Explain the reason why we're using isSimpleOrForbiddenRequest() in makeCrossOriginAccessRequest()

This change was made by https://codereview.chromium.org/379113002 Explain the reason in a comment for readability. R=sigbjornf BUG=none Review URL: https://codereview.chromium.org/675993003 git-svn-id: svn://svn.chromium.org/blink/trunk@184368 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Explain the reason why we're using isSimpleOrForbiddenRequest() in makeCrossOriginAccessRequest()
This change was made by https://codereview.chromium.org/379113002 Explain the reason in a comment for readability. R=sigbjornf BUG=none Review URL: https://codereview.chromium.org/675993003 git-svn-id: svn://svn.chromium.org/blink/trunk@184368 bbb929c8-8fbe-4397-9dbb-9b2b20218538
0e0f3e47 · tyoshino@chromium.org · 8b260b86 · 0e0f3e47
Commit 0e0f3e47 authored Oct 24, 2014 by tyoshino@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp ...ty/WebKit/Source/core/loader/DocumentThreadableLoader.cpp +4 -0

No files found.
--- a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
@@ -153,6 +153,10 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques
        return;
    }

+    // We use isSimpleOrForbiddenRequest() here since |request| may have been
+    // modified in the process of loading (not from the user's input). For
+    // example, referrer. We need to accept them. For security, we must reject
+    // forbidden headers/methods at the point we accept user's input. Not here.
    if ((m_options.preflightPolicy == ConsiderPreflight && FetchUtils::isSimpleOrForbiddenRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreventPreflight) {
        ResourceRequest crossOriginRequest(request);
        ResourceLoaderOptions crossOriginOptions(m_resourceLoaderOptions);