0

Reland "Unify allow_credentials and credentials_mode on network::ResourceRequest"

This is a reland of 1ccc5eeed0

Original change's description:
> Unify allow_credentials and credentials_mode on network::ResourceRequest
>
> Remove allow_credentials, map allow_credentials: false to
> credentials_mode: kOmit and map allow_credentials: true to
> credentials_mode: kInclude.
>
> network::URLLoader cannot handle kSameOrigin. This CL doesn't change
> that. CORSURLLoader translates the value to either kOmit or kInclude.
>
> This works correctly even when OOR-CORS is disabled because in that
> case load flags are set in the renderer. One caveat is we will not
> be able to remove the load flags until we remove the blink-side CORS
> code (M78? M79?) with this change.
>
> This CL removes a validity check for credentials related settings in
> CorsURLLoaderFactory. Originally the check was introduced to check the
> inconsistency between credentials_mode and load flags. After that
> allow_credentials was introduced, and at
> https://crrev.com/c/chromium/src/+/1443976 the logic was changed to
> check the inconsistency between credentials_mode and allow_credentials.
> Now they are merged and we don't need the check.
>
> Bug: 799935
> Change-Id: Ic05b2d41456d91fd3f48416a3a3e8fc98e235756
> Tbr: bsimonnet@chromium.org, dimich@chromium.org, groby@chromium.org, markusheintz@chromium.org, olka@chromium.org, satorux@chromium.org, tbansal@chromium.org
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1695341
> Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Tom Sepez <tsepez@chromium.org>
> Reviewed-by: Greg Levin <glevin@chromium.org>
> Reviewed-by: Nico Weber <thakis@chromium.org>
> Reviewed-by: Nicolas Ouellet-Payeur <nicolaso@chromium.org>
> Reviewed-by: Friedrich [CET] <fhorschig@chromium.org>
> Reviewed-by: Marc Treib <treib@chromium.org>
> Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
> Reviewed-by: Vasilii Sukhanov <vasilii@chromium.org>
> Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Kyle Milka <kmilka@chromium.org>
> Reviewed-by: Wei-Yin Chen (陳威尹) <wychen@chromium.org>
> Reviewed-by: Mark Pearson <mpearson@chromium.org>
> Reviewed-by: Rebekah Potter <rbpotter@chromium.org>
> Reviewed-by: Emily Stark <estark@chromium.org>
> Reviewed-by: John Rummell <jrummell@chromium.org>
> Reviewed-by: Ganggui Tang <gogerald@chromium.org>
> Reviewed-by: Michael Martis <martis@chromium.org>
> Reviewed-by: Mathias Carlen <mcarlen@chromium.org>
> Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
> Reviewed-by: Patrick Noland <pnoland@chromium.org>
> Reviewed-by: Tommy Nyquist <nyquist@chromium.org>
> Reviewed-by: Matt Reynolds <mattreynolds@chromium.org>
> Reviewed-by: Scott Violet <sky@chromium.org>
> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
> Reviewed-by: David Benjamin <davidben@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#681698}

TBR=sky@chromium.org,horo@chromium.org,mpearson@chromium.org,davidben@chromium.org,thakis@chromium.org,toyoshim@chromium.org,nyquist@chromium.org,markusheintz@chromium.org,vasilii@chromium.org,jrummell@chromium.org,asvitkine@chromium.org,groby@chromium.org,bsimonnet@chromium.org,noel@chromium.org,rsorokin@chromium.org,glevin@chromium.org,yhirano@chromium.org,dimich@chromium.org,mmenke@chromium.org,nhiroki@chromium.org,sdefresne@chromium.org,tsepez@chromium.org,treib@chromium.org,estark@chromium.org,tbansal@chromium.org,gogerald@chromium.org,mattreynolds@chromium.org,wychen@chromium.org,olka@chromium.org,satorux@chromium.org,rbpotter@chromium.org,pnoland@chromium.org,fhorschig@chromium.org,martis@chromium.org,kmilka@chromium.org,jselover@chromium.org,nicolaso@chromium.org,mcarlen@chromium.org

Bug: 799935
Change-Id: Iec8067b3fed29bd6845077f5dc9c564d6640b6ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1722274
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#681719}
This commit is contained in:
Yutaka Hirano
2019-07-29 06:41:34 +00:00
committed by Commit Bot
parent ff2fb3d15b
commit 3d80498323
78 changed files with 99 additions and 206 deletions
chrome/browser
chromeos
components
content/browser
rlz/lib
services

@@ -166,7 +166,7 @@ void ContextualSearchDelegate::ResolveSearchTermFromContext() {
GetDiscourseContext(*context_));
// Disable cookies for this request.
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// Add Chrome experiment state to the request headers.
// Reset will delete any previous loader, and we won't get any callback.

