CEF3: Support cross-origin XMLHttpRequest loads and redirects for custom standard schemes when enabled via the cross-origin whitelist

Issue #950 resolved
Marshall Greenblatt
created an issue

Original issue 950 created by magreenblatt on 2013-04-18T17:36:42.000Z:

What steps will reproduce the problem?
1. Register a custom standard scheme (for example, "myscheme").
2. Attempt an XMLHttpRequest (XHR) where the target URL redirects to a different origin. For example:

A. Add a cross-origin whitelist entry for the domains (current origin is "myscheme://mydomain"):

CefAddCrossOriginWhitelistEntry("myscheme://mydomain", "myscheme", "mydomain2", false);

B. Send an XHR request where "myscheme://mydomain/xhr.html" redirects to "myscheme://mydomain2/xhr.html":

var xhr = new XMLHttpRequest();
xhr.open("GET", "myscheme://mydomain/xhr.html", true);
xhr.onload = function(e) { /* ... */ };
xhr.send();

What is the expected output? What do you see instead?
The request should succeed. Instead, the request fails.

There are a few different problems here:

  1. Custom standard schemes are not currently registered as CORS-enabled so all CORS checks fail immediately.

  2. All synchronous cross-origin XHR redirects are denied in SyncResourceHandler::OnRequestRedirected().

  3. Asynchronous cross-origin XHR redirects are filtered based on CORS restrictions in DocumentThreadableLoader::redirectReceived(). However, some redirects are handled internally using URLRequestRedirectJob (for example, changing the URL in CefRequestHandler::OnBeforeResourceLoad) and there is no opportunity for the client to add the necessary CORS headers.

Comments (2)

  1. Marshall Greenblatt reporter

    Comment 1. originally posted by magreenblatt on 2013-04-18T18:01:14.000Z:

    comment 1. and comment 3. fixed in trunk revision 1235 and 1453 branch revision 1236.
    - Call WebSecurityPolicy::registerURLSchemeAsCORSEnabled() for custom standard schemes (fixes comment 1.).
    - Explicitly check the cross-origin whitelist in CefResourceDispatcherHostDelegate::OnRequestRedirected() and add the appropriate CORS headers (fixes comment 3.).
    - Improve the CefAddCrossOriginWhitelistEntry() documentation to mention the top-level domain requirement for sub-domain matching.

    There are no plans to fix comment 2. at this time. See the comments in SyncResourceHandler::OnRequestRedirected() for more background.

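Added example, not part of the original issue and not CEF source code: a simplified, self-contained C++ model of the redirect-time check described in the comment above, where the cross-origin whitelist is consulted for the redirect target and a CORS header is attached only on a match. The struct fields mirror the arguments of CefAddCrossOriginWhitelistEntry(); the function names, the choice of Access-Control-Allow-Origin as the header, and the "contains a dot" test standing in for the top-level domain requirement are assumptions, and only exact and sub-domain matching are modelled.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model, not CEF source. Fields mirror the arguments of
// CefAddCrossOriginWhitelistEntry(); the matching rules are assumptions.
struct Entry {
  std::string source_origin;    // "myscheme://mydomain"
  std::string target_protocol;  // "myscheme"
  std::string target_domain;    // "mydomain2"
  bool allow_subdomains;
};
struct Url { std::string scheme, host; };

static bool EndsWith(const std::string& s, const std::string& suffix) {
  return s.size() >= suffix.size() &&
         s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// True when entry |e| lets |source_origin| read a response from |target|.
bool Matches(const Entry& e, const std::string& source_origin, const Url& target) {
  if (e.source_origin != source_origin || e.target_protocol != target.scheme)
    return false;
  if (e.target_domain == target.host) return true;  // exact host match
  // Sub-domain matching needs a top-level domain component in the entry,
  // modelled here as "the entry's domain contains a dot".
  return e.allow_subdomains &&
         e.target_domain.find('.') != std::string::npos &&
         EndsWith(target.host, "." + e.target_domain);
}

// Header to attach when an XHR from |source_origin| is redirected to |to|.
// Empty result: no entry matched, so ordinary CORS checks decide.
std::string CorsHeaderForRedirect(const std::vector<Entry>& whitelist,
                                  const std::string& source_origin, const Url& to) {
  for (const Entry& e : whitelist)
    if (Matches(e, source_origin, to))
      return "Access-Control-Allow-Origin: " + source_origin;
  return std::string();
}

int main() {
  std::vector<Entry> wl = {{"myscheme://mydomain", "myscheme", "mydomain2", false}};
  std::cout << CorsHeaderForRedirect(wl, "myscheme://mydomain", {"myscheme", "mydomain2"}) << "\n";
  std::cout << CorsHeaderForRedirect(wl, "myscheme://mydomain", {"myscheme", "other"}).empty() << "\n";
  return 0;
}
```

Echoing the specific requesting origin, rather than a wildcard, keeps the relaxation limited to the origin/target pairs that were explicitly whitelisted.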