Source/WebCore/ChangeLog

 12011-02-04 Martin Galpin <martin@66laps.com>
 2
 3 Reviewed by NOBODY (OOPS!).
 4
 5 Bug 50773: CORS origin header not set on GET when a preflight request
 6 is required.
 7
 8 Test: http/tests/xmlhttprequest/cross-origin-preflight-get.html
 9
 10 * loader/DocumentThreadableLoader.cpp:
 11 (WebCore::DocumentThreadableLoader::preflightSuccess):
 12 Explicitly set the request origin after a preflight request succeeds.
 13
1142011-02-04 Peter Varga <pvarga@webkit.org>
215
316 Rubber-stamped by Csaba Osztrogonác.
77626
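Review bot: The Source/WebCore ChangeLog entry (new lines 5-6) gives the bug title but not the bug URL, while the LayoutTests entry for the same change includes https://bugs.webkit.org/show_bug.cgi?id=50773. Add the URL line here too so both entries link to the bug, and fill in the "Reviewed by NOBODY (OOPS!)" placeholder before landing.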

Source/WebCore/loader/DocumentThreadableLoader.cpp

@@void DocumentThreadableLoader::preflight
297297{
298298 OwnPtr<ResourceRequest> actualRequest;
299299 actualRequest.swap(m_actualRequest);
 300
 301 // Explicitly set the origin of this request
 302 actualRequest->setHTTPOrigin(m_document->securityOrigin()->toString());
300303
301304 // It should be ok to skip the security check since we already asked about the preflight request.
302305 loadRequest(*actualRequest, SkipSecurityCheck);
77619
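Review bot: The comment on new line 301, "Explicitly set the origin of this request", restates the call on line 302 without saying why it is needed. State the reason from the ChangeLog: after a successful preflight the actual GET request otherwise goes out without an Origin header, so the server cannot evaluate the request's origin. The call is also unconditional, so please confirm in the comment or the ChangeLog that replacing any origin already present on actualRequest is intended for the other methods that reach preflightSuccess.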

LayoutTests/ChangeLog

 12011-02-04 Martin Galpin <martin@66laps.com>
 2
 3 Reviewed by NOBODY (OOPS!).
 4
 5 Bug 50773: CORS origin header not set on GET when a preflight request is
 6 required. https://bugs.webkit.org/show_bug.cgi?id=50773
 7
 8 * http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt: Added.
 9 * http/tests/xmlhttprequest/cross-origin-preflight-get.html: Added.
 10 * http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php: Added.
 11
1122011-02-04 Ilya Tikhonovsky <loislo@chromium.org>
213
314 Unreviewed.
77626

LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get-expected.txt

 1Test case for issue #50773 - the "Origin" header should be properly sent with a non-simple cross-origin resource sharing request that uses the GET method.
 2
 3PASS: Origin header correctly sent
 4
0

LayoutTests/http/tests/xmlhttprequest/cross-origin-preflight-get.html

 1<html>
 2<body>
 3<p>Test case for issue #50773 - the "Origin" header should be properly sent with a non-simple cross-origin resource sharing request that uses the GET method.</p>
 4<pre id="console"></pre>
 5<script>
 6if (window.layoutTestController) {
 7 layoutTestController.dumpAsText();
 8}
 9
 10function log(message)
 11{
 12 document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
 13}
 14
 15
 16function test()
 17{
 18 var xhr = new XMLHttpRequest();
 19 xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/cross-origin-preflight-get.php", true);
 20 xhr.setRequestHeader("X-Proprietary-Header", "foo"); // make this a non-simple CORS request
 21 xhr.onerror = function() { log("onerror") }
 22 xhr.onload = function() {
 23 log(xhr.responseText);
 24 }
 25 xhr.send(null);
 26}
 27
 28test();
 29</script>
 30</body>
 31</html>
0
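Review bot: The XHR on lines 18-25 is asynchronous (third argument to open() is true), but the layoutTestController block on lines 6-8 only calls dumpAsText(), so the harness can dump the page before onload or onerror has logged anything. Call layoutTestController.waitUntilDone() next to dumpAsText() and layoutTestController.notifyDone() at the end of both the onload and onerror handlers, guarded by the same window.layoutTestController check.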

LayoutTests/http/tests/xmlhttprequest/resources/cross-origin-preflight-get.php

 1<?php
 2// Test case for the preflight cross-origin request using GET (issue #50773)
 3if(!isset($_SERVER['HTTP_ORIGIN'])) {
 4 echo "FAIL: No origin header sent";
 5} else {
 6 header("Access-Control-Allow-Origin: *");
 7 header("Access-Control-Allow-Headers: X-Proprietary-Header");
 8 echo "PASS: Origin header correctly sent";
 9}
 10?>
0
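Review bot: The failure branch on lines 3-4 echoes "FAIL: No origin header sent" without sending Access-Control-Allow-Origin, so the cross-origin response is blocked by the browser and the test page logs "onerror" instead of the FAIL text. The test still fails in that case, but the diagnostic is lost. Move the two header() calls above the if so that both branches are readable by the page, and consider logging $_SERVER['REQUEST_METHOD'] in the FAIL message to show whether the preflight or the actual GET was missing the header.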