Allow navigations that include cross-origin redirects to succeed. (#32996)

Signed-off-by: Josh Matthews <josh@joshmatthews.net>

components/net/fetch/methods.rs

@@ -26,8 +26,8 @@ use net_traits::blob_url_store::{parse_blob_url, BlobURLStoreError};
 use net_traits::filemanager_thread::{FileTokenCheck, RelativePos};
 use net_traits::request::{
     is_cors_safelisted_method, is_cors_safelisted_request_header, BodyChunkRequest,
-    BodyChunkResponse, CredentialsMode, Destination, Origin, Referrer, Request, RequestMode,
+    BodyChunkResponse, CredentialsMode, Destination, Origin, RedirectMode, Referrer, Request,
-    ResponseTainting, Window,
+    RequestMode, ResponseTainting, Window,
 };
 use net_traits::response::{Response, ResponseBody, ResponseType};
 use net_traits::{
@@ -298,7 +298,11 @@ pub async fn main_fetch(
 
             if (same_origin && !cors_flag) ||
                 current_url.scheme() == "data" ||
-                current_url.scheme() == "chrome"
+                current_url.scheme() == "chrome" ||
+                matches!(
+                    request.mode,
+                    RequestMode::Navigate | RequestMode::WebSocket { .. }
+                )
             {
                 // Substep 1.
                 request.response_tainting = ResponseTainting::Basic;
@@ -308,11 +312,18 @@ pub async fn main_fetch(
             } else if request.mode == RequestMode::SameOrigin {
                 Response::network_error(NetworkError::Internal("Cross-origin response".into()))
             } else if request.mode == RequestMode::NoCors {
-                // Substep 1.
+                // Substep 1. If request’s redirect mode is not "follow", then return a network error.
-                request.response_tainting = ResponseTainting::Opaque;
+                if request.redirect_mode != RedirectMode::Follow {
+                    Response::network_error(NetworkError::Internal(
+                        "NoCors requests must follow redirects".into(),
+                    ))
+                } else {
+                    // Substep 2. Set request’s response tainting to "opaque".
+                    request.response_tainting = ResponseTainting::Opaque;
 
-                // Substep 2.
+                    // Substep 3. Return the result of running scheme fetch given fetchParams.
-                scheme_fetch(request, cache, target, done_chan, context).await
+                    scheme_fetch(request, cache, target, done_chan, context).await
+                }
             } else if !matches!(current_url.scheme(), "http" | "https") {
                 Response::network_error(NetworkError::Internal("Non-http scheme".into()))
             } else if request.use_cors_preflight ||

components/script/script_thread.rs

@@ -63,7 +63,9 @@ use media::WindowGLContext;
 use metrics::{PaintTimeMetrics, MAX_TASK_NS};
 use mime::{self, Mime};
 use net_traits::image_cache::{ImageCache, PendingImageResponse};
-use net_traits::request::{CredentialsMode, Destination, RedirectMode, RequestBuilder};
+use net_traits::request::{
+    CredentialsMode, Destination, RedirectMode, RequestBuilder, RequestMode,
+};
 use net_traits::storage_thread::StorageType;
 use net_traits::{
     FetchMetadata, FetchResponseListener, FetchResponseMsg, Metadata, NetworkError, ReferrerPolicy,
@@ -3970,6 +3972,7 @@ impl ScriptThread {
         let req_init = RequestBuilder::new(load_data.url.clone(), load_data.referrer)
             .method(load_data.method)
             .destination(Destination::Document)
+            .mode(RequestMode::Navigate)
             .credentials_mode(CredentialsMode::Include)
             .use_url_credentials(true)
             .pipeline_id(Some(id))

tests/wpt/meta/fetch/api/redirect/redirect-mode.any.js.ini

@@ -1,32 +0,0 @@
-[redirect-mode.any.worker.html]
-  [cross-origin redirect 301 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 302 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 303 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 307 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 308 in manual redirect and no-cors mode]
-    expected: FAIL
-
-
-[redirect-mode.any.html]
-  [cross-origin redirect 301 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 302 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 303 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 307 in manual redirect and no-cors mode]
-    expected: FAIL
-
-  [cross-origin redirect 308 in manual redirect and no-cors mode]
-    expected: FAIL