<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[204117] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/204117">204117</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-08-04 00:56:37 -0700 (Thu, 04 Aug 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>DocumentThreadableLoader should pass the fetch mode to underlying loader code
https://bugs.webkit.org/show_bug.cgi?id=160399
Patch by Youenn Fablet <youenn@apple.com> on 2016-08-04
Reviewed by Alex Christensen.
LayoutTests/imported/w3c:
Updated expectations.
Added new tests to check specifically for Origin header in case of redirections.
Updated server-side redirect.py python script to generate valid Location URLs.
* web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt:
* web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt:
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-location-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt: Added.
* web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt: Added.
* web-platform-tests/fetch/api/redirect/redirect-origin-worker.html: Added.
* web-platform-tests/fetch/api/redirect/redirect-origin.html: Added.
* web-platform-tests/fetch/api/redirect/redirect-origin.js: Added.
(testOriginAfterRedirection):
* web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt:
* web-platform-tests/fetch/api/redirect/redirect-schemes.html: Updated test so that fetches are done in a deterministic order, one after the other is finished.
* web-platform-tests/fetch/api/resources/redirect.py:
(main):
Source/WebCore:
Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html
imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html
Covered by existing and rebased tests.
DocumentThredableLoader was previously loading resources in NoCors mode and doing the cors checks on it own.
This was duplicating code and increasing the risk of being not consistent.
DocumentThreadableLoader is now passing the fetch mode given by client to underlying loader code.
This allows removing some CORS checks in DocumentThreadableLoader code for redirections.
Updated SubresourceLoader redirection CORS checks to be on par with DocumentThreadableLoader.
In particular, aligning the code with https://fetch.spec.whatwg.org/#http-redirect-fetch.
The error logging situation is not perfect as some errors are properly logged in the console while some others are not.
For instance blockedError (due to forbidden port for instance) reason is not logged on the console.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Updating redirection checking as SubresourceLoader is already doing most of the checks.
(WebCore::DocumentThreadableLoader::didReceiveResponse): Removing temp hack as tainting is now computed by underlying loader code.
(WebCore::DocumentThreadableLoader::loadRequest): Removing fetch mode change.
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal): Updating cancellation error and improve error logging.
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Improved the checks and error reporting.
Tried to align as much as possible to https://fetch.spec.whatwg.org/#http-redirect-fetch.
* loader/SubresourceLoader.h:
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::didFail): Added an error message to the console in case of access control error.
LayoutTests:
* TestExpectations:
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt:
* http/tests/workers/worker-redirect-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async.html: Fixed bugs in the test and updated comments.
* http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
* http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirectexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsworkersworkerredirectexpectedtxt">trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncexpectedtxt">trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasynchtml">trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsexpectedtxt">trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestredirectcrossoriginpostexpectedtxt">trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsxmlhttprequestsimplecrossorigindeniedeventspostexpectedtxt">trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cChangeLog">trunk/LayoutTests/imported/w3c/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsXMLHttpRequestsendauthenticationcorsbasicsetrequestheaderexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsXMLHttpRequestsendauthenticationcorssetrequestheadernocredexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorsredirectcredentialsexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorsredirectcredentialsworkerexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectlocationexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectlocationworkerexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectschemesexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectschemeshtml">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiresourcesredirectpy">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceLoadercpp">trunk/Source/WebCore/loader/SubresourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceLoaderh">trunk/Source/WebCore/loader/SubresourceLoader.h</a></li>
<li><a href="#trunkSourceWebCorexmlXMLHttpRequestcpp">trunk/Source/WebCore/xml/XMLHttpRequest.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginworkerexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginworkerhtml">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginhtml">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginjs">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/ChangeLog 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,5 +1,22 @@
</span><span class="cx"> 2016-08-04 Youenn Fablet <youenn@apple.com>
</span><span class="cx">
</span><ins>+ DocumentThreadableLoader should pass the fetch mode to underlying loader code
+ https://bugs.webkit.org/show_bug.cgi?id=160399
+
+ Reviewed by Alex Christensen.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt:
+ * http/tests/workers/worker-redirect-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-async.html: Fixed bugs in the test and updated comments.
