[credentialless] Update redirect behavior.

In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#923884}
luojiguicai · Sep 22, 2021 · 640ff1a · 640ff1a
1 parent 6cdf4b8
commit 640ff1a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc
@@ -2359,15 +2359,12 @@ void URLLoader::SetRequestCredentials(const GURL& url) {
       ShouldSendClientCertificates(request_credentials_mode_) &&
       coep_allow_credentials;
 
-  // TODO(https://crbug.com/799935) net::LOAD_DO_NOT_* are in the process of
-  // being converted to credentials_mode. Using set_allow_credentials will
-  // implicitly override the deprecated LOAD_DO_NOT_SAVE_COOKIE flag. As a
-  // result, set_allow_credentials should not be called when not needed, or it
-  // would have side effects.
-  if (url_request_->allow_credentials() != allow_credentials)
-    url_request_->set_allow_credentials(allow_credentials);
-
-  url_request_->set_send_client_certs(allow_client_certificates);
+  // The decision not to include credentials is sticky. This is equivalent to
+  // checking the tainted origin flag in the fetch specification.
+  if (!allow_credentials)
+    url_request_->set_allow_credentials(false);
+  if (!allow_client_certificates)
+    url_request_->set_send_client_certs(false);
 
   // Contrary to Firefox or blink's cache, the HTTP cache doesn't distinguish
   // requests including user's credentials from the anonymous ones yet. See

diff --git a/...sts/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html b/...sts/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html
@@ -53,7 +53,7 @@
   redirectTest("same-origin -> cross-origin",
     same_origin, cross_origin, undefined)
   redirectTest("cross-origin -> same-origin",
-    cross_origin, same_origin, cookie_same_origin);
+    cross_origin, same_origin, undefined);
   redirectTest("cross-origin -> cross-origin",
     cross_origin, cross_origin, undefined);
 }, "Setup");