@@ -131,7 +131,7 @@ ConnectivityChecker::ConnectivityChecker(
void ConnectivityChecker::StartAsyncCheck() {
auto request = std::make_unique<network::ResourceRequest>();
request->url = url_;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
request->load_flags = net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
url_loader_ = network::SimpleURLLoader::Create(std::move(request),
NO_TRAFFIC_ANNOTATION_YET);

@@ -115,7 +115,7 @@ void RlzPingHandler::Ping(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = request_url;
resource_request->load_flags = net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -695,7 +695,7 @@ void WebApkInstaller::SendRequest(
request->url = server_url_;
request->method = "POST";
request->load_flags = net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
loader_ = network::SimpleURLLoader::Create(std::move(request),
NO_TRAFFIC_ANNOTATION_YET);
loader_->AttachStringForUpload(*serialized_proto, kProtoMimeType);

@@ -396,7 +396,7 @@ void AvailabilityProber::CreateAndStartURLLoader() {
request->method = HttpMethodToString(http_method_);
request->headers = headers_;
request->load_flags = net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ =
network::SimpleURLLoader::Create(std::move(request), traffic_annotation_);

@@ -179,7 +179,8 @@ class AvailabilityProberTest : public testing::Test {
EXPECT_EQ(testing_header, "Hello world");
EXPECT_EQ(request->request.method, "GET");
EXPECT_EQ(request->request.load_flags, net::LOAD_DISABLE_CACHE);
EXPECT_FALSE(request->request.allow_credentials);
EXPECT_EQ(request->request.credentials_mode,
network::mojom::CredentialsMode::kOmit);
if (expect_random_guid) {
EXPECT_NE(request->request.url, kTestUrl);
EXPECT_TRUE(request->request.url.query().find("guid=") !=

@@ -136,7 +136,7 @@ void XmlDownloader::FetchXml() {
auto request = std::make_unique<network::ResourceRequest>();
request->url = source.url;
request->load_flags = net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
source.url_loader = network::SimpleURLLoader::Create(std::move(request),
traffic_annotation);
source.url_loader->SetRetryOptions(

@@ -87,7 +87,7 @@ class BackdropFetcher {
resource_request->method = "POST";
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -581,7 +581,7 @@ void ServicesCustomizationDocument::DoStartFileFetch() {
auto request = std::make_unique<network::ResourceRequest>();
request->url = url_;
request->load_flags = net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
request->headers.SetHeader("Accept", "application/json");
url_loader_ = network::SimpleURLLoader::Create(std::move(request),

@@ -89,7 +89,7 @@ void CustomizationWallpaperDownloader::StartRequest() {
resource_request->url = wallpaper_url_;
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// TODO(crbug.com/833390): Add a real traffic annotation here.
simple_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
MISSING_TRAFFIC_ANNOTATION);

@@ -162,7 +162,7 @@ void WilcoDtcSupportdWebRequestService::PerformRequest(
request->request = std::make_unique<network::ResourceRequest>();
request->request->method = http_method_str;
request->request->url = std::move(url);
request->request->allow_credentials = false;
request->request->credentials_mode = network::mojom::CredentialsMode::kOmit;
request->request->load_flags = net::LOAD_DISABLE_CACHE;
for (auto header : headers) {
request->request->headers.AddHeaderFromString(header);

@@ -118,7 +118,7 @@ void IntranetRedirectDetector::FinishSleep() {
resource_request->method = "HEAD";
// We don't want these fetches to affect existing state in the profile.
resource_request->load_flags = net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
network::mojom::URLLoaderFactory* loader_factory =
g_browser_process->system_network_context_manager()
->GetURLLoaderFactory();

@@ -116,7 +116,7 @@ void DialURLFetcher::Start(const GURL& url,
// help.
// net::LOAD_DISABLE_CACHE: The request should not touch the cache.
request->load_flags = net::LOAD_BYPASS_PROXY | net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
loader_ = network::SimpleURLLoader::Create(std::move(request),
kDialUrlFetcherTrafficAnnotation);

@@ -155,7 +155,7 @@ void PrivetURLLoader::Try() {
request->method = request_type_;
// Privet requests are relevant to hosts on local network only.
request->load_flags = net::LOAD_BYPASS_PROXY | net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
std::string token = GetPrivetAccessToken();
if (token.empty())

@@ -104,7 +104,7 @@ void NtpBackgroundService::FetchCollectionInfo() {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = collections_api_url_;
resource_request->method = "POST";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
collections_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);
@@ -197,7 +197,7 @@ void NtpBackgroundService::FetchCollectionImageInfo(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = collection_images_api_url_;
resource_request->method = "POST";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
collections_image_info_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);
@@ -294,7 +294,7 @@ void NtpBackgroundService::FetchNextCollectionImage(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = next_image_api_url_;
resource_request->method = "POST";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
next_image_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -244,7 +244,8 @@ void OneGoogleBarLoaderImpl::AuthenticatedURLLoader::Start() {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = api_url_;
resource_request->allow_credentials = true;
resource_request->credentials_mode =
network::mojom::CredentialsMode::kInclude;
SetRequestHeaders(resource_request.get());
resource_request->request_initiator =
url::Origin::Create(GURL(chrome::kChromeUINewTabURL));

@@ -129,7 +129,7 @@ void PromoService::Refresh() {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = GetApiUrl();
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->request_initiator =
url::Origin::Create(GURL(chrome::kChromeUINewTabURL));

@@ -81,7 +81,7 @@ void CommonNameMismatchHandler::CheckSuggestedUrl(
// since then the connection may be reused without checking the cert.
resource_request->url = check_url_;
resource_request->method = "HEAD";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -442,7 +442,7 @@ void SimpleGeolocationRequest::StartRequest() {
request->url = request_url_;
request->method = "POST";
request->load_flags = net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(request), NO_TRAFFIC_ANNOTATION_YET);