+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+ * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
+ * http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt:
+
+2016-08-04 Youenn Fablet <youenn@apple.com>
+
</ins><span class="cx"> LayoutTest imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-post-upload.htm failing
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=159724
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/TestExpectations 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -362,6 +362,7 @@
</span><span class="cx"> [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker.html [ Skip ]
</span><span class="cx"> [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-method-worker.html [ Skip ]
</span><span class="cx"> [ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker.html [ Skip ]
</span><ins>+[ Debug ] imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html [ Skip ]
</ins><span class="cx"> [ Debug ] imported/w3c/web-platform-tests/fetch/nosniff/worker.html [ Skip ]
</span><span class="cx">
</span><span class="cx"> webkit.org/b/157068 imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html [ Skip ]
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,4 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html. Domains, protocols and ports must match.
+
</ins><span class="cx"> This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
</span><span class="cx">
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html. Domains, protocols and ports must match.
+
</ins><span class="cx"> This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
</span><span class="cx">
</span><span class="cx"> PASS worker failed to load script URL.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsworkersworkerredirectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from frame with URL http://127.0.0.1:8000/workers/worker-redirect.html. Domains, protocols and ports must match.
+
</ins><span class="cx"> Test that loading the worker's script does not allow a cross origin redirect (bug 26146)
</span><span class="cx">
</span><span class="cx"> SUCCESS: threw exception (SecurityError (DOM Exception 18): The operation is insecure.) when attempting to cross origin while loading the worker script.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasyncexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><del>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://localhost:8000. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
</del><ins>+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks.
</ins><span class="cx"> CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. Preflight response is not successful
</span><span class="cx"> CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*&%20%20access-control-allow-headers=x-webkit. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
</span><span class="cx"> Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
</span><span class="lines">@@ -9,15 +9,17 @@
</span><span class="cx"> Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials
</span><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 without credentials
</del><ins>+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials
</ins><span class="cx"> Expecting success: true
</span><del>-FAIL: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 without credentials
</del><ins>+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials
</ins><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span><del>-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://localhost:8000 without credentials
-Expecting success: false
-PASS: 0
</del><span class="cx"> Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=* without credentials
</span><span class="cx"> Expecting success: false
</span><span class="cx"> PASS: 0
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsasynchtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -48,22 +48,20 @@
</span><span class="cx"> ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
</span><span class="cx"> withoutCredentials, noCustomHeader, fails],
</span><span class="cx">
</span><del>-// Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
-// passes the access check.
-// FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original
-// request was cross-origin.
</del><ins>+// Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response passes the access check.
</ins><span class="cx"> ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
</span><del>- access-control-allow-origin=http://localhost:8000",
</del><ins>+ access-control-allow-origin=http://127.0.0.1:8000",
</ins><span class="cx"> withoutCredentials, noCustomHeader, succeeds],
</span><span class="cx">
</span><del>-// Receives a redirect response with a URL containing the userinfo production.
</del><ins>+// Receives a redirect response with a URL containing the userinfo production. Although loading should fail according fetch spec,
+// the underlying HTTP stack currently removes credentials from redirection URL, hence loading is successful.
</ins><span class="cx"> ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
</span><del>- access-control-allow-origin=http://localhost:8000",
- withoutCredentials, noCustomHeader, fails],
</del><ins>+ access-control-allow-origin=http://127.0.0.1:8000",
+ withoutCredentials, noCustomHeader, succeeds],
</ins><span class="cx">
</span><span class="cx"> // Receives a redirect response with a URL with an unsupported scheme.
</span><span class="cx"> ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\
</span><del>- access-control-allow-origin=http://localhost:8000",
</del><ins>+ access-control-allow-origin=http://127.0.0.1:8000",
</ins><span class="cx"> withoutCredentials, noCustomHeader, fails],
</span><span class="cx">
</span><span class="cx"> // 2) Test preflighted cross origin requests that receive redirects.
