[XHR] Use response tainting to calculate CORS-exposed header-name list

XHR uses the same-originness of the request origin and the destination URL to calculate the CORS-exposed header-name list, which leads to wrong results with redirects. Use response tainting as specced. Bug: 959390 Change-Id: Iec448dfe7d2b47d00f0f471391eb7918a1fe7bc4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1598949Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#657626}

[XHR] Use response tainting to calculate CORS-exposed header-name list
XHR uses the same-originness of the request origin and the destination URL to calculate the CORS-exposed header-name list, which leads to wrong results with redirects. Use response tainting as specced. Bug: 959390 Change-Id: Iec448dfe7d2b47d00f0f471391eb7918a1fe7bc4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1598949Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#657626}
08cc019f · Yutaka Hirano · Commit Bot · 09b2b752 · 08cc019f · 08cc019f
Commit 08cc019f authored May 08, 2019 by Yutaka Hirano Committed by Commit Bot May 08, 2019
3 changed files
--- a/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc
+++ b/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc
@@ -1043,9 +1043,9 @@ void XMLHttpRequest::CreateRequest(scoped_refptr<EncodedFormData> http_body,
    }
  }
-  same_origin_request_ = GetSecurityOrigin()->CanRequest(url_);
+  const bool same_origin_request = GetSecurityOrigin()->CanRequest(url_);
-  if (!same_origin_request_ && with_credentials_) {
+  if (!same_origin_request && with_credentials_) {
    UseCounter::Count(&execution_context,
                      WebFeature::kXMLHttpRequestCrossOriginWithCredentials);
  }
@@ -1053,7 +1053,7 @@ void XMLHttpRequest::CreateRequest(scoped_refptr<EncodedFormData> http_body,
  // We also remember whether upload events should be allowed for this request
  // in case the upload listeners are added after the request is started.
  upload_events_allowed_ =
-      same_origin_request_ || upload_events ||
+      same_origin_request || upload_events ||
      !cors::IsCorsSafelistedMethod(method_) ||
      !cors::ContainsOnlyCorsSafelistedHeaders(request_headers_);
@@ -1489,11 +1489,12 @@ String XMLHttpRequest::getAllResponseHeaders() const {
        !GetSecurityOrigin()->CanLoadLocalResources())
      continue;
-    if (!same_origin_request_ &&
+    if (response_.GetType() == network::mojom::FetchResponseType::kCors &&
        !cors::IsCorsSafelistedResponseHeader(it->key) &&
        access_control_expose_header_set.find(it->key.Ascii().data()) ==
-            access_control_expose_header_set.end())
+            access_control_expose_header_set.end()) {
      continue;
+    }
    string_builder.Append(it->key.LowerASCII());
    string_builder.Append(':');
@@ -1525,7 +1526,8 @@ const AtomicString& XMLHttpRequest::getResponseHeader(
                            : network::mojom::FetchCredentialsMode::kSameOrigin,
          response_);
-  if (!same_origin_request_ && !cors::IsCorsSafelistedResponseHeader(name) &&
+  if (response_.GetType() == network::mojom::FetchResponseType::kCors &&
+      !cors::IsCorsSafelistedResponseHeader(name) &&
      access_control_expose_header_set.find(name.Ascii().data()) ==
          access_control_expose_header_set.end()) {
    LogConsoleError(GetExecutionContext(),

--- a/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.h
+++ b/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.h
@@ -368,7 +368,6 @@ class XMLHttpRequest final : public XMLHttpRequestEventTarget,
  bool error_ = false;
  bool upload_events_allowed_ = true;
  bool upload_complete_ = false;
-  bool same_origin_request_ = true;
  // True iff the ongoing resource loading is using the downloadToBlob
  // option.
  bool downloading_to_blob_ = false;

--- a/third_party/blink/web_tests/external/wpt/xhr/access-control-expose-headers-on-redirect.html
+++ b/third_party/blink/web_tests/external/wpt/xhr/access-control-expose-headers-on-redirect.html
+<!DOCTYPE html>
+<html>
+<head>
+<title>XHR should respect access-control-expose-headers header on redirect</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<script type="text/javascript">
+async_test((test) => {
+  const xhr = new XMLHttpRequest;
+  xhr.onerror = test.unreached_func("Unexpected error.");
+  xhr.onload = test.step_func_done(() => {
+    assert_equals(xhr.status, 200);
+    assert_equals(xhr.getResponseHeader('foo'), 'bar');
+    assert_equals(xhr.getResponseHeader('hoge'), null);
+  });
+  const destination = get_host_info().HTTP_REMOTE_ORIGIN +
+    '/common/blank.html?pipe=header(access-control-allow-origin,*)|' +
+    'header(access-control-expose-headers,foo)|' +
+    'header(foo,bar)|header(hoge,fuga)';
+  const url =
+    'resources/redirect.py?location=' + encodeURIComponent(destination);
+  xhr.open('GET', url);
+  xhr.send();
+});
+</script>
+</body>
+</html>