Improve console log message for CORS failure

Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 164 matching lines @@
 
 bool passesPreflightStatusCheck(const ResourceResponse& response, String& errorDescription)
 {
     // CORS preflight with 3XX is considered network error in
     // Fetch API Spec:
     //   https://fetch.spec.whatwg.org/#cors-preflight-fetch
     // CORS Spec:
     //   http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
     // https://crbug.com/452394
     if (response.httpStatusCode() < 200 || response.httpStatusCode() >= 300) {
-        errorDescription = "Invalid HTTP status code " + String::number(response.httpStatusCode());
+        errorDescription = "Response for preflight has invalid HTTP status code " + String::number(response.httpStatusCode());

[tyoshino (SeeGerritForStatus), 2015/06/30 05:30:08]

Split this change into https://codereview.chromium.org/1219693006/

         return false;
     }
 
     return true;
 }
 
 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
 {
     Vector<String> headers;
     headerValue.split(',', false, headers);
@@ skipping 13 matching lines @@
     }
 
     if (!(requestURL.user().isEmpty() && requestURL.pass().isEmpty())) {
         errorDescription = "The request was redirected to a URL ('" + requestURL.string() + "') containing userinfo, which is disallowed for cross-origin requests.";
         return false;
     }
 
     return true;
 }
 
-bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, ResourceRequest& request, const ResourceResponse& redirectResponse, StoredCredentials withCredentials, ResourceLoaderOptions& options, String& errorMessage)
+bool CrossOriginAccessControl::handleRedirect(SecurityOrigin* securityOrigin, ResourceRequest& newRequest, const ResourceResponse& redirectResponse, StoredCredentials withCredentials, ResourceLoaderOptions& options, String& errorMessage)
 {
     // http://www.w3.org/TR/cors/#redirect-steps terminology:
     const KURL& originalURL = redirectResponse.url();
-    const KURL& requestURL = request.url();
+    const KURL& newURL = newRequest.url();
 
-    bool redirectCrossOrigin = !securityOrigin->canRequest(requestURL);
+    bool redirectCrossOrigin = !securityOrigin->canRequest(newURL);
 
     // Same-origin request URLs that redirect are allowed without checking access.
     if (!securityOrigin->canRequest(originalURL)) {
         // Follow http://www.w3.org/TR/cors/#redirect-steps
         String errorDescription;
 
         // Steps 3 & 4 - check if scheme and other URL restrictions hold.
-        bool allowRedirect = isLegalRedirectLocation(requestURL, errorDescription);
-        if (allowRedirect) {
-            // Step 5: perform resource sharing access check.
-            allowRedirect = passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription);
-            if (allowRedirect) {
-                RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
-                // Step 6: if the request URL origin is not same origin as the original URL's,
-                // set the source origin to a globally unique identifier.
-                if (!originalOrigin->canRequest(requestURL)) {
-                    options.securityOrigin = SecurityOrigin::createUnique();
-                    securityOrigin = options.securityOrigin.get();
-                }
-            }
-        }
-        if (!allowRedirect) {
+        if (!isLegalRedirectLocation(newURL, errorDescription))

[sof, 2015/06/25 11:24:18]

This generated a console error message before containing the source origin, but
doesn't now. Wouldn't it be helpful to include that?

[tyoshino (SeeGerritForStatus), 2016/07/22 12:46:45]

Good catch. Reverted.

+            return false;
+
+        // Step 5: perform resource sharing access check.
+        if (!passesAccessControlCheck(redirectResponse, withCredentials, securityOrigin, errorDescription)) {
             const String& originalOrigin = SecurityOrigin::create(originalURL)->toString();
             errorMessage = "Redirect at origin '" + originalOrigin + "' has been blocked from loading by Cross-Origin Resource Sharing policy: " + errorDescription;
             return false;
         }
+
+        RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::create(originalURL);
+        // Step 6: if the request URL origin is not same origin as the original URL's,
+        // set the source origin to a globally unique identifier.
+        if (!originalOrigin->canRequest(newURL)) {
+            options.securityOrigin = SecurityOrigin::createUnique();
+            securityOrigin = options.securityOrigin.get();
+        }
     }
     if (redirectCrossOrigin) {
         // If now to a different origin, update/set Origin:.
-        request.clearHTTPOrigin();
-        request.setHTTPOrigin(securityOrigin->toAtomicString());
+        newRequest.clearHTTPOrigin();
+        newRequest.setHTTPOrigin(securityOrigin->toAtomicString());

[sof, 2015/06/25 11:24:18]

(This doesn't actually do what's intended, btw.)

         // If the user didn't request credentials in the first place, update our
         // state so we neither request them nor expect they must be allowed.
         if (options.credentialsRequested == ClientDidNotRequestCredentials)
             options.allowCredentials = DoNotAllowStoredCredentials;
     }
     return true;
 }
 
 } // namespace blink