</span><span class="lines">@@ -74,7 +72,8 @@
</span><span class="cx"> access-control-allow-origin=*",
</span><span class="cx"> withoutCredentials, addCustomHeader, fails],
</span><span class="cx">
</span><del>-// Successful preflight and receives a redirect response to the actual request and fails.
</del><ins>+// Successful preflight and receives a redirect response to the actual request.
+// Preflight to the redirected URL should fail as it does not allow custom headers.
</ins><span class="cx"> ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\
</span><span class="cx"> url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
</span><span class="cx"> access-control-allow-origin=*&\
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsxmlhttprequestaccesscontrolandredirectsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,6 +1,8 @@
</span><del>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
</del><ins>+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
</ins><span class="cx"> CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
</span><del>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
</del><ins>+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
</ins><span class="cx"> Tests that redirects between origins are never allowed, even when access control is involved.
</span><span class="cx">
</span><span class="cx"> Per the spec, these test cases should be allowed, but cross-origin redirects are currently unsupported in WebCore.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsxmlhttprequestredirectcrossoriginpostexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,4 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks.
</ins><span class="cx"> Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
</span><span class="cx">
</span><span class="cx"> PASS
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsxmlhttprequestsimplecrossorigindeniedeventspostexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-post-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,4 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
</span><ins>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:7/ due to access control checks.
</ins><span class="cx"> Test that a simple cross-origin request to a server that responds (but does not permit cross-origin requests) is indistinguishable from one that does not exist. Should say PASS:
</span><span class="cx">
</span><span class="cx"> PASS
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/ChangeLog (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/ChangeLog 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,31 @@
</span><ins>+2016-08-04 Youenn Fablet <youenn@apple.com>
+
+ DocumentThreadableLoader should pass the fetch mode to underlying loader code
+ https://bugs.webkit.org/show_bug.cgi?id=160399
+
+ Reviewed by Alex Christensen.
+
+ Updated expectations.
+ Added new tests to check specifically for Origin header in case of redirections.
+ Updated server-side redirect.py python script to generate valid Location URLs.
+
+ * web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt:
+ * web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt:
+ * web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
+ * web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-location-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt: Added.
+ * web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt: Added.
+ * web-platform-tests/fetch/api/redirect/redirect-origin-worker.html: Added.
+ * web-platform-tests/fetch/api/redirect/redirect-origin.html: Added.
+ * web-platform-tests/fetch/api/redirect/redirect-origin.js: Added.
+ (testOriginAfterRedirection):
+ * web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-schemes.html: Updated test so that fetches are done in a deterministic order, one after the other is finished.
+ * web-platform-tests/fetch/api/resources/redirect.py:
+ (main):
+
</ins><span class="cx"> 2016-08-03 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Object.getOwnPropertyNames() on NamedNodeMap fails to return named properties
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsXMLHttpRequestsendauthenticationcorsbasicsetrequestheaderexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-basic-setrequestheader-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,4 +1,5 @@
</span><span class="cx"> Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py
</span><ins>+CONSOLE MESSAGE: line 34: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth2/corsenabled.py due to access control checks.
</ins><span class="cx">
</span><span class="cx"> FAIL XMLHttpRequest: send() - "Basic" authenticated CORS request using setRequestHeader() (expects to succeed) assert_true: responseText should contain the right user and password expected true got false
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsXMLHttpRequestsendauthenticationcorssetrequestheadernocredexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-cors-setrequestheader-no-cred-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,5 +1,7 @@
</span><span class="cx"> Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py
</span><ins>+CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth7/corsenabled.py due to access control checks.
</ins><span class="cx"> Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py
</span><ins>+CONSOLE MESSAGE: line 33: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth8/corsenabled-no-authorize.py due to access control checks.
