[OOR-CORS] Do not send cookies and authentication data via preflight

load_flags is set from fetch_credentials_mode in renderer/loader but
for preflight requests we need to set it manually.

Bug: 736308
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I7ff8b945c091bf1195dd83318d74945c5020aece
Reviewed-on: https://chromium-review.googlesource.com/1095124
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Adam Rice <ricea@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566785}

services/network/cors/preflight_controller.cc

@@ -9,6 +9,7 @@
 #include "base/bind.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
+#include "net/base/load_flags.h"
 #include "net/http/http_request_headers.h"
 #include "services/network/public/cpp/cors/cors.h"
 #include "services/network/public/cpp/cors/cors_error_status.h"
@@ -81,6 +82,9 @@ std::unique_ptr<ResourceRequest> CreatePreflightRequest(
 
   preflight_request->fetch_credentials_mode =
       mojom::FetchCredentialsMode::kOmit;
+  preflight_request->load_flags |= net::LOAD_DO_NOT_SAVE_COOKIES;
+  preflight_request->load_flags |= net::LOAD_DO_NOT_SEND_COOKIES;
+  preflight_request->load_flags |= net::LOAD_DO_NOT_SEND_AUTH_DATA;
 
   preflight_request->headers.SetHeader(
       cors::header_names::kAccessControlRequestMethod, request.method);

services/network/cors/preflight_controller_unittest.cc

@@ -9,6 +9,7 @@
 
 #include "base/run_loop.h"
 #include "base/test/scoped_task_environment.h"
+#include "net/base/load_flags.h"
 #include "net/http/http_request_headers.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_request.h"
@@ -71,6 +72,21 @@ TEST(PreflightControllerCreatePreflightRequestTest, ExcludeSimpleHeaders) {
       cors::header_names::kAccessControlRequestHeaders, &header));
 }
 
+TEST(PreflightControllerCreatePreflightRequestTest, Credentials) {
+  ResourceRequest request;
+  request.request_initiator = url::Origin();
+  request.headers.SetHeader("Orange", "Orange");
+
+  std::unique_ptr<ResourceRequest> preflight =
+      PreflightController::CreatePreflightRequestForTesting(request);
+
+  EXPECT_EQ(mojom::FetchCredentialsMode::kOmit,
+            preflight->fetch_credentials_mode);
+  EXPECT_TRUE(preflight->load_flags & net::LOAD_DO_NOT_SAVE_COOKIES);
+  EXPECT_TRUE(preflight->load_flags & net::LOAD_DO_NOT_SEND_COOKIES);
+  EXPECT_TRUE(preflight->load_flags & net::LOAD_DO_NOT_SEND_AUTH_DATA);
+}
+
 TEST(PreflightControllerCreatePreflightRequestTest,
      ExcludeSimpleContentTypeHeader) {
   ResourceRequest request;

third_party/WebKit/LayoutTests/TestExpectations

@@ -1804,18 +1804,6 @@ crbug.com/831509 virtual/outofblink-cors/external/wpt/service-workers/service-wo
 crbug.com/832071 virtual/outofblink-cors/external/wpt/service-workers/service-worker/worker-client-id.https.html [ Failure ]
 
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/chromium/error-messages.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/auth-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/auth-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/auth.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cookie-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cookie-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cookie.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight2-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight2-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/cors-preflight2.html [ Failure Timeout ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect-credentials-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect-credentials-other-https.html [ Failure ]
@@ -1825,18 +1813,6 @@ crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect-loop.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker/thorough/redirect.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/auth-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/auth-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/auth.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cookie-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cookie-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cookie.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight2-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight2-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/cors-preflight2.html [ Failure Timeout ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect-credentials-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect-credentials-other-https.html [ Failure ]
@@ -1846,18 +1822,6 @@ crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect-loop.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/serviceworker-proxied/thorough/redirect.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/auth-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/auth-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/auth.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cookie-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cookie-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cookie.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight2-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight2-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/cors-preflight2.html [ Failure Timeout ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect-credentials-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect-credentials-other-https.html [ Failure ]
@@ -1867,18 +1831,6 @@ crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redire
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect-loop.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/window/thorough/redirect.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/auth-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/auth-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/auth.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cookie-base-https-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cookie-other-https.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cookie.html [ Failure ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight2-base-https-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight2-other-https.html [ Failure Timeout ]
-crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/cors-preflight2.html [ Failure Timeout ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/redirect-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/redirect-credentials-base-https-other-https.html [ Failure ]
 crbug.com/736308 virtual/outofblink-cors/http/tests/fetch/workers/thorough/redirect-credentials-other-https.html [ Failure ]