[Backport] CVE-2018-4117

[Fetch API] Fix redirect leak on "no-cors" requests

The spec issue is now fixed, and this CL follows the spec change[1].

1: https://github.com/whatwg/fetch/commit/14858d3e9402285a7ff3b5e47a22896ff3adc95d

Bug: 791324

Reviewed-on: https://chromium-review.googlesource.com/1023613
Change-Id: I4ed948591697e1dc9cff91d82333a49d8ec0c1a2
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

1 files changed, 10 insertions, 0 deletions

diff --git a/chromium/third_party/WebKit/Source/core/fetch/FetchManager.cpp b/chromium/third_party/WebKit/Source/core/fetch/FetchManager.cpp
index 17d4734eed8..fbf917212e9 100644
--- a/chromium/third_party/WebKit/Source/core/fetch/FetchManager.cpp
+++ b/chromium/third_party/WebKit/Source/core/fetch/FetchManager.cpp
@@ -632,6 +632,16 @@ void FetchManager::Loader::Start() {
 
   // "- |request|'s mode is |no CORS|"
   if (request_->Mode() == network::mojom::FetchRequestMode::kNoCORS) {
+   // "If |request|'s redirect mode is not |follow|, then return a network
+   // error.
+    if (request_->Redirect() != network::mojom::FetchRedirectMode::kFollow) {
+      PerformNetworkError("Fetch API cannot load " +
+                          request_->Url().GetString() +
+                          ". Request mode is \"no-cors\" but the redirect mode "
+                          " is not \"follow\".");
+      return;
+    }
+
     // "Set |request|'s response tainting to |opaque|."
     request_->SetResponseTainting(FetchRequestData::kOpaqueTainting);
     // "The result of performing a scheme fetch using |request|."