</ins><span class="cx">
</span><span class="cx"> FAIL CORS request with setRequestHeader auth to URL accepting Authorization header assert_true: responseText should contain the right user and password expected true got false
</span><span class="cx"> PASS CORS request with setRequestHeader auth to URL NOT accepting Authorization header
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorsredirectcredentialsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,48 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
</ins><span class="cx">
</span><span class="cx"> PASS Redirect 301 from same origin to remote with user and password
</span><span class="cx"> PASS Redirect 301 from same origin to remote with user
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorsredirectcredentialsworkerexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,48 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27301%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27302%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27303%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27307%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8801/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40localhost%3A8801%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2Fuser%3A%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8800/fetch/api/resources/preflight.py?redirect_status=%5B%27308%27%5D&location=%5B%27http%3A%2F%2F%3Apassword%40127.0.0.1%3A8800%2Ffetch%2Fapi%2Fcors%2F..%2Fresources%2Fpreflight.py%27%5D&count=1 denied by Cross-Origin Resource Sharing policy: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
</ins><span class="cx">
</span><span class="cx"> PASS Redirect 301 from same origin to remote with user and password
</span><span class="cx"> PASS Redirect 301 from same origin to remote with user
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectlocationexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,8 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
</ins><span class="cx">
</span><span class="cx"> PASS Redirect 301 in "follow" mode without location
</span><span class="cx"> PASS Redirect 301 in "manual" mode without location
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectlocationworkerexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-location-worker-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,8 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,data%20url denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
</ins><span class="cx">
</span><span class="cx"> PASS Redirect 301 in "follow" mode without location
</span><span class="cx"> PASS Redirect 301 in "manual" mode without location
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt (0 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+
+PASS Same origin to same origin redirection 301
+PASS Same origin to other origin redirection 301
+PASS Other origin to other origin redirection 301
+PASS Other origin to same origin redirection 301
+PASS Same origin to same origin redirection 302
+PASS Same origin to other origin redirection 302
+PASS Other origin to other origin redirection 302
+PASS Other origin to same origin redirection 302
+PASS Same origin to same origin redirection 303
+PASS Same origin to other origin redirection 303
+PASS Other origin to other origin redirection 303
+PASS Other origin to same origin redirection 303
+PASS Same origin to same origin redirection 307
+PASS Same origin to other origin redirection 307
+PASS Other origin to other origin redirection 307
+PASS Other origin to same origin redirection 307
+PASS Same origin to same origin redirection 308
+PASS Same origin to other origin redirection 308
+PASS Other origin to other origin redirection 308
+PASS Other origin to same origin redirection 308
+
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginworkerexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt (0 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+
+PASS Same origin to same origin redirection 301
+PASS Same origin to other origin redirection 301
+PASS Other origin to other origin redirection 301
+PASS Other origin to same origin redirection 301
+PASS Same origin to same origin redirection 302
+PASS Same origin to other origin redirection 302
+PASS Other origin to other origin redirection 302
+PASS Other origin to same origin redirection 302
+PASS Same origin to same origin redirection 303
+PASS Same origin to other origin redirection 303
+PASS Other origin to other origin redirection 303
+PASS Other origin to same origin redirection 303
+PASS Same origin to same origin redirection 307
+PASS Same origin to other origin redirection 307
+PASS Other origin to other origin redirection 307
+PASS Other origin to same origin redirection 307
+PASS Same origin to same origin redirection 308
+PASS Same origin to other origin redirection 308
+PASS Other origin to other origin redirection 308
+PASS Other origin to same origin redirection 308
+
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginworkerhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html (0 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Fetch in worker: redirect mode handling</title>
+ <meta name="author" title="Canon Research France" href="https://www.crf.canon.fr">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#concept-filtered-response-opaque-redirect">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script>
+ fetch_tests_from_worker(new Worker("redirect-origin.js"));
+ </script>
+ </body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html (0 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Fetch: redirect mode handling</title>
+ <meta name="author" title="Canon Research France" href="https://www.crf.canon.fr">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#concept-filtered-response-opaque-redirect">
