QNAM HTTP: Introduce attributes for controlling cookies and auth

Introduced QNetworkRequest::CookieLoadControlAttribute,
QNetworkRequest::CookieSaveControlAttribute and
QNetworkRequest::AuthenticationReuseControlAttribute

These are true by default. They only come into play when QtWebKit
processes a cross-origin XMLHttpRequest. In such cases QtWebKit sets
each of the attributes to false when it creates a QNetworkRequest
where the XMLHttpRequest is cross-origin and has withCredentials
set to false:

var req = new XMLHttpRequest;
req.open("GET", "http://host/resource.php", false);
req.withCredentials = false; // actually false by default

For more information:
   http://www.w3.org/TR/XMLHttpRequest2/#credentials-flag

The QtWebKit counterpart of this patch is tracked at:
   https://bugs.webkit.org/show_bug.cgi?id=32967

Merge-Request: 592
Reviewed-by: Markus Goetz

13 files changed, 128 insertions, 16 deletions

diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp
index 559124f..31c64f0 100644
--- a/src/network/access/qhttpnetworkconnection.cpp
+++ b/src/network/access/qhttpnetworkconnection.cpp
@@ -343,9 +343,16 @@ bool QHttpNetworkConnectionPrivate::handleAuthenticateChallenge(QAbstractSocket
                 copyCredentials(i,  auth, isProxy);
                 QMetaObject::invokeMethod(q, "_q_restartAuthPendingRequests", Qt::QueuedConnection);
             }
+        } else if (priv->phase == QAuthenticatorPrivate::Start) {
+            // If the url's authenticator has a 'user' set we will end up here (phase is only set to 'Done' by
+            // parseHttpResponse above if 'user' is empty). So if credentials were supplied with the request,
+            // such as in the case of an XMLHttpRequest, this is our only opportunity to cache them.
+            emit q->cacheCredentials(reply->request(), auth, q);
         }
-        // changing values in QAuthenticator will reset the 'phase'
-        if (priv->phase == QAuthenticatorPrivate::Done) {
+        // - Changing values in QAuthenticator will reset the 'phase'.
+        // - If withCredentials has been set to false (e.g. by QtWebKit for a cross-origin XMLHttpRequest) then
+        //   we need to bail out if authentication is required.
+        if (priv->phase == QAuthenticatorPrivate::Done || !reply->request().withCredentials()) {
             // authentication is cancelled, send the current contents to the user.
             emit channels[i].reply->headerChanged();
             emit channels[i].reply->readyRead();
diff --git a/src/network/access/qhttpnetworkconnection_p.h b/src/network/access/qhttpnetworkconnection_p.h
index b5bd300..51666d6 100644
--- a/src/network/access/qhttpnetworkconnection_p.h
+++ b/src/network/access/qhttpnetworkconnection_p.h
@@ -133,6 +133,8 @@ Q_SIGNALS:
 #endif
     void authenticationRequired(const QHttpNetworkRequest &request, QAuthenticator *authenticator,
                                 const QHttpNetworkConnection *connection = 0);
+    void cacheCredentials(const QHttpNetworkRequest &request, QAuthenticator *authenticator,
+                                const QHttpNetworkConnection *connection = 0);
     void error(QNetworkReply::NetworkError errorCode, const QString &detail = QString());
 
 private:
diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
index 3b7bc9e..d24eb1f 100644
--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
+++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
@@ -173,7 +173,7 @@ bool QHttpNetworkConnectionChannel::sendRequest()
         pendingEncrypt = false;
         // if the url contains authentication parameters, use the new ones
         // both channels will use the new authentication parameters
-        if (!request.url().userInfo().isEmpty()) {
+        if (!request.url().userInfo().isEmpty() && request.withCredentials()) {
             QUrl url = request.url();
             QAuthenticator &auth = authenticator;
             if (url.userName() != auth.user()
@@ -187,7 +187,10 @@ bool QHttpNetworkConnectionChannel::sendRequest()
             url.setUserInfo(QString());
             request.setUrl(url);
         }
-        connection->d_func()->createAuthorization(socket, request);
+        // Will only be false if QtWebKit is performing a cross-origin XMLHttpRequest
+        // and withCredentials has not been set to true.
+        if (request.withCredentials())
+            connection->d_func()->createAuthorization(socket, request);
 #ifndef QT_NO_NETWORKPROXY
         QByteArray header = QHttpNetworkRequestPrivate::header(request,
             (connection->d_func()->networkProxy.type() != QNetworkProxy::NoProxy));
diff --git a/src/network/access/qhttpnetworkrequest.cpp b/src/network/access/qhttpnetworkrequest.cpp
index 9eb2399..639025e 100644
--- a/src/network/access/qhttpnetworkrequest.cpp
+++ b/src/network/access/qhttpnetworkrequest.cpp
@@ -49,7 +49,7 @@ QT_BEGIN_NAMESPACE
 QHttpNetworkRequestPrivate::QHttpNetworkRequestPrivate(QHttpNetworkRequest::Operation op,
         QHttpNetworkRequest::Priority pri, const QUrl &newUrl)
     : QHttpNetworkHeaderPrivate(newUrl), operation(op), priority(pri), uploadByteDevice(0),
-      autoDecompress(false), pipeliningAllowed(false)
+      autoDecompress(false), pipeliningAllowed(false), withCredentials(true)
 {
 }
 