@@ -775,7 +775,8 @@ class PpdProviderImpl : public PpdProvider {
resource_request->url = url;
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode =
network::mojom::CredentialsMode::kOmit;
// TODO(luum): confirm correct traffic annotation
fetcher_ = network::SimpleURLLoader::Create(std::move(resource_request),

@@ -161,7 +161,7 @@ void ChromiumHttpConnection::Start() {
resource_request->method = "HEAD";
break;
}
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
const bool chunked_upload =
!chunked_upload_content_type_.empty() && method_ == Method::POST;

@@ -344,7 +344,7 @@ void TimeZoneRequest::StartRequest() {
auto request = std::make_unique<network::ResourceRequest>();
request->url = request_url_;
request->load_flags = net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ = network::SimpleURLLoader::Create(std::move(request),
NO_TRAFFIC_ANNOTATION_YET);

@@ -171,7 +171,7 @@ void ServiceImpl::StartLoader(Loader* loader) {
auto resource_request = std::make_unique<::network::ResourceRequest>();
resource_request->method = "POST";
resource_request->redirect_mode = ::network::mojom::RedirectMode::kError;
resource_request->allow_credentials = false;
resource_request->credentials_mode = ::network::mojom::CredentialsMode::kOmit;
if (access_token_.empty()) {
std::string query_str = base::StrCat({"key=", api_key_});
// query_str must remain valid until ReplaceComponents() has returned.

@@ -81,7 +81,7 @@ void CaptivePortalDetector::StartProbe(
// Can't safely use net::LOAD_DISABLE_CERT_NETWORK_FETCHES here,
// since then the connection may be reused without checking the cert.
resource_request->load_flags = net::LOAD_BYPASS_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -443,7 +443,7 @@ void DataReductionProxyPingbackClientImpl::CreateLoaderForDataAndStart() {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = pingback_url_;
resource_request->load_flags = net::LOAD_BYPASS_PROXY;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
// Attach variations headers.
variations::AppendVariationsHeader(

@@ -474,7 +474,7 @@ void DataReductionProxyConfigServiceClient::RetrieveRemoteConfig() {
resource_request->url = config_service_url_;
resource_request->method = "POST";
resource_request->load_flags = net::LOAD_BYPASS_PROXY;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// Attach variations headers.
url_loader_ = variations::CreateSimpleURLLoaderWithVariationsHeader(
std::move(resource_request), variations::InIncognito::kNo,

@@ -97,7 +97,7 @@ void SecureProxyChecker::CheckIfSecureProxyIsAllowed(
resource_request->url = params::GetSecureProxyCheckURL();
resource_request->load_flags =
net::LOAD_DISABLE_CACHE | net::LOAD_BYPASS_PROXY;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -195,7 +195,7 @@ std::unique_ptr<network::SimpleURLLoader> NetworkFetch::MakeLoader() {
resource_request->url = url;
resource_request->load_flags = net::LOAD_BYPASS_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = request_type_;
SetRequestHeaders(resource_request.get());

@@ -159,7 +159,7 @@ void FeedbackUploader::DispatchReport() {
})");
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = feedback_post_url_;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
// Tell feedback server about the variation state of this install.

@@ -107,7 +107,7 @@ void GCMChannelStatusRequest::Start() {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = request_url;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
resource_request->headers.SetHeader(net::HttpRequestHeaders::kUserAgent,
user_agent_);

@@ -138,7 +138,7 @@ class RequestImpl : public WebHistoryService::Request {
})");
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url_;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = post_data_ ? "POST" : "GET";
resource_request->headers.SetHeader(net::HttpRequestHeaders::kAuthorization,
"Bearer " + access_token_info.token);

@@ -81,7 +81,9 @@ void ImageDataFetcher::FetchImageData(
request->url = image_url;
request->referrer_policy = referrer_policy;
request->referrer = GURL(referrer);
request->allow_credentials = send_cookies;
request->credentials_mode = send_cookies
? network::mojom::CredentialsMode::kInclude
: network::mojom::CredentialsMode::kOmit;
std::unique_ptr<network::SimpleURLLoader> loader =
network::SimpleURLLoader::Create(std::move(request), traffic_annotation);

@@ -82,7 +82,8 @@ TEST_F(ImageDataFetcherTest, FetchImageData) {
// provide a response.
const network::ResourceRequest* pending_request;
EXPECT_TRUE(test_url_loader_factory_.IsPending(kImageURL, &pending_request));
EXPECT_FALSE(pending_request->allow_credentials);
EXPECT_EQ(pending_request->credentials_mode,
network::mojom::CredentialsMode::kOmit);
network::ResourceResponseHead head;
std::string raw_header =
@@ -115,7 +116,8 @@ TEST_F(ImageDataFetcherTest, FetchImageDataWithCookies) {
// provide a response.
const network::ResourceRequest* pending_request;
EXPECT_TRUE(test_url_loader_factory_.IsPending(kImageURL, &pending_request));
EXPECT_TRUE(pending_request->allow_credentials);
EXPECT_EQ(pending_request->credentials_mode,
network::mojom::CredentialsMode::kInclude);
network::ResourceResponseHead head;
std::string raw_header =

@@ -262,7 +262,7 @@ void GCMNetworkChannel::OnGetTokenComplete(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = BuildUrl(registration_id_);
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
resource_request->headers.SetHeader(net::HttpRequestHeaders::kAuthorization,
"Bearer " + access_token_);

@@ -254,7 +254,7 @@ void NetMetricsLogUploader::UploadLogToURL(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url;
// Drop cookies and auth data.
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
std::string reporting_info_string = SerializeReportingInfo(reporting_info);