+ <meta name="help" href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script src="/common/utils.js"></script>
+ <script src="../resources/utils.js"></script>
+ <script src="../resources/get-host-info.sub.js"></script>
+ <script src="redirect-origin.js"></script>
+ </body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectoriginjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.js (0 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.js (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.js 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+if (this.document === undefined) {
+ importScripts("/common/utils.js");
+ importScripts("/resources/testharness.js");
+ importScripts("../resources/utils.js");
+ importScripts("../resources/get-host-info.sub.js");
+}
+
+function testOriginAfterRedirection(desc, redirectUrl, redirectLocation, redirectStatus, expectedOrigin) {
+ var uuid_token = token();
+ var url = redirectUrl;
+ var urlParameters = "?token=" + uuid_token + "&max_age=0";
+ urlParameters += "&redirect_status=" + redirectStatus;
+ urlParameters += "&location=" + encodeURIComponent(redirectLocation);
+
+ var requestInit = {"mode": "cors", "redirect": "follow"};
+
+ promise_test(function(test) {
+ return fetch(RESOURCES_DIR + "clean-stash.py?token=" + uuid_token).then(function(resp) {
+ assert_equals(resp.status, 200, "Clean stash response's status is 200");
+ return fetch(url + urlParameters, requestInit).then(function(response) {
+ assert_equals(response.status, 200, "Inspect header response's status is 200");
+ assert_equals(response.headers.get("x-request-origin"), expectedOrigin, "Check origin header");
+ });
+ });
+ }, desc);
+}
+
+var redirectUrl = RESOURCES_DIR + "redirect.py";
+var corsRedirectUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "redirect.py";
+var locationUrl = get_host_info().HTTP_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "inspect-headers.py?headers=origin";
+var corsLocationUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "inspect-headers.py?cors&headers=origin";
+
+for (var code of [301, 302, 303, 307, 308]) {
+ testOriginAfterRedirection("Same origin to same origin redirection " + code, redirectUrl, locationUrl, code, null);
+ testOriginAfterRedirection("Same origin to other origin redirection " + code, redirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+ testOriginAfterRedirection("Other origin to other origin redirection " + code, corsRedirectUrl, corsLocationUrl, code, get_host_info().HTTP_ORIGIN);
+ testOriginAfterRedirection("Other origin to same origin redirection " + code, corsRedirectUrl, locationUrl + "&cors", code, "null");
+}
+
+done();
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectschemesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes-expected.txt 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,4 +1,9 @@
</span><del>-CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs?l=blob:djfksfjs&count=1
</del><ins>+CONSOLE MESSAGE: Cross-origin redirection to mailto:a@a.com denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to data:,HI denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to facetime:a@a.org denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to about:blank denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Cross-origin redirection to about:unicorn denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Not allowed to load local resource: blob:djfksfjs
</ins><span class="cx">
</span><span class="cx"> PASS Fetch: handling different schemes in redirects
</span><span class="cx"> PASS Fetch: handling different schemes in redirects 1
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiredirectredirectschemeshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-schemes.html 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -6,18 +6,18 @@
</span><span class="cx"> <div id=log></div>
</span><span class="cx"> <script>
</span><span class="cx"> // All non-HTTP(S) schemes cannot survive redirects
</span><del>- var url = "../resources/redirect.py?location=",
- tests = [
- fetch(url + "mailto:a@a.com"),
- fetch(url + "data:,HI"),
- fetch(url + "facetime:a@a.org"),
- fetch(url + "about:blank"),
- fetch(url + "about:unicorn"),
- fetch(url + "blob:djfksfjs")
</del><ins>+ var url = "../resources/redirect.py?location=";
+ var tests = [
+ url + "mailto:a@a.com",
+ url + "data:,HI",
+ url + "facetime:a@a.org",
+ url + "about:blank",
+ url + "about:unicorn",
+ url + "blob:djfksfjs"
</ins><span class="cx"> ];
</span><del>- tests.forEach(function(f) {
- promise_test(function(t) {
- return promise_rejects(t, new TypeError(), f)
</del><ins>+ tests.forEach(function(url) {
+ promise_test(function(test) {
+ return promise_rejects(test, new TypeError(), fetch(url))
</ins><span class="cx"> })
</span><span class="cx"> })
</span><span class="cx"> </script>
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapiresourcesredirectpy"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,6 @@
</span><ins>+from urllib import urlencode
+from urlparse import urlparse
+
</ins><span class="cx"> def main(request, response):
</span><span class="cx"> stashed_data = {'count': 0, 'preflight': "0"}
</span><span class="cx"> status = 302
</span><span class="lines">@@ -28,13 +31,16 @@
</span><span class="cx">
</span><span class="cx"> stashed_data['count'] += 1
</span><span class="cx">
</span><del>- #keep url parameters in location
- url_parameters = "?" + "&".join(map(lambda x: x[0][0] + "=" + x[1][0], request.GET.items()))
- #make sure location changes during redirection loop
- url_parameters += "&count=" + str(stashed_data['count'])
-
</del><span class="cx"> if "location" in request.GET:
</span><del>- headers.append(("Location", request.GET['location'] + url_parameters))
</del><ins>+ url = request.GET['location']
+ scheme = urlparse(url).scheme
+ if scheme == "" or scheme == "http" or scheme == "https":
+ url += "&" if '?' in url else "?"
