Revert of HTML Imports: Send credentials for same origin requests...

Revert of HTML Imports: Send credentials for same origin requests (https://codereview.chromium.org/196043002/)

Reason for revert:
The following tests crash on all debug bots.
- fast/shapes/shape-inside/shape-inside-image-set.html
- fast/shapes/shape-outside-floats/shape-outside-image-set.html


Original issue's description:
> HTML Imports: Send credentials for same origin requests
> 
> This captures following spec chagne: https://www.w3.org/Bugs/Public/show_bug.cgi?id=24905
> The essential part of the change is in HTMLImportsController.cpp.
> Anything else is to make it work with redirect.
> 
> The problem here is that allowCredentials flag is held both
> by ResourceLoaderOptions and ResourceRequest and these two
> can go out-of-sync. This change tries to make them in sync.
> 
> Such a state duplication should be resolved eventually, but
> that is another story.
> 
> BUG=348671
> TEST=import-cors-credentials.html
> R=dglazkov@chromium.org, japhet@chromium.org, abarth
> 
> Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169496
> 
> Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169578

TBR=abarth@chromium.org,dglazkov@chromium.org,japhet@chromium.org,morrita@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=348671

Review URL: https://codereview.chromium.org/199733008

git-svn-id: svn://svn.chromium.org/blink/trunk@169618 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/htmlimports/import-cors-credentials-expected.txt

-PASS sameOrigin.import.body.innerHTML is "PASS"
-PASS crossOrigin.import.body.innerHTML is "PASS"
-PASS fromSameToCrossOrigin.import.getElementById('crossOrigin').import.body.innerHTML is "PASS"
-PASS fromCrossToSameOrigin.import.getElementById('sameOrigin').import.body.innerHTML is "PASS"
-PASS successfullyParsed is true
-
-TEST COMPLETE
-

third_party/WebKit/LayoutTests/http/tests/htmlimports/import-cors-credentials.html

-<!DOCTYPE html>
-<script src="/js-test-resources/js-test.js"></script>
-<script>
-document.cookie = "key=HelloCredentials";
-</script>
-<link id="sameOrigin" rel="import" href="resources/cookie-match.cgi?key=HelloCredentials">
-<link id="crossOrigin" rel="import" href="http://localhost:8080/htmlimports/resources/cookie-match.cgi">
-<link id="fromSameToCrossOrigin" rel="import" href="resources/having-cookie-match-8080.html">
-<link id="fromCrossToSameOrigin" rel="import" href="http://localhost:8080/htmlimports/resources/having-cookie-match-same.cgi">
-<script>
-if (window.testRunner)
-    testRunner.dumpAsText();
-
-shouldBeEqualToString("sameOrigin.import.body.innerHTML", "PASS");
-shouldBeEqualToString("crossOrigin.import.body.innerHTML", "PASS");
-shouldBeEqualToString("fromSameToCrossOrigin.import.getElementById('crossOrigin').import.body.innerHTML", "PASS");
-shouldBeEqualToString("fromCrossToSameOrigin.import.getElementById('sameOrigin').import.body.innerHTML", "PASS");
-</script>

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/cookie-match.cgi

-#!/usr/bin/perl -wT
-use strict;
-
-my $query = $ENV{"QUERY_STRING"};
-my $cookie = $ENV{"HTTP_COOKIE"};
-
-$query =~ s/\?//g; # Squash "?" that is added to prevent dedup.
-
-print "Content-Type: text/html\n";
-print "Access-Control-Allow-Credentials: true\n";
-print "Access-Control-Allow-Origin: *\n";
-print "\n";
-
-if ($query eq $cookie) {
-    print "<body>PASS</body>"
-} else {
-    print "<body>FAIL: Cookie:" . $cookie .", Query:" . $query . "</body>";
-}

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/having-cookie-match-8080.html

-<!DOCTYPE html>
-<!-- Put ? at the end of the URL to prevent de-deup -->
-<link id="crossOrigin" rel="import" href="http://localhost:8080/htmlimports/resources/cookie-match.cgi?">

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/having-cookie-match-same.cgi