@@ -472,7 +472,7 @@ void NetworkTimeTracker::CheckTime() {
// Not expecting any cookies, but just in case.
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// This cancels any outstanding fetch.
time_fetcher_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -290,7 +290,7 @@ std::unique_ptr<network::ResourceRequest>
JsonRequest::Builder::BuildResourceRequest() const {
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url_;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
resource_request->headers.SetHeader("Content-Type",
"application/json; charset=UTF-8");

@@ -443,7 +443,7 @@ void PopularSitesImpl::FetchPopularSites() {
})");
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = pending_url_;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);
simple_url_loader_->SetRetryOptions(

@@ -86,7 +86,7 @@ PrefetchRequestFetcher::PrefetchRequestFetcher(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url;
resource_request->method = message.empty() ? "GET" : "POST";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
std::string experiment_header = PrefetchExperimentHeader();
if (!experiment_header.empty())

@@ -283,7 +283,7 @@ void RemoteSuggestionsService::CreateExperimentalRequest(
std::string request_body =
FormatRequestBodyExperimentalService(current_url, visit_time);
AddVariationHeaders(request.get());
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// If authentication services are unavailable or if this request is still
// waiting for an oauth2 token, run the remote service without access

@@ -99,7 +99,7 @@ bool HintsFetcher::FetchOptimizationGuideServiceHints(
resource_request->method = "POST";
resource_request->load_flags = net::LOAD_BYPASS_PROXY;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -113,7 +113,7 @@ void AffiliationFetcher::StartRequest() {
resource_request->url = BuildQueryURL();
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -172,7 +172,7 @@ void PasswordRequirementsSpecFetcherImpl::Fetch(GURL origin,
})");
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = GetUrlForRequirementsSpec(version_, hash_prefix);
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
lookup->url_loader = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);
lookup->url_loader->DownloadToStringOfUnboundedSizeUntilCrashAndDie(

@@ -320,7 +320,7 @@ void PaymentManifestDownloader::InitiateDownload(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url;
resource_request->method = method;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
std::unique_ptr<network::SimpleURLLoader> loader =
network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -278,7 +278,7 @@ JobConfigurationBase::GetResourceRequest(bool bypass_proxy, int last_error) {
rr->method = "POST";
rr->load_flags =
net::LOAD_DISABLE_CACHE | (bypass_proxy ? net::LOAD_BYPASS_PROXY : 0);
rr->allow_credentials = false;
rr->credentials_mode = network::mojom::CredentialsMode::kOmit;
// If auth data is specified, use it to build the request.
if (auth_data_) {

@@ -92,7 +92,7 @@ void ExternalPolicyDataFetcher::Job::Start(
resource_request->url = url;
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("external_policy_fetcher", R"(

@@ -69,7 +69,7 @@ void UserInfoFetcher::Start(const std::string& access_token) {
resource_request->url = GaiaUrls::GetInstance()->oauth_user_info_url();
resource_request->headers.SetHeader(net::HttpRequestHeaders::kAuthorization,
MakeAuthorizationHeader(access_token));
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -90,7 +90,7 @@ void QuirksClient::StartDownload() {
resource_request->url = GURL(url);
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("quirks_display_fetcher", R"(

@@ -147,7 +147,7 @@ void LogUploader::StartScheduledUpload() {
resource_request->url = server_url_;
// We already drop cookies server-side, but we might as well strip them out
// client-side as well.
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
simple_url_loader_ = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -113,7 +113,7 @@ void SafeSearchURLCheckerClient::CheckURL(const GURL& url,
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = GURL(kSafeSearchApiUrl);
resource_request->method = "POST";
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
std::unique_ptr<network::SimpleURLLoader> simple_url_loader =
network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation_);

@@ -346,7 +346,7 @@ GaiaCookieManagerService::ExternalCcResultFetcher::CreateAndStartLoader(
auto request = std::make_unique<network::ResourceRequest>();
request->url = url;
request->allow_credentials = false;
request->credentials_mode = network::mojom::CredentialsMode::kOmit;
std::unique_ptr<network::SimpleURLLoader> loader =
network::SimpleURLLoader::Create(std::move(request), traffic_annotation);

@@ -167,7 +167,7 @@ bool SpellingServiceClient::RequestTextCheck(
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = BuildEndpointUrl(type);
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
std::unique_ptr<network::SimpleURLLoader> simple_url_loader =

@@ -420,7 +420,7 @@ SuggestionsServiceImpl::CreateSuggestionsRequest(
resource_request->url = url;
resource_request->method = "GET";
resource_request->load_flags = net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// Add Chrome experiment state to the request headers.
// TODO: We should call AppendVariationHeaders with explicit
// variations::SignedIn::kNo If the access_token is empty

@@ -92,7 +92,7 @@ void SyncStoppedReporter::ReportSyncStopped(const std::string& access_token,
resource_request->url = sync_event_url_;
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request->method = "POST";
resource_request->headers.SetHeader(
net::HttpRequestHeaders::kAuthorization,

@@ -535,7 +535,7 @@ bool VariationsService::DoFetchFromURL(const GURL& url, bool is_http_retry) {
})");
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = url;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
bool enable_deltas = false;
std::string serial_number =
field_trial_creator_.seed_store()->GetLatestSerialNumber();

@@ -157,7 +157,6 @@ ServiceWorkerSingleScriptUpdateChecker::ServiceWorkerSingleScriptUpdateChecker(
// default value.
// TODO(https://crbug.com/972458): Need the test.
resource_request.credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request.allow_credentials = false;
// |fetch_request_context_type| and |resource_type| roughly correspond to
// the request's |destination| in the Fetch spec.