+ #keep url parameters in location
+ url += urlencode(request.GET.items())
+ #make sure location changes during redirection loop
+ url += "&count=" + str(stashed_data['count'])
+ headers.append(("Location", url))
</ins><span class="cx">
</span><span class="cx"> if token:
</span><span class="cx"> request.server.stash.put(request.GET.first("token"), stashed_data)
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/Source/WebCore/ChangeLog 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -1,3 +1,37 @@
</span><ins>+2016-08-04 Youenn Fablet <youenn@apple.com>
+
+ DocumentThreadableLoader should pass the fetch mode to underlying loader code
+ https://bugs.webkit.org/show_bug.cgi?id=160399
+
+ Reviewed by Alex Christensen.
+
+ Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin-worker.html
+ imported/w3c/web-platform-tests/fetch/api/redirect/redirect-origin.html
+ Covered by existing and rebased tests.
+
+ DocumentThredableLoader was previously loading resources in NoCors mode and doing the cors checks on it own.
+ This was duplicating code and increasing the risk of being not consistent.
+ DocumentThreadableLoader is now passing the fetch mode given by client to underlying loader code.
+ This allows removing some CORS checks in DocumentThreadableLoader code for redirections.
+
+ Updated SubresourceLoader redirection CORS checks to be on par with DocumentThreadableLoader.
+ In particular, aligning the code with https://fetch.spec.whatwg.org/#http-redirect-fetch.
+
+ The error logging situation is not perfect as some errors are properly logged in the console while some others are not.
+ For instance blockedError (due to forbidden port for instance) reason is not logged on the console.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived): Updating redirection checking as SubresourceLoader is already doing most of the checks.
+ (WebCore::DocumentThreadableLoader::didReceiveResponse): Removing temp hack as tainting is now computed by underlying loader code.
+ (WebCore::DocumentThreadableLoader::loadRequest): Removing fetch mode change.
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::willSendRequestInternal): Updating cancellation error and improve error logging.
+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Improved the checks and error reporting.
+ Tried to align as much as possible to https://fetch.spec.whatwg.org/#http-redirect-fetch.
+ * loader/SubresourceLoader.h:
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::didFail): Added an error message to the console in case of access control error.
+
</ins><span class="cx"> 2016-08-03 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Object.getOwnPropertyNames() on NamedNodeMap fails to return named properties
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -220,43 +220,36 @@
</span><span class="cx"> if (isAllowedRedirect(request.url()))
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
- // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
- // original request was not same-origin.
- if (m_options.mode == FetchOptions::Mode::Cors) {
- bool allowRedirect = false;
- if (m_simpleRequest) {
- String accessControlErrorDescription;
- allowRedirect = isValidCrossOriginRedirectionURL(request.url())
- && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription));
- }
</del><ins>+ // Force any subsequent request to use these checks.
+ m_sameOriginRequest = false;
</ins><span class="cx">
</span><del>- if (allowRedirect) {
- if (m_resource)
- clearResource();
</del><ins>+ ASSERT(m_resource);
+ ASSERT(m_resource->loader());
+ ASSERT(m_options.mode == FetchOptions::Mode::Cors);
</ins><span class="cx">
</span><del>- RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
- RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url());
- // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
- // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
- // should be the original URL origin.)
