Merge CORS*Error enums to the CORSError

Now we have three kinds of CORS error enum types, but these error groups are comprehensive yet and will need different error groups. To avoid introducing many minor error types, I would merge them into a single enum type, CORSError. Bug: 736308 Change-Id: Ib14d0359a73efa6b6a3e9db7021ca57952980666 Reviewed-on: https://chromium-review.googlesource.com/742829 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#512782}

Merge CORS*Error enums to the CORSError
Now we have three kinds of CORS error enum types, but these error groups are comprehensive yet and will need different error groups. To avoid introducing many minor error types, I would merge them into a single enum type, CORSError. Bug: 736308 Change-Id: Ib14d0359a73efa6b6a3e9db7021ca57952980666 Reviewed-on: https://chromium-review.googlesource.com/742829 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#512782}
b6454acb · Takashi Toyoshima · Commit Bot · 9cb2824d · b6454acb · b6454acb
Commit b6454acb authored Oct 31, 2017 by Takashi Toyoshima Committed by Commit Bot Oct 31, 2017
9 changed files
--- a/services/network/public/interfaces/cors.mojom
+++ b/services/network/public/interfaces/cors.mojom
@@ -4,8 +4,9 @@
 module network.mojom;
-// Error conditions of the CORS access control check.
+// Error conditions of the CORS check.
-enum CORSAccessError {
+enum CORSError {
+  // Access control
  kInvalidResponse,
  kAllowOriginMismatch,
  kSubOriginMismatch,
@@ -15,25 +16,17 @@ enum CORSAccessError {
  kInvalidAllowOriginValue,
  kDisallowCredentialsNotSetToTrue,
-  kLast = kDisallowCredentialsNotSetToTrue,
+  // Preflight
-};
+  kPreflightInvalidStatus,
-// Error conditions of CORS preflight.
-enum CORSPreflightError {
-  kInvalidStatus,
  // "Access-Control-Allow-External:"
  // ( https://wicg.github.io/cors-rfc1918/#headers ) specific error
  // conditions:
-  kMissingAllowExternal,
+  kPreflightMissingAllowExternal,
-  kInvalidAllowExternal,
+  kPreflightInvalidAllowExternal,
-  kLast = kInvalidAllowExternal,
-};
-// Error conditions of CORS redirect target URL checks.
+  // Redirect
-enum CORSRedirectError {
+  kRedirectDisallowedScheme,
-  kDisallowedScheme,
+  kRedirectContainsCredentials,
-  kContainsCredentials,
-  kLast = kContainsCredentials,
+  kLast = kRedirectContainsCredentials,
 };
--- a/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-anonymous-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-anonymous-expected.txt
 CONSOLE ERROR: Access to Image at 'http://localhost:8000/security/resources/abe.png' from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/abe-allow-credentials.php' to 'http://localhost:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' to 'http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
 Testing the handling of CORS-enabled fetch in the presence of 'anonymous' redirects.
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

--- a/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-no-cors-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/img-crossorigin-redirect-no-cors-expected.txt
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe.png' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe.png' to 'http://localhost:8000/security/resources/abe.png' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe-allow-star.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe-allow-star.php' to 'http://localhost:8000/security/resources/abe-allow-star.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/abe-allow-credentials.php' to 'http://localhost:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' to 'http://127.0.0.1:8000/security/resources/abe-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
 Testing the handling of CORS-enabled fetch in the presence of 'No CORS' redirects.
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

--- a/third_party/WebKit/LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous-expected.txt
 CONSOLE ERROR: Access to Script at 'http://localhost:8000/security/resources/localScript.js' from origin 'http://127.0.0.1:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://localhost:8000/security/resources/script-allow-credentials.php' to 'http://localhost:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://127.0.0.1:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=anonymous&url=http://127.0.0.1:8000/security/resources/script-allow-credentials.php' to 'http://127.0.0.1:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
 Testing the handling of CORS-enabled script fetch in the presence of 'anonymous' redirects.