-#!/usr/bin/perl -wT
-use strict;
-
-print "Content-Type: text/html\n";
-print "Access-Control-Allow-Credentials: true\n";
-print "Access-Control-Allow-Origin: *\n";
-print "\n";
-print <<EOF
-<!DOCTYPE html>
-<!-- Put an extra "?" in the URL to prevent de-deup -->
-<link id="sameOrigin" rel="import" href="http://127.0.0.1:8000/htmlimports/resources/cookie-match.cgi?key=HelloCredentials?">
-EOF

third_party/WebKit/Source/core/css/CSSImageSetValue.cpp

@@ -106,7 +106,7 @@ StyleFetchedImageSet* CSSImageSetValue::cachedImageSet(ResourceFetcher* loader,
             FetchRequest request(ResourceRequest(document->completeURL(image.imageURL)), FetchInitiatorTypeNames::css, options);
 
             if (options.corsEnabled == IsCORSEnabled)
-                request.setCrossOriginAccessControl(loader->document()->securityOrigin(), options.allowCredentials, options.credentialsRequested);
+                request.setCrossOriginAccessControl(loader->document()->securityOrigin(), options.allowCredentials);
 
             if (ResourcePtr<ImageResource> cachedImage = loader->fetchImage(request)) {
                 m_imageSet = StyleFetchedImageSet::create(cachedImage.get(), image.scaleFactor, this);

third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

@@ -242,7 +242,7 @@ bool CrossOriginAccessControl::handleRedirect(Resource* resource, SecurityOrigin
         bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescription);
         if (allowRedirect) {
             // Step 5: perform resource sharing access check.
-            StoredCredentials withCredentials = resource->lastResourceRequest().allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+            StoredCredentials withCredentials = resource->resourceRequest().allowStoredCredentials() ? AllowStoredCredentials : DoNotAllowStoredCredentials;
             allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
             if (allowRedirect) {
                 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);

third_party/WebKit/Source/core/fetch/FetchRequest.cpp

@@ -69,18 +69,11 @@ FetchRequest::~FetchRequest()
 {
 }
 
-void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, StoredCredentials allowCredentials, CredentialRequest requested)
+void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, StoredCredentials allowCredentials)
 {
-    ASSERT(requested == ClientDidNotRequestCredentials || allowCredentials == AllowStoredCredentials);
     updateRequestForAccessControl(m_resourceRequest, origin, allowCredentials);
     m_options.corsEnabled = IsCORSEnabled;
     m_options.securityOrigin = origin;
-    m_options.credentialsRequested = requested;
-}
-
-void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, StoredCredentials allowCredentials)
-{
-    setCrossOriginAccessControl(origin, allowCredentials, allowCredentials == AllowStoredCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
 }
 
 void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, const AtomicString& crossOriginMode)

third_party/WebKit/Source/core/fetch/FetchRequest.h

@@ -59,7 +59,6 @@ public:
     DeferOption defer() const { return m_defer; }
     void setDefer(DeferOption defer) { m_defer = defer; }
     void setContentSecurityCheck(ContentSecurityPolicyCheck contentSecurityPolicyOption) { m_options.contentSecurityPolicyOption = contentSecurityPolicyOption; }
-    void setCrossOriginAccessControl(SecurityOrigin*, StoredCredentials, CredentialRequest);
     void setCrossOriginAccessControl(SecurityOrigin*, StoredCredentials);
     void setCrossOriginAccessControl(SecurityOrigin*, const AtomicString& crossOriginMode);
     OriginRestriction originRestriction() const { return m_originRestriction; }

third_party/WebKit/Source/core/fetch/Resource.cpp

@@ -336,13 +336,6 @@ static bool canUseResponse(const ResourceResponse& response, double responseTime
     return currentAge(response, responseTimestamp) <= freshnessLifetime(response, responseTimestamp);
 }
 
-const ResourceRequest& Resource::lastResourceRequest()
-{
-    if (!m_redirectChain.size())
-        return m_resourceRequest;
-    return m_redirectChain.last().m_request;
-}
-
 void Resource::willSendRequest(ResourceRequest& request, const ResourceResponse& response)
 {
     m_redirectChain.append(RedirectPair(request, response));

third_party/WebKit/Source/core/fetch/Resource.h

@@ -108,7 +108,6 @@ public:
     virtual bool shouldIgnoreHTTPStatusCodeErrors() const { return false; }
 
     ResourceRequest& resourceRequest() { return m_resourceRequest; }
-    const ResourceRequest& lastResourceRequest();
     const KURL& url() const { return m_resourceRequest.url();}
     Type type() const { return static_cast<Type>(m_type); }
     const ResourceLoaderOptions& options() const { return m_options; }

third_party/WebKit/Source/core/fetch/ResourceLoader.cpp

@@ -121,7 +121,7 @@ void ResourceLoader::init(const ResourceRequest& passedRequest)
     request.setReportLoadTiming(true);
     ASSERT(m_state != Terminated);
     ASSERT(!request.isNull());
-    m_originalRequest = m_request = applyOptions(request);
+    m_originalRequest = m_request = request;
     m_resource->updateRequest(request);
     m_host->didInitializeResourceLoader(this);
 }
@@ -153,6 +153,7 @@ void ResourceLoader::start()
     m_loader = adoptPtr(blink::Platform::current()->createURLLoader());
     ASSERT(m_loader);
     blink::WrappedResourceRequest wrappedRequest(m_request);
+    wrappedRequest.setAllowStoredCredentials(m_options.allowCredentials == AllowStoredCredentials);
     m_loader->loadAsynchronously(wrappedRequest, this);
 }
 