- if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
- m_origin = SecurityOrigin::createUnique();
- // Force any subsequent request to use these checks.
- m_sameOriginRequest = false;
</del><ins>+ // FIXME: We could remove that restriction, since we can use preflighting.
+ if (!m_simpleRequest) {
+ reportCrossOriginResourceSharingError(*m_client, redirectResponse.url());
+ request = ResourceRequest();
+ return;
+ }
</ins><span class="cx">
</span><del>- if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
- m_options.allowCredentials = DoNotAllowStoredCredentials;
</del><ins>+ // Loader might have modified the origin to a unique one, let's reuse it for subsequent loads.
+ m_origin = m_resource->loader()->origin();
</ins><span class="cx">
</span><del>- cleanRedirectedRequestForAccessControl(request);
</del><ins>+ // Except in case where preflight is needed, loading should be able to continue on its own.
+ // But we also handle credentials here if it is restricted to SameOrigin.
+ if (m_options.credentials != FetchOptions::Credentials::SameOrigin)
+ return;
</ins><span class="cx">
</span><del>- makeCrossOriginAccessRequest(ResourceRequest(request));
- return;
- }
- }
</del><ins>+ m_options.allowCredentials = DoNotAllowStoredCredentials;
</ins><span class="cx">
</span><del>- reportCrossOriginResourceSharingError(*m_client, redirectResponse.url());
- request = ResourceRequest();
</del><ins>+ clearResource();
+
+ // We need to clean the request again as SubresourceLoader may not always do the cleaning,
+ // especially in the case of a cross-origin load but redirection sticking to the same origin.
+ cleanRedirectedRequestForAccessControl(request);
+ makeCrossOriginAccessRequest(ResourceRequest(request));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DocumentThreadableLoader::dataSent(CachedResource* resource, unsigned long long bytesSent, unsigned long long totalBytesToBeSent)
</span><span class="lines">@@ -285,12 +278,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ASSERT(response.type() != ResourceResponse::Type::Error);
</span><del>- if (response.type() == ResourceResponse::Type::Default) {
- // FIXME: To be removed once the real fetch mode is passed to underlying loaders.
- if (options().mode == FetchOptions::Mode::Cors && tainting == ResourceResponse::Tainting::Opaque)
- tainting = ResourceResponse::Tainting::Cors;
</del><ins>+ if (response.type() == ResourceResponse::Type::Default)
</ins><span class="cx"> m_client->didReceiveResponse(identifier, ResourceResponse::filterResponse(response, tainting));
</span><del>- } else {
</del><ins>+ else {
</ins><span class="cx"> ASSERT(response.isNull() && response.type() == ResourceResponse::Type::Opaqueredirect);
</span><span class="cx"> m_client->didReceiveResponse(identifier, response);
</span><span class="cx"> }
</span><span class="lines">@@ -369,9 +359,6 @@
</span><span class="cx"> ThreadableLoaderOptions options = m_options;
</span><span class="cx"> options.clientCredentialPolicy = m_sameOriginRequest ? ClientCredentialPolicy::MayAskClientForCredentials : ClientCredentialPolicy::CannotAskClientForCredentials;
</span><span class="cx">
</span><del>- // Set to NoCors as CORS checks are done in DocumentThreadableLoader
- options.mode = FetchOptions::Mode::NoCors;
-
</del><span class="cx"> CachedResourceRequest newRequest(WTFMove(request), options);
</span><span class="cx"> if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
</span><span class="cx"> newRequest.setInitiator(m_options.initiator);
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubresourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -203,8 +203,12 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
- cancel();
</del><ins>+ String errorDescription;
+ if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest, errorDescription)) {
+ String errorMessage = "Cross-origin redirection to " + newRequest.url().string() + " denied by Cross-Origin Resource Sharing policy: " + errorDescription;
+ if (m_frame && m_frame->document())
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
+ cancel(ResourceError(String(), 0, request().url(), errorMessage, ResourceError::Type::AccessControl));
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -397,36 +401,46 @@
</span><span class="cx"> frame->page()->diagnosticLoggingClient().logDiagnosticMessageWithValue(DiagnosticLoggingKeys::resourceKey(), DiagnosticLoggingKeys::loadedKey(), resourceType, ShouldSample::Yes);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
</del><ins>+bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(options().mode != FetchOptions::Mode::SameOrigin);
