[import] Use master document's origin to resolve CORS

This follows the spec change on https://www.w3.org/Bugs/Public/show_bug.cgi?id=24905
where the fetch origin is given by the master document, not the referring document.
This matches what CSP in imports is doing: Using master's CSP directive to regulate
all the imports.

In implemntation, it just set ResourceLoaderOptions::m_securityOrigin in
FetchRequest::setCrossOriginAccessControl() because HTMLImportsController
happened to pass the master' origin already.
(That was wrong but wasn't covered by the test.)

This change doesn't affect other FetchRequest client because in other callsite,
m_securityOrigin is same as one that is used when it is absent.

TEST=cors-same-origin.html
BUG=348671
R=abarth@chromium.org, dglazkov@chromium.org

Review URL: https://codereview.chromium.org/186803005

git-svn-id: svn://svn.chromium.org/blink/trunk@168497 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/http/tests/htmlimports/cors-same-origin-expected.txt

-PASS target.import.querySelector('h1').innerHTML is 'Hello, CORS!'
+CONSOLE ERROR: Imported resource from origin 'http://localhost:8080' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
+PASS basic.import.querySelector('h1').innerHTML is "Hello, CORS!"
+PASS nested.import.querySelector('#sameOriginNoCors').import is null
+PASS nested.import.querySelector('#sameOriginCors').import.querySelector('h1').innerHTML is "Hello, CORS!"
+PASS nested.import.querySelector('#masterOriginNoCors').import.querySelector('h1').innerHTML is "Hello"
+PASS nested.import.querySelector('#masterOriginCors').import.querySelector('h1').innerHTML is "Hello, CORS!"
 PASS successfullyParsed is true
 
 TEST COMPLETE

third_party/WebKit/LayoutTests/http/tests/htmlimports/cors-same-origin.html

 <!DOCTYPE html>
 <html>
 <head>
-<link id="target" rel="import" href="http://localhost:8080/htmlimports/resources/cors-basic.cgi">
+<link id="basic" rel="import" href="http://localhost:8080/htmlimports/resources/cors-basic.cgi">
+<link id="nested" rel="import" href="http://localhost:8080/htmlimports/resources/cors-subimports.cgi">
 <script src="/js-test-resources/js-test.js"></script>
 </head>
 <body>
 <script>
-shouldBe("target.import.querySelector('h1').innerHTML", "'Hello, CORS!'");
+
+shouldBeEqualToString("basic.import.querySelector('h1').innerHTML", "Hello, CORS!");
+shouldBeNull("nested.import.querySelector('#sameOriginNoCors').import");
+shouldBeEqualToString("nested.import.querySelector('#sameOriginCors').import.querySelector('h1').innerHTML", "Hello, CORS!");
+shouldBeEqualToString("nested.import.querySelector('#masterOriginNoCors').import.querySelector('h1').innerHTML", "Hello");
+shouldBeEqualToString("nested.import.querySelector('#masterOriginCors').import.querySelector('h1').innerHTML", "Hello, CORS!");
+
 </script>
 </body>
 </html>

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/child-having-domain-policy.cgi

@@ -9,7 +9,7 @@ print <<EOF
 <!DOCTYPE html>
 <html>
 <head>
-<link rel="import" href="having-domain-policy.html">
+<link rel="import" href="having-domain-policy.cgi">
 </head>
 </html>
 EOF

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/cors-basic.cgi

@@ -6,4 +6,3 @@ print "Access-Control-Allow-Credentials: true\n";
 print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
 
 print "<html><body><h1>Hello, CORS!</h1></body></html>\n";
-

third_party/WebKit/LayoutTests/http/tests/htmlimports/resources/cors-subimports.cgi

+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/html\n";
+print "Access-Control-Allow-Credentials: true\n";
+print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+print <<EOF
+<!DOCTYPE html>
+<link id="sameOriginCors" rel="import" href="cors-basic.cgi?1">
+<link id="sameOriginNoCors" rel="import" href="resources/hello.html?1">
+<link id="masterOriginNoCors" rel="import" href="http://127.0.0.1:8000/htmlimports/resources/hello.html?2">
+<link id="masterOriginCors" rel="import" href="http://127.0.0.1:8000/htmlimports/resources/cors-basic.cgi?2">
+EOF
+

third_party/WebKit/Source/core/fetch/FetchRequest.cpp

@@ -73,13 +73,12 @@ void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, StoredCre
 {
     updateRequestForAccessControl(m_resourceRequest, origin, allowCredentials);
     m_options.corsEnabled = IsCORSEnabled;
+    m_options.securityOrigin = origin;
 }
 
 void FetchRequest::setCrossOriginAccessControl(SecurityOrigin* origin, const AtomicString& crossOriginMode)
 {
-    StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
-    updateRequestForAccessControl(m_resourceRequest, origin, allowCredentials);
-    m_options.corsEnabled = IsCORSEnabled;
+    setCrossOriginAccessControl(origin, equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials);
 }
 
 } // namespace WebCore