Mention withCredentials attribute in the error message about CORS check failure

third_party/WebKit/Source/core/fetch/CrossOriginAccessControl.cpp

 /*
  * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 173 matching lines @@
     }
   }
 
   if (allowOriginHeaderValue == starAtom) {
     // A wildcard Access-Control-Allow-Origin can not be used if credentials are
     // to be sent, even with Access-Control-Allow-Credentials set to true.
     if (includeCredentials == DoNotAllowStoredCredentials)
       return true;
     if (response.isHTTP()) {
       errorDescription = buildAccessControlFailureMessage(
-          "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' "
-          "header when the credentials flag is true.",
+          "The value of the 'Access-Control-Allow-Origin' header in the "
+          "response must not be the wildcard '*' when the request's "
+          "credentials mode is 'include'.",
           securityOrigin);
 
       if (context == WebURLRequest::RequestContextXMLHttpRequest) {
         errorDescription.append(
-            " The credentials mode of an XMLHttpRequest is controlled by the "
-            "withCredentials attribute.");
+            " The credentials mode of requests initiated by the "
+            "XMLHttpRequest is controlled by the withCredentials attribute.");
       }
 
       return false;
     }
   } else if (allowOriginHeaderValue != securityOrigin->toAtomicString()) {
     if (allowOriginHeaderValue.isNull()) {
       errorDescription = buildAccessControlFailureMessage(
           "No 'Access-Control-Allow-Origin' header is present on the requested "
           "resource.",
           securityOrigin);
@@ skipping 41 matching lines @@
           "'no-cors' to fetch the resource with CORS disabled.");
     }
     return false;
   }
 
   if (includeCredentials == AllowStoredCredentials) {
     const AtomicString& allowCredentialsHeaderValue =
         response.httpHeaderField(allowCredentialsHeaderName);
     if (allowCredentialsHeaderValue != "true") {
       errorDescription = buildAccessControlFailureMessage(
-          "Credentials flag is 'true', but the "
-          "'Access-Control-Allow-Credentials' header is '" +
+          "The value of the 'Access-Control-Allow-Credentials' header in "
+          "the response is '" +
               allowCredentialsHeaderValue +
-              "'. It must be 'true' to allow credentials.",
+              "' which must "
+              "be 'true' when the request's credentials mode is 'include'.",
           securityOrigin);
+
+      if (context == WebURLRequest::RequestContextXMLHttpRequest) {
+        errorDescription.append(
+            " The credentials mode of requests initiated by the "
+            "XMLHttpRequest is controlled by the withCredentials attribute.");
+      }
+
       return false;
     }
   }
 
   return true;
 }
 
 bool passesPreflightStatusCheck(const ResourceResponse& response,
                                 String& errorDescription) {
   // CORS preflight with 3XX is considered network error in
@@ skipping 146 matching lines @@
     //
     // This is equivalent to the step 2 in
     // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
     if (options.credentialsRequested == ClientDidNotRequestCredentials)
       options.allowCredentials = DoNotAllowStoredCredentials;
   }
   return true;
 }
 
 }  // namespace blink