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

--- a/third_party/WebKit/LayoutTests/http/tests/security/script-crossorigin-redirect-no-cors-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/script-crossorigin-redirect-no-cors-expected.txt
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/localScript.js' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/localScript.js' to 'http://localhost:8000/security/resources/localScript.js' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/script-allow-star.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/script-allow-star.php' to 'http://localhost:8000/security/resources/script-allow-star.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://localhost:8000/security/resources/script-allow-credentials.php' to 'http://localhost:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
-CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://127.0.0.1:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+CONSOLE ERROR: Redirect from 'http://localhost:8000/security/resources/cors-redirect.php?mode=no&url=http://127.0.0.1:8000/security/resources/script-allow-credentials.php' to 'http://127.0.0.1:8000/security/resources/script-allow-credentials.php' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
 Testing the handling of CORS-enabled
 PASS/FAIL descriptions are of the form, 'CORS request type': 'redirect CORS type' => 'resource'

--- a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp
@@ -682,41 +682,37 @@ bool DocumentThreadableLoader::RedirectReceivedBlinkCORS(
          : nullptr,
      redirect_response, resource);
-  WTF::Optional<network::mojom::CORSRedirectError> redirect_error =
+  WTF::Optional<network::mojom::CORSError> redirect_error =
      WebCORS::CheckRedirectLocation(new_url);
  if (redirect_error) {
    DispatchDidFailAccessControlCheck(
        ResourceError::CancelledDueToAccessCheckError(
            original_url, ResourceRequestBlockedReason::kOther,
-            WebCORS::RedirectErrorString(*redirect_error, original_url,
+            WebCORS::GetErrorString(*redirect_error, original_url, new_url,
-                                         new_url)));
+                                    redirect_response.HttpStatusCode(),
+                                    redirect_response.HttpHeaderFields(),
+                                    WebSecurityOrigin(GetSecurityOrigin()),
+                                    request_context_)));
    return false;
  }
  if (cors_flag_) {
    // The redirect response must pass the access control check if the CORS
    // flag is set.
-    WTF::Optional<network::mojom::CORSAccessError> access_error =
+    WTF::Optional<network::mojom::CORSError> access_error =
-        WebCORS::CheckAccess(redirect_response.Url(),
+        WebCORS::CheckAccess(original_url, redirect_response.HttpStatusCode(),
-                             redirect_response.HttpStatusCode(),
                             redirect_response.HttpHeaderFields(),
                             new_request.GetFetchCredentialsMode(),
                             WebSecurityOrigin(GetSecurityOrigin()));
    if (access_error) {
-      StringBuilder builder;
-      builder.Append("Redirect from '");
-      builder.Append(original_url.GetString());
-      builder.Append("' to '");
-      builder.Append(new_url.GetString());
-      builder.Append("' has been blocked by CORS policy: ");
-      builder.Append(WebCORS::AccessControlErrorString(
-          *access_error, redirect_response.HttpStatusCode(),
-          redirect_response.HttpHeaderFields(),
-          WebSecurityOrigin(GetSecurityOrigin()), request_context_));
      DispatchDidFailAccessControlCheck(
          ResourceError::CancelledDueToAccessCheckError(
              original_url, ResourceRequestBlockedReason::kOther,
-              builder.ToString()));
+              WebCORS::GetErrorString(*access_error, original_url, new_url,
+                                      redirect_response.HttpStatusCode(),
+                                      redirect_response.HttpHeaderFields(),
+                                      WebSecurityOrigin(GetSecurityOrigin()),
+                                      request_context_)));
      return false;
    }
  }