@@ -62,6 +62,7 @@ QHttpNetworkRequestPrivate::QHttpNetworkRequestPrivate(const QHttpNetworkRequest
     autoDecompress = other.autoDecompress;
     pipeliningAllowed = other.pipeliningAllowed;
     customVerb = other.customVerb;
+    withCredentials = other.withCredentials;
 }
 
 QHttpNetworkRequestPrivate::~QHttpNetworkRequestPrivate()
@@ -274,6 +275,16 @@ void QHttpNetworkRequest::setPipeliningAllowed(bool b)
     d->pipeliningAllowed = b;
 }
 
+bool QHttpNetworkRequest::withCredentials() const
+{
+    return d->withCredentials;
+}
+
+void QHttpNetworkRequest::setWithCredentials(bool b)
+{
+    d->withCredentials = b;
+}
+
 void QHttpNetworkRequest::setUploadByteDevice(QNonContiguousByteDevice *bd)
 {
     d->uploadByteDevice = bd;
diff --git a/src/network/access/qhttpnetworkrequest_p.h b/src/network/access/qhttpnetworkrequest_p.h
index 1b35a84..15cab73 100644
--- a/src/network/access/qhttpnetworkrequest_p.h
+++ b/src/network/access/qhttpnetworkrequest_p.h
@@ -113,6 +113,9 @@ public:
     bool isPipeliningAllowed() const;
     void setPipeliningAllowed(bool b);
 
+    bool withCredentials() const;
+    void setWithCredentials(bool b);
+
     void setUploadByteDevice(QNonContiguousByteDevice *bd);
     QNonContiguousByteDevice* uploadByteDevice() const;
 
@@ -142,6 +145,7 @@ public:
     mutable QNonContiguousByteDevice* uploadByteDevice;
     bool autoDecompress;
     bool pipeliningAllowed;
+    bool withCredentials;
 };
 
 
diff --git a/src/network/access/qnetworkaccessbackend.cpp b/src/network/access/qnetworkaccessbackend.cpp
index f188bd5..2a02c99 100644
--- a/src/network/access/qnetworkaccessbackend.cpp
+++ b/src/network/access/qnetworkaccessbackend.cpp
@@ -327,6 +327,11 @@ void QNetworkAccessBackend::authenticationRequired(QAuthenticator *authenticator
     manager->authenticationRequired(this, authenticator);
 }
 
+void QNetworkAccessBackend::cacheCredentials(QAuthenticator *authenticator)
+{
+    manager->addCredentials(this->reply->url, authenticator);
+}
+
 void QNetworkAccessBackend::metaDataChanged()
 {
     reply->metaDataChanged();
diff --git a/src/network/access/qnetworkaccessbackend_p.h b/src/network/access/qnetworkaccessbackend_p.h
index 4ce37a6..4fe6de6 100644
--- a/src/network/access/qnetworkaccessbackend_p.h
+++ b/src/network/access/qnetworkaccessbackend_p.h
@@ -188,6 +188,7 @@ protected slots:
     void proxyAuthenticationRequired(const QNetworkProxy &proxy, QAuthenticator *auth);
 #endif
     void authenticationRequired(QAuthenticator *auth);
+    void cacheCredentials(QAuthenticator *auth);
     void metaDataChanged();
     void redirectionRequested(const QUrl &destination);
     void sslErrors(const QList<QSslError> &errors);
diff --git a/src/network/access/qnetworkaccesshttpbackend.cpp b/src/network/access/qnetworkaccesshttpbackend.cpp
index 3154ed6..a6c5c02 100644
--- a/src/network/access/qnetworkaccesshttpbackend.cpp
+++ b/src/network/access/qnetworkaccesshttpbackend.cpp
@@ -346,6 +346,8 @@ void QNetworkAccessHttpBackend::setupConnection()
 #endif
     connect(http, SIGNAL(authenticationRequired(QHttpNetworkRequest,QAuthenticator*)),
             SLOT(httpAuthenticationRequired(QHttpNetworkRequest,QAuthenticator*)));
+    connect(http, SIGNAL(cacheCredentials(QHttpNetworkRequest,QAuthenticator*)),
+            SLOT(httpCacheCredentials(QHttpNetworkRequest,QAuthenticator*)));
     connect(http, SIGNAL(error(QNetworkReply::NetworkError,QString)),
             SLOT(httpError(QNetworkReply::NetworkError,QString)));
 #ifndef QT_NO_OPENSSL
@@ -578,6 +580,11 @@ void QNetworkAccessHttpBackend::postRequest()
     if (request().attribute(QNetworkRequest::HttpPipeliningAllowedAttribute).toBool() == true)
         httpRequest.setPipeliningAllowed(true);
 
