEncodingFallbackArray() const { return m_responseContentDispositionEncodingFallbackArray; }
</span><span class="cx">         WEBCORE_EXPORT void setResponseContentDispositionEncodingFallbackArray(const String&amp; encoding1, const String&amp; encoding2 = String(), const String&amp; encoding3 = String());
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCorexmlXMLHttpRequestcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/xml/XMLHttpRequest.cpp (195264 => 195265)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/xml/XMLHttpRequest.cpp        2016-01-19 08:58:49 UTC (rev 195264)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/xml/XMLHttpRequest.cpp        2016-01-19 08:59:16 UTC (rev 195265)
</span><span class="lines">@@ -764,6 +764,7 @@
</span><span class="cx">     options.setSniffContent(DoNotSniffContent);
</span><span class="cx">     options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight;
</span><span class="cx">     options.setAllowCredentials((m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
</span><ins>+    options.setCredentialRequest(m_includeCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
</ins><span class="cx">     options.crossOriginRequestPolicy = UseAccessControl;
</span><span class="cx">     options.securityOrigin = securityOrigin();
</span><span class="cx">     options.initiator = cachedResourceRequestInitiators().xmlhttprequest;
</span></span></pre>
</div>
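Review bot: The added setCredentialRequest() line repeats the ternary from EventSource.cpp with m_includeCredentials in place of m_withCredentials, and in both files it sits next to a separate setAllowCredentials() expression that must stay consistent with it. A small shared helper that takes the same-origin flag and the with-credentials flag and sets both options together would keep the two APIs from drifting apart.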
</div>

</body>
</html>