@@ -829,42 +825,45 @@ void DocumentThreadableLoader::ResponseReceived(
 void DocumentThreadableLoader::HandlePreflightResponse(
    const ResourceResponse& response) {
-  WTF::Optional<network::mojom::CORSAccessError> cors_error =
+  WTF::Optional<network::mojom::CORSError> cors_error = WebCORS::CheckAccess(
-      WebCORS::CheckAccess(response.Url(), response.HttpStatusCode(),
+      response.Url(), response.HttpStatusCode(), response.HttpHeaderFields(),
-                           response.HttpHeaderFields(),
+      actual_request_.GetFetchCredentialsMode(),
-                           actual_request_.GetFetchCredentialsMode(),
+      WebSecurityOrigin(GetSecurityOrigin()));
-                           WebSecurityOrigin(GetSecurityOrigin()));
  if (cors_error) {
    StringBuilder builder;
    builder.Append(
        "Response to preflight request doesn't pass access "
        "control check: ");
-    builder.Append(WebCORS::AccessControlErrorString(
+    builder.Append(WebCORS::GetErrorString(
-        *cors_error, response.HttpStatusCode(), response.HttpHeaderFields(),
+        *cors_error, response.Url(), WebURL(), response.HttpStatusCode(),
-        WebSecurityOrigin(GetSecurityOrigin()), request_context_));
+        response.HttpHeaderFields(), WebSecurityOrigin(GetSecurityOrigin()),
+        request_context_));
    HandlePreflightFailure(response.Url(), builder.ToString());
    return;
  }
-  WTF::Optional<network::mojom::CORSPreflightError> preflight_error =
+  WTF::Optional<network::mojom::CORSError> preflight_error =
      WebCORS::CheckPreflight(response.HttpStatusCode());
  if (preflight_error) {
-    HandlePreflightFailure(response.Url(),
+    HandlePreflightFailure(
-                           WebCORS::PreflightErrorString(
+        response.Url(),
-                               *preflight_error, response.HttpHeaderFields(),
+        WebCORS::GetErrorString(
-                               response.HttpStatusCode()));
+            *preflight_error, response.Url(), WebURL(),
+            response.HttpStatusCode(), response.HttpHeaderFields(),
+            WebSecurityOrigin(GetSecurityOrigin()), request_context_));
    return;
  }
  if (actual_request_.IsExternalRequest()) {
-    WTF::Optional<network::mojom::CORSPreflightError>
+    WTF::Optional<network::mojom::CORSError> external_preflight_status =
-        external_preflight_status =
+        WebCORS::CheckExternalPreflight(response.HttpHeaderFields());
-            WebCORS::CheckExternalPreflight(response.HttpHeaderFields());
    if (external_preflight_status) {
-      HandlePreflightFailure(response.Url(), WebCORS::PreflightErrorString(
+      HandlePreflightFailure(
-                                                 *external_preflight_status,
+          response.Url(),
-                                                 response.HttpHeaderFields(),
+          WebCORS::GetErrorString(
-                                                 response.HttpStatusCode()));
+              *external_preflight_status, response.Url(), WebURL(),
+              response.HttpStatusCode(), response.HttpHeaderFields(),
+              WebSecurityOrigin(GetSecurityOrigin()), request_context_));
      return;
    }
  }
@@ -955,15 +954,14 @@ void DocumentThreadableLoader::HandleResponseBlinkCORS(
    if (request_mode != network::mojom::FetchRequestMode::kNoCORS &&
        response.ResponseTypeViaServiceWorker() ==
            network::mojom::FetchResponseType::kOpaque) {
-      StringBuilder builder;
-      builder.Append(WebCORS::AccessControlErrorString(
-          network::mojom::CORSAccessError::kInvalidResponse,
-          response.HttpStatusCode(), response.HttpHeaderFields(),
-          WebSecurityOrigin(GetSecurityOrigin()), request_context_));
      DispatchDidFailAccessControlCheck(
          ResourceError::CancelledDueToAccessCheckError(
              response.Url(), ResourceRequestBlockedReason::kOther,
-              builder.ToString()));
+              WebCORS::GetErrorString(
+                  network::mojom::CORSError::kInvalidResponse, response.Url(),
+                  WebURL(), response.HttpStatusCode(),
+                  response.HttpHeaderFields(),
+                  WebSecurityOrigin(GetSecurityOrigin()), request_context_)));
      return;
