Remove FetchContext::CanRequest() call from ResourceLoader::DidReceiveResponse()

It's been wrong that this method was enclosed by the if with cors_handling_by_resource_fetcher in its condition. CanRequest() is not about CORS but CSP, etc. However, this was not harmful. Since ResourceLoader::WillFollowRedirect() just calls it on each redirect, calling this in DidReceiveResponse() was just redundant. So, remove it. The only concern was that the CanRequest() uses the SecurityOrigin on the ResourceLoaderOptions updated by HandleRedirect() on the last redirect if any, and we remove that effect. But it looks actually unnecessary. Bug: 736308 Change-Id: I8d7b30a1eac6d7f5f6151a0385e7019ab815c86c Reviewed-on: https://chromium-review.googlesource.com/581955 Commit-Queue: Takeshi Yoshino <tyoshino@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Cr-Commit-Position: refs/heads/master@{#491350}

Remove FetchContext::CanRequest() call from ResourceLoader::DidReceiveResponse()
It's been wrong that this method was enclosed by the if with cors_handling_by_resource_fetcher in its condition. CanRequest() is not about CORS but CSP, etc. However, this was not harmful. Since ResourceLoader::WillFollowRedirect() just calls it on each redirect, calling this in DidReceiveResponse() was just redundant. So, remove it. The only concern was that the CanRequest() uses the SecurityOrigin on the ResourceLoaderOptions updated by HandleRedirect() on the last redirect if any, and we remove that effect. But it looks actually unnecessary. Bug: 736308 Change-Id: I8d7b30a1eac6d7f5f6151a0385e7019ab815c86c Reviewed-on: https://chromium-review.googlesource.com/581955 Commit-Queue: Takeshi Yoshino <tyoshino@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Cr-Commit-Position: refs/heads/master@{#491350}
e4f503e9 · Takeshi Yoshino · Commit Bot · 38e8c8f8 · e4f503e9 · e4f503e9
Commit e4f503e9 authored Aug 02, 2017 by Takeshi Yoshino Committed by Commit Bot Aug 02, 2017
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-css-resources-expected.txt
 CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
 CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure image 'http://example.test:8080/resources/square20.png'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-resources.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
 This test opens a window that loads a style sheet which fetches an insecure background image and an insecure web font. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.
--- a/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/insecure-font-in-main-frame-expected.txt
 CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
-CONSOLE WARNING: Mixed Content: The page at 'https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-font.html' was loaded over HTTPS, but requested an insecure font 'http://example.test:8080/css/resources/cors-ahem.php'. This content should also be served over HTTPS.
 This test opens a window that loads an insecure font. We should trigger a mixed content callback because the main frame in the window is HTTPS but is displaying insecure content.
--- a/third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp
+++ b/third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp
@@ -528,32 +528,14 @@ void ResourceLoader::DidReceiveResponse(
  } else if (options.cors_handling_by_resource_fetcher ==
                 kEnableCORSHandlingByResourceFetcher &&
             fetch_request_mode == WebURLRequest::kFetchRequestModeCORS) {
-    bool unused_preload = resource_->IsUnusedPreload();
-    // Redirects can change the response URL different from one of request.
-    const KURL& response_url = response.Url();
-    ResourceRequestBlockedReason blocked_reason = Context().CanRequest(
-        resource_type, initial_request, response_url, options,
-        /* Don't send security violation reports for unused preloads */
-        (unused_preload ? SecurityViolationReportingPolicy::kSuppressReporting
-                        : SecurityViolationReportingPolicy::kReport),
-        FetchParameters::kUseDefaultOriginRestrictionForType,
-        initial_request.GetRedirectStatus());
-    if (blocked_reason != ResourceRequestBlockedReason::kNone) {
-      HandleError(ResourceError::CancelledDueToAccessCheckError(
-          response_url, blocked_reason));
-      return;
-    }
    if (!resource_->IsSameOriginOrCORSSuccessful()) {
-      if (!unused_preload) {
+      if (!resource_->IsUnusedPreload())
        Context().AddErrorConsoleMessage(cors_error_msg.ToString(),
                                         FetchContext::kJSSource);
-      }
+      // Redirects can change the response URL different from one of request.
      HandleError(ResourceError::CancelledDueToAccessCheckError(
-          response_url, ResourceRequestBlockedReason::kOther));
+          response.Url(), ResourceRequestBlockedReason::kOther));
      return;
    }
  }