@@ -559,7 +559,7 @@ SpeechRecognitionEngine::ConnectBothStreams(const FSMEventArgs&) {
}
})");
auto downstream_request = std::make_unique<network::ResourceRequest>();
downstream_request->allow_credentials = false;
downstream_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
downstream_request->url = downstream_url;
downstream_loader_ = std::make_unique<DownstreamLoader>(
std::move(downstream_request), downstream_traffic_annotation,
@@ -657,7 +657,7 @@ SpeechRecognitionEngine::ConnectBothStreams(const FSMEventArgs&) {
upstream_request->url = upstream_url;
upstream_request->method = "POST";
upstream_request->referrer = GURL(config_.origin_url);
upstream_request->allow_credentials = false;
upstream_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
if (use_framed_post_data_) {
upstream_request->headers.SetHeader(net::HttpRequestHeaders::kContentType,
"application/octet-stream");

@@ -120,7 +120,7 @@ SignedExchangeCertFetcher::SignedExchangeCertFetcher(
static_cast<int>(ResourceType::kSubResource);
// Cert requests should not send credential informartion, because the default
// credentials mode of Fetch is "omit".
resource_request_->allow_credentials = false;
resource_request_->credentials_mode = network::mojom::CredentialsMode::kOmit;
resource_request_->headers.SetHeader(network::kAcceptHeader,
kCertChainMimeType);
if (force_fetch) {

@@ -268,7 +268,8 @@ TEST_F(SignedExchangeCertFetcherTest, Simple) {
EXPECT_EQ(url_, mock_loader_factory_.url_request()->url);
EXPECT_EQ(static_cast<int>(ResourceType::kSubResource),
mock_loader_factory_.url_request()->resource_type);
EXPECT_FALSE(mock_loader_factory_.url_request()->allow_credentials);
EXPECT_EQ(mock_loader_factory_.url_request()->credentials_mode,
network::mojom::CredentialsMode::kOmit);
EXPECT_TRUE(mock_loader_factory_.url_request()->request_initiator->opaque());
std::string accept;
EXPECT_TRUE(
@@ -326,7 +327,8 @@ TEST_F(SignedExchangeCertFetcherTest, ForceFetchAndFail) {
mock_loader_factory_.url_request()->resource_type);
EXPECT_EQ(net::LOAD_DISABLE_CACHE | net::LOAD_BYPASS_CACHE,
mock_loader_factory_.url_request()->load_flags);
EXPECT_FALSE(mock_loader_factory_.url_request()->allow_credentials);
EXPECT_EQ(mock_loader_factory_.url_request()->credentials_mode,
network::mojom::CredentialsMode::kOmit);
mock_loader_factory_.client_ptr()->OnComplete(
network::URLLoaderCompletionStatus(net::ERR_INVALID_SIGNED_EXCHANGE));

@@ -91,7 +91,7 @@ void SignedExchangeValidityPinger::Start(
static_cast<int>(ResourceType::kSubResource);
// Set empty origin as the initiator and attach no cookies.
resource_request->request_initiator = url::Origin();
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// Always hit the network as it's meant to be a liveliness check.
// (While we don't check the result yet)
resource_request->load_flags |=

@@ -143,6 +143,7 @@ void WorkerScriptFetchInitiator::Start(
resource_request->referrer_policy = Referrer::ReferrerPolicyForUrlRequest(
outside_fetch_client_settings_object->referrer_policy);
resource_request->resource_type = static_cast<int>(resource_type);
resource_request->credentials_mode = credentials_mode;
// For a classic worker script request:
// https://html.spec.whatwg.org/C/#fetch-a-classic-worker-script
@@ -155,20 +156,6 @@ void WorkerScriptFetchInitiator::Start(
// module fetch flag is set, then set request's mode to "same-origin"."
resource_request->mode = network::mojom::RequestMode::kSameOrigin;
// When the credentials mode is "omit", clear |allow_credentials| and set
// load flags to disable sending credentials according to the comments in
// CorsURLLoaderFactory::IsSane().
// TODO(https://crbug.com/799935): Unify |LOAD_DO_NOT_*| into
// |allow_credentials|.
resource_request->credentials_mode = credentials_mode;
if (credentials_mode == network::mojom::CredentialsMode::kOmit) {
resource_request->allow_credentials = false;
const auto load_flags_pattern = net::LOAD_DO_NOT_SAVE_COOKIES |
net::LOAD_DO_NOT_SEND_COOKIES |
net::LOAD_DO_NOT_SEND_AUTH_DATA;
resource_request->load_flags |= load_flags_pattern;
}
switch (resource_type) {
case ResourceType::kWorker:
resource_request->fetch_request_context_type =

@@ -306,7 +306,7 @@ void PingRlzServer(std::string url,
auto resource_request = std::make_unique<network::ResourceRequest>();
resource_request->url = GURL(url);
resource_request->load_flags = net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
auto url_loader = network::SimpleURLLoader::Create(
std::move(resource_request), traffic_annotation);

@@ -154,7 +154,7 @@ bool NetworkLocationRequest::MakeRequest(
DCHECK(resource_request->url.is_valid());
resource_request->load_flags =
net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
traffic_annotation);

@@ -507,7 +507,7 @@ std::unique_ptr<network::SimpleURLLoader> Annotator::MakeRequestLoader(
resource_request->url = server_url;
resource_request->allow_credentials = false;
resource_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
// Put API key in request's header if a key exists, and the endpoint is
// trusted by Google.