    }
@@ -987,7 +985,7 @@ void DocumentThreadableLoader::HandleResponseBlinkCORS(
  fallback_request_for_service_worker_ = ResourceRequest();
  if (WebCORS::IsCORSEnabledRequestMode(request_mode) && cors_flag_) {
-    WTF::Optional<network::mojom::CORSAccessError> access_error =
+    WTF::Optional<network::mojom::CORSError> access_error =
        WebCORS::CheckAccess(response.Url(), response.HttpStatusCode(),
                             response.HttpHeaderFields(), credentials_mode,
                             WebSecurityOrigin(GetSecurityOrigin()));
@@ -996,9 +994,9 @@ void DocumentThreadableLoader::HandleResponseBlinkCORS(
      DispatchDidFailAccessControlCheck(
          ResourceError::CancelledDueToAccessCheckError(
              response.Url(), ResourceRequestBlockedReason::kOther,
-              WebCORS::AccessControlErrorString(
+              WebCORS::GetErrorString(
-                  *access_error, response.HttpStatusCode(),
+                  *access_error, response.Url(), WebURL(),
-                  response.HttpHeaderFields(),
+                  response.HttpStatusCode(), response.HttpHeaderFields(),
                  WebSecurityOrigin(GetSecurityOrigin()), request_context_)));
      return;
    }

--- a/third_party/WebKit/Source/platform/exported/WebCORS.cpp
+++ b/third_party/WebKit/Source/platform/exported/WebCORS.cpp
--- a/third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp
+++ b/third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp
@@ -314,17 +314,23 @@ bool ResourceLoader::WillFollowRedirect(
        source_origin = Context().GetSecurityOrigin();
      WebSecurityOrigin source_web_origin(source_origin.get());
      WrappedResourceRequest new_request_wrapper(new_request);
-      WebString cors_error_msg;
+      WTF::Optional<network::mojom::CORSError> cors_error =
-      if (!WebCORS::HandleRedirect(
+          WebCORS::HandleRedirect(
              source_web_origin, new_request_wrapper, redirect_response.Url(),
              redirect_response.HttpStatusCode(),
              redirect_response.HttpHeaderFields(), fetch_credentials_mode,
-              resource_->MutableOptions(), cors_error_msg)) {
+              resource_->MutableOptions());
+      if (cors_error) {
        resource_->SetCORSStatus(CORSStatus::kFailed);
        if (!unused_preload) {
-          Context().AddErrorConsoleMessage(cors_error_msg,
+          Context().AddErrorConsoleMessage(
-                                           FetchContext::kJSSource);
+              WebCORS::GetErrorString(
+                  *cors_error, redirect_response.Url(), new_url,
+                  redirect_response.HttpStatusCode(),
+                  redirect_response.HttpHeaderFields(), source_web_origin,
+                  last_request.GetRequestContext()),
+              FetchContext::kJSSource);
        }
        CancelForRedirectAccessCheckError(new_url,
@@ -468,7 +474,7 @@ CORSStatus ResourceLoader::DetermineCORSStatus(const ResourceResponse& response,
          ? resource_->GetResponse()
          : response;
-  base::Optional<network::mojom::CORSAccessError> cors_error =
+  base::Optional<network::mojom::CORSError> cors_error =
      WebCORS::CheckAccess(response_for_access_control.Url(),
                           response_for_access_control.HttpStatusCode(),
                           response_for_access_control.HttpHeaderFields(),
@@ -487,8 +493,9 @@ CORSStatus ResourceLoader::DetermineCORSStatus(const ResourceResponse& response,
  error_msg.Append("' from origin '");
  error_msg.Append(source_origin->ToString());
  error_msg.Append("' has been blocked by CORS policy: ");
-  error_msg.Append(WebCORS::AccessControlErrorString(
+  error_msg.Append(WebCORS::GetErrorString(
-      *cors_error, response_for_access_control.HttpStatusCode(),
+      *cors_error, initial_request.Url(), WebURL(),
+      response_for_access_control.HttpStatusCode(),
      response_for_access_control.HttpHeaderFields(),
      WebSecurityOrigin(source_origin), initial_request.GetRequestContext()));

--- a/third_party/WebKit/public/platform/WebCORS.h
+++ b/third_party/WebKit/public/platform/WebCORS.h
@@ -45,33 +45,37 @@ class WebSecurityOrigin;
 namespace WebCORS {
 // Perform a CORS access check on the response parameters.
