[CORS] Set preflight request mode correctly

CORS preflight request mode was set to kNoCors up until now, and with cross-origin-embedder-policy: require-corp CORS preflights fail unless a CORP header is attached. Fix the bug. Bug: 1116990 Change-Id: Id91c8d92a17c701bacb2289c2f5a23561f3e7538 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2362065 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#799531}

[CORS] Set preflight request mode correctly
CORS preflight request mode was set to kNoCors up until now, and with cross-origin-embedder-policy: require-corp CORS preflights fail unless a CORP header is attached. Fix the bug. Bug: 1116990 Change-Id: Id91c8d92a17c701bacb2289c2f5a23561f3e7538 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2362065 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Cr-Commit-Position: refs/heads/master@{#799531}
ed257e2b · Yutaka Hirano · Commit Bot · 70c1a27b · ed257e2b · ed257e2b
Commit ed257e2b authored Aug 19, 2020 by Yutaka Hirano Committed by Commit Bot Aug 19, 2020
6 changed files
--- a/services/network/cors/preflight_controller.cc
+++ b/services/network/cors/preflight_controller.cc
@@ -89,6 +89,7 @@ std::unique_ptr<ResourceRequest> CreatePreflightRequest(
  preflight_request->destination = request.destination;
  preflight_request->referrer = request.referrer;
  preflight_request->referrer_policy = request.referrer_policy;
+  preflight_request->mode = mojom::RequestMode::kCors;

  preflight_request->credentials_mode = mojom::CredentialsMode::kOmit;
  preflight_request->load_flags = RetrieveCacheFlags(request.load_flags);

--- a/services/network/cors/preflight_controller_unittest.cc
+++ b/services/network/cors/preflight_controller_unittest.cc
@@ -363,6 +363,10 @@ class PreflightControllerTest : public testing::Test {
    network::mojom::URLLoaderFactoryParamsPtr params =
        network::mojom::URLLoaderFactoryParams::New();
    params->process_id = mojom::kBrowserProcessId;
+    // We use network::CorsURLLoaderFactory for "internal" URLLoaderFactory
+    // used by the PreflightController. Hence here we disable CORS as otherwise
+    // the URLLoader would create a CORS-preflight for the preflight request.
+    params->disable_web_security = true;
    params->is_corb_enabled = false;
    network_context_remote_->CreateURLLoaderFactory(
        url_loader_factory_remote_.BindNewPipeAndPassReceiver(),

--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/none-sw-from-none.https.html
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/none-sw-from-none.https.html
@@ -77,9 +77,13 @@ promise_test(async (t) => {

 promise_test(async (t) => {
  const URL = remote(
-    '/common/blank.html?pipe=header(access-control-allow-origin,*');
+    '/common/blank.html?pipe=header(access-control-allow-origin,*)');
  await fetch(URL, {mode: 'cors'});
 }, 'making a cross-origin request with CORS');

+promise_test(async (t) => {
+  const URL = remote('/fetch/api/resources/preflight.py?allow_headers=hoge');
+  await fetch(URL, {mode: 'cors', headers: {'hoge': 'fuga'}});
+}, 'making a cross-origin request with CORS-preflight');
 </script>
 </html>
--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/none-sw-from-require-corp.https.html
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/none-sw-from-require-corp.https.html
@@ -80,9 +80,14 @@ promise_test(async (t) => {

 promise_test(async (t) => {
  const URL = remote(
-    '/common/blank.html?pipe=header(access-control-allow-origin,*');
+    '/common/blank.html?pipe=header(access-control-allow-origin,*)');
  await fetch(URL, {mode: 'cors'});
 }, 'making a cross-origin request with CORS');

+promise_test(async (t) => {
+  const URL = remote('/fetch/api/resources/preflight.py?allow_headers=hoge');
+  await fetch(URL, {mode: 'cors', headers: {'hoge': 'fuga'}});
+}, 'making a cross-origin request with CORS-preflight');
+
 </script>
 </html>
--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/require-corp-sw-from-none.https.html
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/require-corp-sw-from-none.https.html
@@ -79,9 +79,14 @@ promise_test(async (t) => {

 promise_test(async (t) => {
  const URL = remote(
-    '/common/blank.html?pipe=header(access-control-allow-origin,*');
+    '/common/blank.html?pipe=header(access-control-allow-origin,*)');
  await fetch(URL, {mode: 'cors'});
 }, 'making a cross-origin request with CORS');

+promise_test(async (t) => {
+  const URL = remote('/fetch/api/resources/preflight.py?allow_headers=hoge');
+  await fetch(URL, {mode: 'cors', headers: {'hoge': 'fuga'}});
+}, 'making a cross-origin request with CORS-preflight');
+
 </script>
 </html>
--- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/require-corp-sw-from-require-corp.https.html
+++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/require-corp-sw-from-require-corp.https.html
@@ -81,9 +81,13 @@ promise_test(async (t) => {

 promise_test(async (t) => {
  const URL = remote(
-    '/common/blank.html?pipe=header(access-control-allow-origin,*');
+    '/common/blank.html?pipe=header(access-control-allow-origin,*)');
  await fetch(URL, {mode: 'cors'});
 }, 'making a cross-origin request with CORS');

+promise_test(async (t) => {
+  const URL = remote('/fetch/api/resources/preflight.py?allow_headers=hoge');
+  await fetch(URL, {mode: 'cors', headers: {'hoge': 'fuga'}});
+}, 'making a cross-origin request with CORS-preflight');
 </script>
 </html>