From 640ff1a8149d911069c5b77ca9c0883abba2e9d3 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 22 Sep 2021 16:11:45 +0000 Subject: [PATCH] [credentialless] Update redirect behavior. In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: https://github.com/whatwg/fetch/pull/1229#discussion_r712175485 Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano Commit-Queue: Arthur Sonzogni Cr-Commit-Position: refs/heads/main@{#923884} --- services/network/url_loader.cc | 15 ++++++--------- .../credentialless/redirect.tentative.html | 2 +- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc index 3a0b5206dc3011..ad8882f0d37c1d 100644 --- a/services/network/url_loader.cc +++ b/services/network/url_loader.cc @@ -2359,15 +2359,12 @@ void URLLoader::SetRequestCredentials(const GURL& url) { ShouldSendClientCertificates(request_credentials_mode_) && coep_allow_credentials; - // TODO(https://crbug.com/799935) net::LOAD_DO_NOT_* are in the process of - // being converted to credentials_mode. Using set_allow_credentials will - // implicitly override the deprecated LOAD_DO_NOT_SAVE_COOKIE flag. As a - // result, set_allow_credentials should not be called when not needed, or it - // would have side effects. - if (url_request_->allow_credentials() != allow_credentials) - url_request_->set_allow_credentials(allow_credentials); - - url_request_->set_send_client_certs(allow_client_certificates); + // The decision not to include credentials is sticky. This is equivalent to + // checking the tainted origin flag in the fetch specification. + if (!allow_credentials) + url_request_->set_allow_credentials(false); + if (!allow_client_certificates) + url_request_->set_send_client_certs(false); // Contrary to Firefox or blink's cache, the HTTP cache doesn't distinguish // requests including user's credentials from the anonymous ones yet. See diff --git a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html index 219de4a9668695..f3bf02da6e27b2 100644 --- a/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html +++ b/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html @@ -53,7 +53,7 @@ redirectTest("same-origin -> cross-origin", same_origin, cross_origin, undefined) redirectTest("cross-origin -> same-origin", - cross_origin, same_origin, cookie_same_origin); + cross_origin, same_origin, undefined); redirectTest("cross-origin -> cross-origin", cross_origin, cross_origin, undefined); }, "Setup");