Fail preflight request when redirect is received

BUG=510650,525479
R=japhet

Review URL: https://codereview.chromium.org/1304183006

git-svn-id: svn://svn.chromium.org/blink/trunk@201547 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/fetch/script-tests/fetch.js

@@ -112,6 +112,27 @@ promise_test(function(t) {
         });
   }, 'Manual redirect fetch returns opaque redirect response');
 
+promise_test(function(t) {
+    var redirect_target_url =
+      OTHER_ORIGIN + '/fetch/resources/fetch-status.php?status=200';
+    var redirect_original_url =
+      OTHER_ORIGIN + '/serviceworker/resources/redirect.php?Redirect=' +
+      redirect_target_url;
+
+    var request = new Request(redirect_original_url,
+                              {headers: [['X-Fetch-Test', 'A']],
+                               redirect: 'manual'});
+
+    // Cross-origin request with non-simple header initiates CORS preflight
+    // request.
+    return fetch(request)
+      .then(
+        t.unreached_func('Even in manual redirect mode, fetch with preflight' +
+                         ' must fail when redirect response is received'),
+        function() {});
+  }, 'Even in manual redirect mode, fetch with preflight must fail when' +
+     ' redirect response is received');
+
 promise_test(function(t) {
     var redirect_target_url =
       BASE_ORIGIN + '/fetch/resources/fetch-status.php?status=200';
@@ -126,10 +147,10 @@ promise_test(function(t) {
 
     return fetch(request)
       .then(
-        t.unreached_func('Redirect response must cause an error when redirct' +
+        t.unreached_func('Redirect response must cause an error when redirect' +
                          ' mode is error.'),
         function() {});
-  }, 'Redirect response must cause an error when redirct mode is error.');
+  }, 'Redirect response must cause an error when redirect mode is error.');
 
 promise_test(function(test) {
     var url = BASE_ORIGIN + '/fetch/resources/doctype.html';

third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt

@@ -2,7 +2,7 @@ CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/r
 CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. The 'Access-Control-Allow-Origin' header has a value 'http://localhost:8000' that is not equal to the supplied origin. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
 CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=http://localhost:8000. The request was redirected to a URL ('http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi') containing userinfo, which is disallowed for cross-origin requests.
 CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://localhost:8000. The request was redirected to a URL ('foo://bar.cgi') which has a disallowed scheme for cross-origin requests.
-CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. The request was redirected to 'http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi', which is disallowed for cross-origin requests that require preflight.
+CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. Response for preflight is invalid (redirect)
 CONSOLE ERROR: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*&%20%20access-control-allow-headers=x-webkit. The request was redirected to 'http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi', which is disallowed for cross-origin requests that require preflight.
 Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
 

third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

@@ -314,6 +314,19 @@ void DocumentThreadableLoader::redirectReceived(Resource* resource, ResourceRequ
 
     RefPtr<DocumentThreadableLoader> protect(this);
 
+    if (m_actualRequest) {
+        reportResponseReceived(resource->identifier(), redirectResponse);
+
+        clearResource();
+        request = ResourceRequest();
+
+        m_requestStartedSeconds = 0.0;
+
+        handlePreflightFailure(redirectResponse.url().string(), "Response for preflight is invalid (redirect)");
+
+        return;
+    }
+
     if (m_redirectMode == WebURLRequest::FetchRedirectModeManual) {
         // We use |m_redirectMode| to check the original redirect mode.
         // |request| is a new request for redirect. So we don't set the redirect