@@ -454,11 +454,6 @@ void CorsURLLoader::StartRequest() {
request_.url, request_.mode, request_.request_initiator, fetch_cors_flag_,
tainted_, origin_access_list_);
if (!CalculateCredentialsFlag(request_.credentials_mode,
response_tainting_)) {
request_.allow_credentials = false;
}
// Note that even when |NeedsPreflight(request_)| holds we don't make a
// preflight request when |fetch_cors_flag_| is false (e.g., when the origin
// of the url is equal to the origin of the request.
@@ -488,6 +483,15 @@ void CorsURLLoader::StartNetworkRequest(
if (preflight_timing_info)
preflight_timing_info_.push_back(*preflight_timing_info);
// Here we overwrite the credentials mode sent to URLLoader because
// network::URLLoader doesn't understand |kSameOrigin|.
// TODO(crbug.com/943939): Fix this.
auto original_credentials_mode = request_.credentials_mode;
request_.credentials_mode =
CalculateCredentialsFlag(original_credentials_mode, response_tainting_)
? mojom::CredentialsMode::kInclude
: mojom::CredentialsMode::kOmit;
mojom::URLLoaderClientPtr network_client;
network_client_binding_.Bind(mojo::MakeRequest(&network_client));
// Binding |this| as an unretained pointer is safe because
@@ -497,6 +501,8 @@ void CorsURLLoader::StartNetworkRequest(
network_loader_factory_->CreateLoaderAndStart(
mojo::MakeRequest(&network_loader_), routing_id_, request_id_, options_,
request_, std::move(network_client), traffic_annotation_);
request_.credentials_mode = original_credentials_mode;
}
void CorsURLLoader::HandleComplete(const URLLoaderCompletionStatus& status) {

@@ -142,24 +142,6 @@ bool CorsURLLoaderFactory::IsSane(const NetworkContext* context,
return false;
}
const auto load_flags_pattern = net::LOAD_DO_NOT_SAVE_COOKIES |
net::LOAD_DO_NOT_SEND_COOKIES |
net::LOAD_DO_NOT_SEND_AUTH_DATA;
// The Fetch credential mode and lower-level options should match. If the
// Fetch mode is kOmit, then either |allow_credentials| must be false or
// all three load flags must be set. https://crbug.com/799935 tracks
// unifying |LOAD_DO_NOT_*| into |allow_credentials|.
if (request.credentials_mode == mojom::CredentialsMode::kOmit &&
request.allow_credentials &&
(request.load_flags & load_flags_pattern) != load_flags_pattern) {
LOG(WARNING) << "|credentials_mode| and |allow_credentials| or "
"|load_flags| contradict each "
"other.";
mojo::ReportBadMessage(
"CorsURLLoaderFactory: omit-credentials vs load_flags");
return false;
}
// Ensure that renderer requests are covered either by CORS or CORB.
if (process_id_ != mojom::kBrowserProcessId) {
switch (request.mode) {

@@ -120,7 +120,6 @@ TEST_F(CorsURLLoaderFactoryTest, DestructionOrder) {
GURL url("http://localhost");
request.mode = mojom::RequestMode::kNoCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = net::HttpRequestHeaders::kGetMethod;
request.url = url;
request.request_initiator = url::Origin::Create(url);