@@ -173,7 +174,7 @@ void ResourceLoader::setDefersLoading(bool defers)
     if (m_loader)
         m_loader->setDefersLoading(defers);
     if (!defers && !m_deferredRequest.isNull()) {
-        m_request = applyOptions(m_deferredRequest);
+        m_request = m_deferredRequest;
         m_deferredRequest = ResourceRequest();
         start();
     }
@@ -262,7 +263,7 @@ void ResourceLoader::willSendRequest(blink::WebURLLoader*, blink::WebURLRequest&
 {
     RefPtr<ResourceLoader> protect(this);
 
-    ResourceRequest& request(applyOptions(passedRequest.toMutableResourceRequest()));
+    ResourceRequest& request(passedRequest.toMutableResourceRequest());
     ASSERT(!request.isNull());
     const ResourceResponse& redirectResponse(passedRedirectResponse.toResourceResponse());
     ASSERT(!redirectResponse.isNull());
@@ -271,7 +272,6 @@ void ResourceLoader::willSendRequest(blink::WebURLLoader*, blink::WebURLRequest&
         return;
     }
 
-    applyOptions(request); // canAccessRedirect() can modify m_options so we should re-apply it.
     m_host->redirectReceived(m_resource, redirectResponse);
     m_resource->willSendRequest(request, redirectResponse);
     if (request.isNull() || m_state == Terminated)
@@ -456,6 +456,7 @@ void ResourceLoader::requestSynchronously()
     m_connectionState = ConnectionStateStarted;
 
     blink::WrappedResourceRequest requestIn(m_request);
+    requestIn.setAllowStoredCredentials(m_options.allowCredentials == AllowStoredCredentials);
     blink::WebURLResponse responseOut;
     responseOut.initialize();
     blink::WebURLError errorOut;
@@ -475,10 +476,4 @@ void ResourceLoader::requestSynchronously()
     didFinishLoading(0, monotonicallyIncreasingTime(), encodedDataLength);
 }
 
-ResourceRequest& ResourceLoader::applyOptions(ResourceRequest& request) const
-{
-    request.setAllowStoredCredentials(m_options.allowCredentials == AllowStoredCredentials);
-    return request;
-}
-
 }

third_party/WebKit/Source/core/fetch/ResourceLoader.h

@@ -93,8 +93,6 @@ private:
 
     bool responseNeedsAccessControlCheck() const;
 
-    ResourceRequest& applyOptions(ResourceRequest&) const;
-
     OwnPtr<blink::WebURLLoader> m_loader;
     RefPtr<ResourceLoaderHost> m_host;
 

third_party/WebKit/Source/core/html/HTMLLinkElement.cpp

@@ -692,8 +692,10 @@ void LinkStyle::process()
         // Load stylesheets that are not needed for the rendering immediately with low priority.
         FetchRequest request = builder.build(blocking);
         AtomicString crossOriginMode = m_owner->fastGetAttribute(HTMLNames::crossoriginAttr);
-        if (!crossOriginMode.isNull())
-            request.setCrossOriginAccessControl(document().securityOrigin(), crossOriginMode);
+        if (!crossOriginMode.isNull()) {
+            StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+            request.setCrossOriginAccessControl(document().securityOrigin(), allowCredentials);
+        }
         setResource(document().fetcher()->fetchCSSStyleSheet(request));
 
         if (!resource()) {

third_party/WebKit/Source/core/html/imports/HTMLImportsController.cpp

@@ -87,10 +87,7 @@ HTMLImportChild* HTMLImportsController::load(HTMLImport* parent, HTMLImportChild
         return child;
     }
 
-    bool sameOriginRequest = securityOrigin()->canRequest(request.url());
-    request.setCrossOriginAccessControl(
-        securityOrigin(), sameOriginRequest ? AllowStoredCredentials : DoNotAllowStoredCredentials,
-        ClientDidNotRequestCredentials);
+    request.setCrossOriginAccessControl(securityOrigin(), DoNotAllowStoredCredentials);
     ResourcePtr<RawResource> resource = parent->document()->fetcher()->fetchImport(request);
     if (!resource)
         return 0;