+    if (static_cast<QNetworkRequest::LoadControl>
+        (request().attribute(QNetworkRequest::AuthenticationReuseAttribute,
+                             QNetworkRequest::Automatic).toInt()) == QNetworkRequest::Manual)
+        httpRequest.setWithCredentials(false);
+
     httpReply = http->sendRequest(httpRequest);
     httpReply->setParent(this);
 #ifndef QT_NO_OPENSSL
@@ -861,6 +868,12 @@ void QNetworkAccessHttpBackend::httpAuthenticationRequired(const QHttpNetworkReq
     authenticationRequired(auth);
 }
 
+void QNetworkAccessHttpBackend::httpCacheCredentials(const QHttpNetworkRequest &,
+                                                 QAuthenticator *auth)
+{
+    cacheCredentials(auth);
+}
+
 void QNetworkAccessHttpBackend::httpError(QNetworkReply::NetworkError errorCode,
                                           const QString &errorString)
 {
diff --git a/src/network/access/qnetworkaccesshttpbackend_p.h b/src/network/access/qnetworkaccesshttpbackend_p.h
index e5cc0ab..254907f 100644
--- a/src/network/access/qnetworkaccesshttpbackend_p.h
+++ b/src/network/access/qnetworkaccesshttpbackend_p.h
@@ -107,6 +107,7 @@ private slots:
     void replyFinished();
     void replyHeaderChanged();
     void httpAuthenticationRequired(const QHttpNetworkRequest &request, QAuthenticator *auth);
+    void httpCacheCredentials(const QHttpNetworkRequest &request, QAuthenticator *auth);
     void httpError(QNetworkReply::NetworkError error, const QString &errorString);
     bool sendCacheContents(const QNetworkCacheMetaData &metaData);
     void finished(); // override
diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp
index feb9d99..1c7661d 100644
--- a/src/network/access/qnetworkaccessmanager.cpp
+++ b/src/network/access/qnetworkaccessmanager.cpp
@@ -948,10 +948,15 @@ QNetworkReply *QNetworkAccessManager::createRequest(QNetworkAccessManager::Opera
         // but the data that is outgoing is random-access
         request.setHeader(QNetworkRequest::ContentLengthHeader, outgoingData->size());
     }
-    if (d->cookieJar) {
-        QList<QNetworkCookie> cookies = d->cookieJar->cookiesForUrl(request.url());
-        if (!cookies.isEmpty())
-            request.setHeader(QNetworkRequest::CookieHeader, qVariantFromValue(cookies));
+
+    if (static_cast<QNetworkRequest::LoadControl>
+        (request.attribute(QNetworkRequest::CookieLoadControlAttribute,
+                           QNetworkRequest::Automatic).toInt()) == QNetworkRequest::Automatic) {
+        if (d->cookieJar) {
+            QList<QNetworkCookie> cookies = d->cookieJar->cookiesForUrl(request.url());
+            if (!cookies.isEmpty())
+                request.setHeader(QNetworkRequest::CookieHeader, qVariantFromValue(cookies));
+        }
     }
 
     // first step: create the reply
@@ -967,11 +972,15 @@ QNetworkReply *QNetworkAccessManager::createRequest(QNetworkAccessManager::Opera
     priv->manager = this;
 
     // second step: fetch cached credentials
-    QNetworkAuthenticationCredential *cred = d->fetchCachedCredentials(url);
-    if (cred) {
-        url.setUserName(cred->user);
-        url.setPassword(cred->password);
-        priv->urlForLastAuthentication = url;
+    if (static_cast<QNetworkRequest::LoadControl>
+        (request.attribute(QNetworkRequest::AuthenticationReuseAttribute,
+                           QNetworkRequest::Automatic).toInt()) == QNetworkRequest::Automatic) {
+        QNetworkAuthenticationCredential *cred = d->fetchCachedCredentials(url);
+        if (cred) {
+            url.setUserName(cred->user);
+            url.setPassword(cred->password);
+            priv->urlForLastAuthentication = url;
+        }
     }
 