</span><span class="cx">
</span><del>- bool shouldCheckCrossOrigin = options().mode == FetchOptions::Mode::Cors && m_resource->isCrossOrigin();
</del><ins>+ bool crossOriginFlag = m_resource->isCrossOrigin();
+ bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
</ins><span class="cx">
</span><del>- if (!(m_origin && m_origin->canRequest(newRequest.url())))
</del><ins>+ if (isNextRequestCrossOrigin)
</ins><span class="cx"> m_resource->setCrossOrigin();
</span><span class="cx">
</span><del>- if (!shouldCheckCrossOrigin)
</del><ins>+ if (options().mode != FetchOptions::Mode::Cors)
</ins><span class="cx"> return true;
</span><span class="cx">
</span><ins>+ // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
+ if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
+ errorMessage = ASCIILiteral("URL is either a non-HTTP URL or contains credentials.");
+ return false;
+ }
+
</ins><span class="cx"> ASSERT(m_origin);
</span><del>- String errorDescription;
- bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
- || passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorDescription);
- if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
- if (m_frame && m_frame->document()) {
- String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
- (!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials.");
- m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
- }
</del><ins>+ if (crossOriginFlag && !passesAccessControlCheck(redirectResponse, options().allowCredentials, *m_origin, errorMessage))
</ins><span class="cx"> return false;
</span><ins>+
+ bool redirectingToNewOrigin = false;
+ if (m_resource->isCrossOrigin()) {
+ if (!crossOriginFlag && isNextRequestCrossOrigin)
+ redirectingToNewOrigin = true;
+ else
+ redirectingToNewOrigin = !SecurityOrigin::create(previousRequest.url())->canRequest(newRequest.url());
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- // If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
- m_origin = SecurityOrigin::createUnique();
- cleanRedirectedRequestForAccessControl(newRequest);
- updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials);
</del><ins>+ // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 10.
+ if (crossOriginFlag && redirectingToNewOrigin)
+ m_origin = SecurityOrigin::createUnique();
</ins><span class="cx">
</span><ins>+ if (redirectingToNewOrigin) {
+ cleanRedirectedRequestForAccessControl(newRequest);
+ updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials);
+ }
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubresourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceLoader.h (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceLoader.h 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/Source/WebCore/loader/SubresourceLoader.h 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -51,6 +51,7 @@
</span><span class="cx"> bool isSubresourceLoader() override;
</span><span class="cx"> CachedResource* cachedResource();
</span><span class="cx">
</span><ins>+ SecurityOrigin* origin() { return m_origin.get(); }
</ins><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx"> bool startLoading() override;
</span><span class="cx">
</span><span class="lines">@@ -91,7 +92,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> bool checkForHTTPStatusCodeError();
</span><del>- bool checkRedirectionCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
</del><ins>+ bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest, String&);
</ins><span class="cx">
</span><span class="cx"> void didReceiveDataOrBuffer(const char*, int, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXMLHttpRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (204116 => 204117)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-08-04 06:53:26 UTC (rev 204116)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-08-04 07:56:37 UTC (rev 204117)
</span><span class="lines">@@ -977,6 +977,9 @@
</span><span class="cx"> if (error.domain() == errorDomainWebKitInternal) {
</span><span class="cx"> String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), ". ", error.localizedDescription());
</span><span class="cx"> logConsoleError(scriptExecutionContext(), message);
</span><ins>+ } else if (error.isAccessControl()) {
+ String message = makeString("XMLHttpRequest cannot load ", error.failingURL().string(), " due to access control checks.");
+ logConsoleError(scriptExecutionContext(), message);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> m_exceptionCode = NETWORK_ERR;
</span></span></pre>
</div>
</div>
</body>
</html>