-// Use |AccessControlErrorString()| to construct a user-friendly error message.
+//
-BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSAccessError>
+// Use |GetErrorString()| to construct a user-friendly error message.
-CheckAccess(const WebURL,
+BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSError> CheckAccess(
-            const int response_status_code,
+    const WebURL,
-            const WebHTTPHeaderMap&,
+    const int response_status_code,
-            network::mojom::FetchCredentialsMode,
+    const WebHTTPHeaderMap&,
-            const WebSecurityOrigin&);
+    network::mojom::FetchCredentialsMode,
+    const WebSecurityOrigin&);
 // Given a redirected-to URL, check if the location is allowed
 // according to CORS. That is:
 // - the URL has a CORS supported scheme and
 // - the URL does not contain the userinfo production.
 //
-// Use |RedirectErrorString()| to construct a user-friendly error message.
+// Use |GetErrorString()| to construct a user-friendly error message.
-BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSRedirectError>
+BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSError>
 CheckRedirectLocation(const WebURL&);
 // Perform the required CORS checks on the response to a preflight request.
 // Returns |kPreflightSuccess| if preflight response was successful.
-// Use |PreflightErrorString()| to construct a user-friendly error message.
+//
-BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSPreflightError>
+// Use |GetErrorString()| to construct a user-friendly error message.
-CheckPreflight(const int preflight_response_status_code);
+BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSError> CheckPreflight(
+    const int preflight_response_status_code);
 // Error checking for the currently experimental
 // "Access-Control-Allow-External:" header. Shares error conditions with
 // standard preflight checking.
-BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSPreflightError>
+//
+// Use |GetErrorString()| to construct a user-friendly error message.
+BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSError>
 CheckExternalPreflight(const WebHTTPHeaderMap&);
 BLINK_PLATFORM_EXPORT WebURLRequest
@@ -80,33 +84,27 @@ CreateAccessControlPreflightRequest(const WebURLRequest&);
 // TODO(tyoshino): Using platform/loader/fetch/ResourceLoaderOptions violates
 // the DEPS rule. This will be fixed soon by making HandleRedirect() not
 // depending on ResourceLoaderOptions.
-BLINK_PLATFORM_EXPORT bool HandleRedirect(
+BLINK_PLATFORM_EXPORT base::Optional<network::mojom::CORSError> HandleRedirect(
    WebSecurityOrigin&,
    WebURLRequest&,
    const WebURL,
    const int redirect_response_status_code,
    const WebHTTPHeaderMap&,
    network::mojom::FetchCredentialsMode,
-    ResourceLoaderOptions&,
+    ResourceLoaderOptions&);
-    WebString&);
-// Stringify errors from CORS access checks, preflight or redirect checks.
-BLINK_PLATFORM_EXPORT WebString
-AccessControlErrorString(const network::mojom::CORSAccessError,
-                         const int response_status_code,
-                         const WebHTTPHeaderMap&,
-                         const WebSecurityOrigin&,
-                         const WebURLRequest::RequestContext);
-BLINK_PLATFORM_EXPORT WebString
-PreflightErrorString(const network::mojom::CORSPreflightError,
-                     const WebHTTPHeaderMap&,
-                     const int preflight_response_status_code);
+// Stringify CORSError mainly for inspector messages. Generated string should
+// not be exposed to JavaScript for security reasons.
+// For errors during the redirect check, valid WebURL should be set to
+// |redirect_url|. Otherwise, it should be WebURL(), the invalid instance.
 BLINK_PLATFORM_EXPORT WebString
-RedirectErrorString(const network::mojom::CORSRedirectError,
+GetErrorString(const network::mojom::CORSError,
-                    const WebURL& request_url,
+               const WebURL& request_url,
-                    const WebURL& redirect_url);
+               const WebURL& redirect_url,
+               const int response_status_code,
+               const WebHTTPHeaderMap&,
+               const WebSecurityOrigin&,
+               const WebURLRequest::RequestContext);
 BLINK_PLATFORM_EXPORT void ParseAccessControlExposeHeadersAllowList(
    const WebString&,