     // third step: find a backend
diff --git a/src/network/access/qnetworkreplyimpl.cpp b/src/network/access/qnetworkreplyimpl.cpp
index 128d18f..31ee2a4 100644
--- a/src/network/access/qnetworkreplyimpl.cpp
+++ b/src/network/access/qnetworkreplyimpl.cpp
@@ -673,8 +673,12 @@ void QNetworkReplyImplPrivate::error(QNetworkReplyImpl::NetworkError code, const
 void QNetworkReplyImplPrivate::metaDataChanged()
 {
     Q_Q(QNetworkReplyImpl);
-    // do we have cookies?
-    if (cookedHeaders.contains(QNetworkRequest::SetCookieHeader) && !manager.isNull()) {
+    // 1. do we have cookies?
+    // 2. are we allowed to set them?
+    if (cookedHeaders.contains(QNetworkRequest::SetCookieHeader) && !manager.isNull()
+        && (static_cast<QNetworkRequest::LoadControl>
+            (request.attribute(QNetworkRequest::CookieSaveControlAttribute,
+                               QNetworkRequest::Automatic).toInt()) == QNetworkRequest::Automatic)) {
         QList<QNetworkCookie> cookies =
             qvariant_cast<QList<QNetworkCookie> >(cookedHeaders.value(QNetworkRequest::SetCookieHeader));
         QNetworkCookieJar *jar = manager->cookieJar();
diff --git a/src/network/access/qnetworkrequest.cpp b/src/network/access/qnetworkrequest.cpp
index 61c116d..79f169f 100644
--- a/src/network/access/qnetworkrequest.cpp
+++ b/src/network/access/qnetworkrequest.cpp
@@ -190,6 +190,40 @@ QT_BEGIN_NAMESPACE
         of other verbs than GET, POST, PUT and DELETE). This verb is set
         when calling QNetworkAccessManager::sendCustomRequest().
 
+    \value CookieLoadControlAttribute
+        Requests only, type: QVariant::Int (default: QNetworkRequest::Automatic)
+        Indicates whether to send 'Cookie' headers in the request.
+
+        This attribute is set to false by QtWebKit when creating a cross-origin
+        XMLHttpRequest where withCredentials has not been set explicitly to true by the
+        Javascript that created the request.
+
+        See http://www.w3.org/TR/XMLHttpRequest2/#credentials-flag for more information.
+
+     \value CookieSaveControlAttribute
+        Requests only, type: QVariant::Int (default: QNetworkRequest::Automatic)
+        Indicates whether to save 'Cookie' headers received from the server in reply
+        to the request.
+
+        This attribute is set to false by QtWebKit when creating a cross-origin
+        XMLHttpRequest where withCredentials has not been set explicitly to true by the
+        Javascript that created the request.
+
+        See http://www.w3.org/TR/XMLHttpRequest2/#credentials-flag for more information.
+
+     \value AuthenticationReuseControlAttribute
+        Requests only, type: QVariant::Int (default: QNetworkRequest::Automatic)
+        Indicates whether to use cached authorization credentials in the request,
+        if available. If this is set to QNetworkRequest::Manual and the authentication
+        mechanism is 'Basic' or 'Digest', Qt will not send an an 'Authorization' HTTP
+        header with any cached credentials it may have for the request's URL.
+
+        This attribute is set to QNetworkRequest::Manual by QtWebKit when creating a cross-origin
+        XMLHttpRequest where withCredentials has not been set explicitly to true by the
+        Javascript that created the request.
+
+        See http://www.w3.org/TR/XMLHttpRequest2/#credentials-flag for more information.
+
     \value User
         Special type. Additional information can be passed in
         QVariants with types ranging from User to UserMax. The default
@@ -222,6 +256,17 @@ QT_BEGIN_NAMESPACE
     if the item was not cached (i.e., off-line mode)
 */
 
+/*!
+    \enum QNetworkRequest::LoadControl
+
+    Indicates if an aspect of the request's loading mechanism has been
+    manually overridden, e.g. by QtWebKit.
+
+    \value Automatic            default value: indicates default behaviour.
+
+    \value Manual               indicates behaviour has been manually overridden.
+*/
+
 class QNetworkRequestPrivate: public QSharedData, public QNetworkHeadersPrivate
 {
 public:
diff --git a/src/network/access/qnetworkrequest.h b/src/network/access/qnetworkrequest.h
index a0ef1a6..d2945c4 100644
--- a/src/network/access/qnetworkrequest.h
+++ b/src/network/access/qnetworkrequest.h
@@ -79,6 +79,9 @@ public:
         HttpPipeliningAllowedAttribute,
         HttpPipeliningWasUsedAttribute,
         CustomVerbAttribute,
+        CookieLoadControlAttribute,
+        AuthenticationReuseAttribute,
+        CookieSaveControlAttribute,
 
         User = 1000,
         UserMax = 32767
@@ -89,6 +92,10 @@ public:
         PreferCache,
         AlwaysCache
     };
+    enum LoadControl {
+        Automatic = 0,
+        Manual
+    };
 
     enum Priority {
         HighPriority = 1,