@@ -176,7 +176,6 @@ class CorsURLLoaderTest : public testing::Test {
ResourceRequest request;
request.mode = mode;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = net::HttpRequestHeaders::kGetMethod;
request.url = url;
request.request_initiator = url::Origin::Create(origin);
@@ -493,75 +492,6 @@ TEST_F(CorsURLLoaderTest, NavigateWithoutInitiator) {
EXPECT_EQ(net::OK, client().completion_status().error_code);
}
TEST_F(CorsURLLoaderTest, CredentialsModeAndLoadFlagsContradictEachOther1) {
ResourceRequest request;
request.mode = mojom::RequestMode::kNavigate;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.load_flags =
net::LOAD_DO_NOT_SAVE_COOKIES | net::LOAD_DO_NOT_SEND_COOKIES;
request.url = GURL("http://example.com/");
request.request_initiator = base::nullopt;
BadMessageTestHelper bad_message_helper;
CreateLoaderAndStart(request);
RunUntilComplete();
EXPECT_FALSE(IsNetworkLoaderStarted());
EXPECT_FALSE(client().has_received_redirect());
EXPECT_FALSE(client().has_received_response());
EXPECT_TRUE(client().has_received_completion());
EXPECT_EQ(net::ERR_INVALID_ARGUMENT, client().completion_status().error_code);
EXPECT_THAT(bad_message_helper.bad_message_reports(),
::testing::ElementsAre(
"CorsURLLoaderFactory: omit-credentials vs load_flags"));
}
TEST_F(CorsURLLoaderTest, CredentialsModeAndLoadFlagsContradictEachOther2) {
ResourceRequest request;
request.mode = mojom::RequestMode::kNavigate;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.load_flags =
net::LOAD_DO_NOT_SAVE_COOKIES | net::LOAD_DO_NOT_SEND_AUTH_DATA;
request.url = GURL("http://example.com/");
request.request_initiator = base::nullopt;
BadMessageTestHelper bad_message_helper;
CreateLoaderAndStart(request);
RunUntilComplete();
EXPECT_FALSE(IsNetworkLoaderStarted());
EXPECT_FALSE(client().has_received_redirect());
EXPECT_FALSE(client().has_received_response());
EXPECT_TRUE(client().has_received_completion());
EXPECT_EQ(net::ERR_INVALID_ARGUMENT, client().completion_status().error_code);
EXPECT_THAT(bad_message_helper.bad_message_reports(),
::testing::ElementsAre(
"CorsURLLoaderFactory: omit-credentials vs load_flags"));
}
TEST_F(CorsURLLoaderTest, CredentialsModeAndLoadFlagsContradictEachOther3) {
ResourceRequest request;
request.mode = mojom::RequestMode::kNavigate;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.load_flags =
net::LOAD_DO_NOT_SEND_COOKIES | net::LOAD_DO_NOT_SEND_AUTH_DATA;
request.url = GURL("http://example.com/");
request.request_initiator = base::nullopt;
BadMessageTestHelper bad_message_helper;
CreateLoaderAndStart(request);
RunUntilComplete();
EXPECT_FALSE(IsNetworkLoaderStarted());
EXPECT_FALSE(client().has_received_redirect());
EXPECT_FALSE(client().has_received_response());
EXPECT_TRUE(client().has_received_completion());
EXPECT_EQ(net::ERR_INVALID_ARGUMENT, client().completion_status().error_code);
EXPECT_THAT(bad_message_helper.bad_message_reports(),
::testing::ElementsAre(
"CorsURLLoaderFactory: omit-credentials vs load_flags"));
}
TEST_F(CorsURLLoaderTest, NavigationFromRenderer) {
ResourceRequest request;
request.mode = mojom::RequestMode::kNavigate;
@@ -1024,7 +954,6 @@ TEST_F(CorsURLLoaderTest,
ResourceRequest original_request;
original_request.mode = mojom::RequestMode::kCors;
original_request.credentials_mode = mojom::CredentialsMode::kOmit;
original_request.allow_credentials = false;
original_request.method = "PATCH";
original_request.url = url;
original_request.request_initiator = url::Origin::Create(origin);
@@ -1095,7 +1024,6 @@ TEST_F(CorsURLLoaderTest, RedirectInfoShouldBeUsed) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = "POST";
request.url = url;
request.request_initiator = url::Origin::Create(origin);
@@ -1178,7 +1106,6 @@ TEST_F(CorsURLLoaderTest, FollowErrorRedirect) {
ResourceRequest original_request;
original_request.mode = mojom::RequestMode::kCors;
original_request.credentials_mode = mojom::CredentialsMode::kOmit;
original_request.allow_credentials = false;
original_request.redirect_mode = mojom::RedirectMode::kError;
original_request.method = "GET";
original_request.url = url;
@@ -1401,7 +1328,6 @@ TEST_F(CorsURLLoaderTest, 304ForSimpleRevalidation) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = "GET";
request.url = url;
request.request_initiator = url::Origin::Create(origin);
@@ -1431,7 +1357,6 @@ TEST_F(CorsURLLoaderTest, 304ForSimpleGet) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = "GET";
request.url = url;
request.request_initiator = url::Origin::Create(origin);
@@ -1457,7 +1382,6 @@ TEST_F(CorsURLLoaderTest, 200ForSimpleRevalidation) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = "GET";
request.url = url;
request.request_initiator = url::Origin::Create(origin);
@@ -1487,7 +1411,6 @@ TEST_F(CorsURLLoaderTest, RevalidationAndPreflight) {
ResourceRequest original_request;
original_request.mode = mojom::RequestMode::kCors;
original_request.credentials_mode = mojom::CredentialsMode::kOmit;
original_request.allow_credentials = false;
original_request.method = "GET";
original_request.url = url;
original_request.request_initiator = url::Origin::Create(origin);
@@ -1630,7 +1553,6 @@ TEST_F(CorsURLLoaderTest, RequestWithHostHeaderFails) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = net::HttpRequestHeaders::kGetMethod;
request.url = GURL("https://foo.test/path");
request.request_initiator = url::Origin::Create(GURL("https://foo.test"));
@@ -1648,7 +1570,6 @@ TEST_F(CorsURLLoaderTest, RequestWithProxyAuthorizationHeaderFails) {
ResourceRequest request;
request.mode = mojom::RequestMode::kCors;
request.credentials_mode = mojom::CredentialsMode::kOmit;
request.allow_credentials = false;
request.method = net::HttpRequestHeaders::kGetMethod;
request.url = GURL("https://foo.test/path");
request.request_initiator = url::Origin::Create(GURL("https://foo.test"));

@@ -85,7 +85,6 @@ std::unique_ptr<ResourceRequest> CreatePreflightRequest(
preflight_request->referrer_policy = request.referrer_policy;
preflight_request->credentials_mode = mojom::CredentialsMode::kOmit;
preflight_request->allow_credentials = false;
preflight_request->load_flags = RetrieveCacheFlags(request.load_flags);
preflight_request->fetch_window_id = request.fetch_window_id;
preflight_request->render_frame_id = request.render_frame_id;

