2011-02-04 Martin Galpin <martin@66laps.com>
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 Feb 2011 22:41:55 +0000 (22:41 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 Feb 2011 22:41:55 +0000 (22:41 +0000)
        Reviewed by David Levin.

        CORS origin header not set on GET when a preflight request is required.
        https://bugs.webkit.org/show_bug.cgi?id=50773

        * http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt: Added.
        * http/tests/xmlhttprequest/cross-origin-preflight-get.html: Added.
        * http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php: Added.
2011-02-04  Martin Galpin  <martin@66laps.com>

        Reviewed by David Levin.

        CORS origin header not set on GET when a preflight request is required.
        https://bugs.webkit.org/show_bug.cgi?id=50773

        Test: http/tests/xmlhttprequest/cross-origin-preflight-get.html

        * loader/DocumentThreadableLoader.cpp:
        (WebCore::DocumentThreadableLoader::preflightSuccess):
        Explicitly set the request origin after a preflight request succeeds.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@77680 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get.html [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentThreadableLoader.cpp

index ce3785c..7af6a83 100644 (file)
@@ -1,3 +1,14 @@
+2011-02-04  Martin Galpin  <martin@66laps.com>
+
+        Reviewed by David Levin.
+
+        CORS origin header not set on GET when a preflight request is required.
+        https://bugs.webkit.org/show_bug.cgi?id=50773
+
+        * http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt: Added.
+        * http/tests/xmlhttprequest/cross-origin-preflight-get.html: Added.
+        * http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php: Added.
+
 2011-02-04  Jeremy Orlow  <jorlow@chromium.org>
 
         Reviewed by Nate Chapin.
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt
new file mode 100644 (file)
index 0000000..ef61511
--- /dev/null
@@ -0,0 +1,4 @@
+The "Origin" header must be sent with a "non-simple" cross-origin resource sharing request that uses the GET method.
+
+PASS: Origin header correctly sent
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get.html b/LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get.html
new file mode 100644 (file)
index 0000000..7f81f08
--- /dev/null
@@ -0,0 +1,32 @@
+<html>
+<body>
+<p>The "Origin" header must be sent with a "non-simple" cross-origin resource sharing request that uses the GET method.</p>
+<pre id="console"></pre>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+}
+
+function log(message)
+{
+    document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
+}
+
+
+function test()
+{
+    var xhr = new XMLHttpRequest();
+    xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/cross-origin-preflight-get.php", true);
+    // Make this a "non-simple" cross-origin request by adding a custom header.
+    xhr.setRequestHeader("X-Proprietary-Header", "foo");
+    xhr.onerror = function() { log("onerror") }
+    xhr.onload = function() {
+        log(xhr.responseText);
+    }
+    xhr.send(null);
+}
+
+test();
+</script>
+</body>
+</html>
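Review bot: The request in test() is opened asynchronously (third argument true), but the script only calls layoutTestController.dumpAsText() and never waitUntilDone()/notifyDone(), so the text dump may be taken before onload has logged the response. Call layoutTestController.waitUntilDone() next to dumpAsText() and notifyDone() from both onload and onerror, or make the request synchronous. The onerror handler also logs a bare "onerror"; prefixing it with "FAIL:" would make a blocked request obvious in the results.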
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php b/LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php
new file mode 100644 (file)
index 0000000..4846439
--- /dev/null
@@ -0,0 +1,9 @@
+<?php
+if(!isset($_SERVER['HTTP_ORIGIN'])) {
+    echo "FAIL: No origin header sent";
+} else {
+    header("Access-Control-Allow-Origin: *");
+    header("Access-Control-Allow-Headers: X-Proprietary-Header");
+    echo "PASS: Origin header correctly sent";
+}
+?>
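Review bot: The FAIL branch sends no Access-Control-Allow-Origin header, so when the Origin header is missing the cross-origin response is not readable by the page and the test reports "onerror" instead of "FAIL: No origin header sent". Moving the two header() calls above the if would let the failure text reach the test output. The check is also only isset($_SERVER['HTTP_ORIGIN']) and runs for every request method, so it passes for any Origin value and does not distinguish the preflight from the actual GET; checking $_SERVER['REQUEST_METHOD'] and comparing the value against the test page's origin would pin the test to the behaviour the bug describes.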
index d3abb5e..9c63ee0 100644 (file)
@@ -1,3 +1,16 @@
+2011-02-04  Martin Galpin  <martin@66laps.com>
+
+        Reviewed by David Levin.
+
+        CORS origin header not set on GET when a preflight request is required.
+        https://bugs.webkit.org/show_bug.cgi?id=50773
+        
+        Test: http/tests/xmlhttprequest/cross-origin-preflight-get.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::preflightSuccess): 
+        Explicitly set the request origin after a preflight request succeeds.
+
 2011-02-04  Jeremy Orlow  <jorlow@chromium.org>
 
         Reviewed by Nate Chapin.
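Review bot: Two added ChangeLog lines carry trailing whitespace: the otherwise blank line after the bug URL and the line ending in "(WebCore::DocumentThreadableLoader::preflightSuccess): ". Strip both before landing.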
index d0f7f48..0a132b1 100644 (file)
@@ -298,6 +298,8 @@ void DocumentThreadableLoader::preflightSuccess()
     OwnPtr<ResourceRequest> actualRequest;
     actualRequest.swap(m_actualRequest);
 
+    actualRequest->setHTTPOrigin(m_document->securityOrigin()->toString());
+
     // It should be ok to skip the security check since we already asked about the preflight request.
     loadRequest(*actualRequest, SkipSecurityCheck);
 }
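Review bot: The added setHTTPOrigin() call in preflightSuccess() has no comment, while the loadRequest() line directly below explains itself. Since the request is then loaded with SkipSecurityCheck, the Origin header is what the server bases its access decision on, so a one-line comment saying why the origin has to be set explicitly on the actual request at this point would help the next reader. This hunk fixes only the preflightSuccess() call site; if m_actualRequest can be sent from anywhere else, setting the origin where the request is first stored would cover every path with one call.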