Set CORS preflight's `Sec-Fetch-Mode` to `cors`.

Spec change: https://github.com/whatwg/fetch/pull/916 Bug: 979946 Change-Id: Ic1cd8691c9b06371b94de29a5648fb6c8d7bebed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1702311 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#678272}

Set CORS preflight's `Sec-Fetch-Mode` to `cors`.
Spec change: https://github.com/whatwg/fetch/pull/916 Bug: 979946 Change-Id: Ic1cd8691c9b06371b94de29a5648fb6c8d7bebed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1702311 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#678272}
9fdf93be · Mike West · Commit Bot · 334d80f2 · 9fdf93be · 9fdf93be
Commit 9fdf93be authored Jul 17, 2019 by Mike West Committed by Commit Bot Jul 17, 2019
5 changed files
--- a/services/network/cors/preflight_controller.cc
+++ b/services/network/cors/preflight_controller.cc
@@ -92,6 +92,7 @@ std::unique_ptr<ResourceRequest> CreatePreflightRequest(
  preflight_request->headers.SetHeader(
      header_names::kAccessControlRequestMethod, request.method);
+  preflight_request->headers.SetHeader("Sec-Fetch-Mode", "cors");
  std::string request_headers = CreateAccessControlRequestHeadersHeader(
      request.headers, request.is_revalidating);

--- a/services/network/cors/preflight_controller_unittest.cc
+++ b/services/network/cors/preflight_controller_unittest.cc
@@ -110,6 +110,21 @@ TEST(PreflightControllerCreatePreflightRequestTest,
      header_names::kAccessControlRequestHeaders, &header));
 }
+TEST(PreflightControllerCreatePreflightRequestTest, IncludeSecFetchModeHeader) {
+  ResourceRequest request;
+  request.mode = mojom::RequestMode::kCors;
+  request.credentials_mode = mojom::CredentialsMode::kOmit;
+  request.request_initiator = url::Origin();
+  request.headers.SetHeader("X-Custom-Header", "foobar");
+  std::unique_ptr<ResourceRequest> preflight =
+      PreflightController::CreatePreflightRequestForTesting(request);
+  std::string header;
+  EXPECT_TRUE(preflight->headers.GetHeader("Sec-Fetch-Mode", &header));
+  EXPECT_EQ("cors", header);
+}
 TEST(PreflightControllerCreatePreflightRequestTest, IncludeNonSimpleHeader) {
  ResourceRequest request;
  request.mode = mojom::RequestMode::kCors;

--- a/third_party/blink/renderer/core/loader/threadable_loader.cc
+++ b/third_party/blink/renderer/core/loader/threadable_loader.cc
@@ -165,6 +165,7 @@ ThreadableLoader::CreateAccessControlPreflightRequest(
  preflight_request->SetHttpMethod(http_names::kOPTIONS);
  preflight_request->SetHttpHeaderField(http_names::kAccessControlRequestMethod,
                                        request.HttpMethod());
+  preflight_request->SetMode(network::mojom::RequestMode::kCors);
  preflight_request->SetPriority(request.Priority());
  preflight_request->SetRequestContext(request.GetRequestContext());
  preflight_request->SetCredentialsMode(network::mojom::CredentialsMode::kOmit);

--- a/third_party/blink/web_tests/external/wpt/fetch/sec-metadata/fetch-preflight.tentative.https.sub.html
+++ b/third_party/blink/web_tests/external/wpt/fetch/sec-metadata/fetch-preflight.tentative.https.sub.html
+<!DOCTYPE html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/sec-metadata/resources/helper.js></script>
+<script>
+  // Site
+  promise_test(t => {
+    return fetch("https://{{hosts[][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py",
+                 {
+                   mode: "cors",
+                   headers: { 'x-test': 'testing' }
+                 })
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j, {
+            "dest": "empty",
+            "site": "same-site",
+            "user": "",
+            "mode": "cors",
+          });
+        });
+  }, "Same-site fetch with preflight");
+  promise_test(t => {
+    return fetch("https://{{hosts[alt][www]}}:{{ports[https][0]}}/fetch/sec-metadata/resources/echo-as-json.py",
+                 {
+                   mode: "cors",
+                   headers: { 'x-test': 'testing' }
+                 })
+        .then(r => r.json())
+        .then(j => {
+          assert_header_equals(j, {
+            "dest": "empty",
+            "site": "cross-site",
+            "user": "",
+            "mode": "cors",
+          });
+        });
+  }, "Cross-site fetch with preflight");
+</script>
--- a/third_party/blink/web_tests/external/wpt/fetch/sec-metadata/resources/echo-as-json.py
+++ b/third_party/blink/web_tests/external/wpt/fetch/sec-metadata/resources/echo-as-json.py
@@ -7,11 +7,21 @@ def main(request, response):
    if "origin" in request.headers:
        headers.append(("Access-Control-Allow-Origin", request.headers["origin"]))
+    body = ""
+    # If we're in a preflight, verify that `Sec-Fetch-Mode` is `cors`.
+    if request.method == 'OPTIONS':
+        if request.headers.get("sec-fetch-mode") != "cors":
+            return (403, "Failed"), [], body
+        headers.append(("Access-Control-Allow-Methods", "*"))
+        headers.append(("Access-Control-Allow-Headers", "*"))
+    else:
+        body = json.dumps({
+            "dest": request.headers.get("sec-fetch-dest", ""),
+            "mode": request.headers.get("sec-fetch-mode", ""),
+            "site": request.headers.get("sec-fetch-site", ""),
+            "user": request.headers.get("sec-fetch-user", ""),
+            })
-    body = json.dumps({
-        "dest": request.headers.get("sec-fetch-dest", ""),
-        "mode": request.headers.get("sec-fetch-mode", ""),
-        "site": request.headers.get("sec-fetch-site", ""),
-        "user": request.headers.get("sec-fetch-user", ""),
-        })
    return headers, body