@@ -89,7 +89,6 @@ TEST(PreflightControllerCreatePreflightRequestTest, Credentials) {
PreflightController::CreatePreflightRequestForTesting(request);
EXPECT_EQ(mojom::CredentialsMode::kOmit, preflight->credentials_mode);
EXPECT_FALSE(preflight->allow_credentials);
}
TEST(PreflightControllerCreatePreflightRequestTest,

@@ -131,7 +131,7 @@ void OriginPolicyFetcher::FetchPolicy(mojom::URLLoaderFactory* factory) {
std::make_unique<ResourceRequest>();
policy_request->url = fetch_url_;
policy_request->request_initiator = url::Origin::Create(fetch_url_);
policy_request->allow_credentials = false;
policy_request->credentials_mode = network::mojom::CredentialsMode::kOmit;
url_loader_ =
SimpleURLLoader::Create(std::move(policy_request), traffic_annotation);

@@ -31,7 +31,6 @@ bool ResourceRequest::EqualsForTesting(const ResourceRequest& request) const {
cors_exempt_headers.ToString() ==
request.cors_exempt_headers.ToString() &&
load_flags == request.load_flags &&
allow_credentials == request.allow_credentials &&
plugin_child_id == request.plugin_child_id &&
resource_type == request.resource_type &&
priority == request.priority &&
@@ -79,11 +78,13 @@ bool ResourceRequest::EqualsForTesting(const ResourceRequest& request) const {
}
bool ResourceRequest::SendsCookies() const {
return allow_credentials && !(load_flags & net::LOAD_DO_NOT_SEND_COOKIES);
return credentials_mode == network::mojom::CredentialsMode::kInclude &&
!(load_flags & net::LOAD_DO_NOT_SEND_COOKIES);
}
bool ResourceRequest::SavesCookies() const {
return allow_credentials && !(load_flags & net::LOAD_DO_NOT_SAVE_COOKIES);
return credentials_mode == network::mojom::CredentialsMode::kInclude &&
!(load_flags & net::LOAD_DO_NOT_SAVE_COOKIES);
}
} // namespace network

@@ -55,7 +55,6 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE) ResourceRequest {
net::HttpRequestHeaders headers;
net::HttpRequestHeaders cors_exempt_headers;
int load_flags = 0;
bool allow_credentials = true;
int plugin_child_id = -1;
int resource_type = 0;
net::RequestPriority priority = net::IDLE;

@@ -189,7 +189,6 @@ bool StructTraits<
data.update_first_party_url_on_redirect();
out->is_prerendering = data.is_prerendering();
out->load_flags = data.load_flags();
out->allow_credentials = data.allow_credentials();
out->plugin_child_id = data.plugin_child_id();
out->resource_type = data.resource_type();
out->should_reset_appcache = data.should_reset_appcache();

@@ -102,9 +102,6 @@ struct COMPONENT_EXPORT(NETWORK_CPP_BASE)
static int32_t load_flags(const network::ResourceRequest& request) {
return request.load_flags;
}
static bool allow_credentials(const network::ResourceRequest& request) {
return request.allow_credentials;
}
static int32_t plugin_child_id(const network::ResourceRequest& request) {
return request.plugin_child_id;
}

@@ -65,7 +65,6 @@ TEST(URLRequestMojomTraitsTest, Roundtrips_ResourceRequest) {
original.headers.SetHeader("Accept", "text/xml");
original.cors_exempt_headers.SetHeader("X-Requested-With", "ForTesting");
original.load_flags = 3;
original.allow_credentials = true;
original.plugin_child_id = 5;
original.resource_type = 2;
original.priority = net::IDLE;

@@ -178,10 +178,6 @@ struct URLRequest {
// net::URLRequest load flags.
int32 load_flags;
// Whether to allow credentials for this request.
// See net::URLRequest::set_allow_credentials.
bool allow_credentials;
// If this request originated from a pepper plugin running in a child
// process, this identifies which process it came from. Otherwise, it
// is zero.
@@ -241,9 +237,9 @@ struct URLRequest {
RequestMode mode;
// https://fetch.spec.whatwg.org/#concept-request-credentials-mode
// Used mainly by CORS handling (out-of-blink CORS), Service Worker.
// If this member is kOmit, then DO_NOT_SAVE_COOKIES, DO_NOT_SEND_COOKIES,
// and DO_NOT_SEND_AUTH_DATA must be set on load_flags.
// Controls whether credentials are attached to this request.
// Currently kSameOrigin does not work with |mode: kNavigate|.
// TODO(yhirano): Fix this.
CredentialsMode credentials_mode;
// https://fetch.spec.whatwg.org/#concept-request-redirect-mode

@@ -461,8 +461,9 @@ URLLoader::URLLoader(
url_request_->SetLoadFlags(request.load_flags);
// net::LOAD_DO_NOT_* are in the process of being converted to
// allow_credentials. See https://crbug.com/799935.
if (!request.allow_credentials) {
// credentials_mode. See https://crbug.com/799935.
// TODO(crbug.com/943939): Make this work with CredentialsMode::kSameOrigin.
if (request.credentials_mode == mojom::CredentialsMode::kOmit) {
const auto creds_mask = net::LOAD_DO_NOT_SAVE_COOKIES |
net::LOAD_DO_NOT_SEND_COOKIES |
net::LOAD_DO_NOT_SEND_AUTH_DATA;