Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / chromium_org / third_party / WebKit / e52495584422c5edb5b2944981473a2e208da323^! / . / Source / core / loader
commite52495584422c5edb5b2944981473a2e208da323[log] [tgz]
authorTorne (Richard Coles) <torne@google.com>Wed May 15 11:35:13 2013 +0100
committerTorne (Richard Coles) <torne@google.com>Wed May 15 11:35:13 2013 +0100
tree707b85435adfb2c67b9ca3d346769564c41566fd
parent8521fccd3e39d65a1f2ac1f360f5ead86fcb7dae [diff]
Merge from Chromium at DEPS revision r200144

This commit was generated by merge_to_master.py.

Change-Id: I52995489013675af682cee321f417f624396b584

diff --git a/Source/core/loader/CrossOriginAccessControl.cpp b/Source/core/loader/CrossOriginAccessControl.cpp
index db496c7..e77bf5d 100644
--- a/Source/core/loader/CrossOriginAccessControl.cpp
+++ b/Source/core/loader/CrossOriginAccessControl.cpp

@@ -33,7 +33,7 @@
 #include "core/platform/network/HTTPParsers.h"
 #include "core/platform/network/ResourceRequest.h"
 #include "core/platform/network/ResourceResponse.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 namespace WebCore {
 

diff --git a/Source/core/loader/DocumentLoadTiming.cpp b/Source/core/loader/DocumentLoadTiming.cpp
index 99defb6..fc6970c 100644
--- a/Source/core/loader/DocumentLoadTiming.cpp
+++ b/Source/core/loader/DocumentLoadTiming.cpp

@@ -32,7 +32,7 @@
 #include "core/loader/DocumentLoader.h"
 #include "core/page/Frame.h"
 #include "core/page/Page.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 namespace WebCore {
 

diff --git a/Source/core/loader/DocumentLoader.cpp b/Source/core/loader/DocumentLoader.cpp
index 1aac7ce..b18718a 100644
--- a/Source/core/loader/DocumentLoader.cpp
+++ b/Source/core/loader/DocumentLoader.cpp

@@ -63,8 +63,8 @@
 #include "core/page/Page.h"
 #include "core/page/Settings.h"
 #include "core/platform/Logging.h"
-#include "origin/SchemeRegistry.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/SchemeRegistry.h"
+#include "weborigin/SecurityPolicy.h"
 
 namespace WebCore {
 
@@ -477,9 +477,9 @@
     if (newRequest.cachePolicy() == UseProtocolCachePolicy && isPostOrRedirectAfterPost(newRequest, redirectResponse))
         newRequest.setCachePolicy(ReloadIgnoringCacheData);
 
-    Frame* top = m_frame->tree()->top();
-    if (top != m_frame) {
-        if (!frameLoader()->mixedContentChecker()->canDisplayInsecureContent(top->document()->securityOrigin(), newRequest.url())) {
+    Frame* parent = m_frame->tree()->parent();
+    if (parent) {
+        if (!parent->loader()->mixedContentChecker()->canRunInsecureContent(parent->document()->securityOrigin(), newRequest.url())) {
             cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
             return;
         }
@@ -647,8 +647,6 @@
 
         if (frameLoader()->stateMachine()->creatingInitialEmptyDocument())
             return;
-        if (frameLoader()->stateMachine()->isDisplayingInitialEmptyDocument())
-            frameLoader()->stateMachine()->advanceTo(FrameLoaderStateMachine::CommittedFirstRealLoad);
         
         // The origin is the MHTML file, we need to set the base URL to the document encoded in the MHTML so
         // relative URLs are resolved properly.
@@ -1077,7 +1075,7 @@
 
     ResourceRequest request(m_request);
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, mainResourceLoadOptions,
-        (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
+        (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
     CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions);
     m_mainResource = m_cachedResourceLoader->requestMainResource(cachedResourceRequest);
     if (!m_mainResource) {

diff --git a/Source/core/loader/DocumentThreadableLoader.cpp b/Source/core/loader/DocumentThreadableLoader.cpp
index 58beed3..6f4a6be 100644
--- a/Source/core/loader/DocumentThreadableLoader.cpp
+++ b/Source/core/loader/DocumentThreadableLoader.cpp

@@ -31,8 +31,7 @@
 #include "config.h"
 #include "core/loader/DocumentThreadableLoader.h"
 
-#include <wtf/Assertions.h>
-#include <wtf/UnusedParam.h>
+#include "bindings/v8/ScriptController.h"
 #include "core/dom/Document.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/loader/CrossOriginAccessControl.h"
@@ -45,11 +44,15 @@
 #include "core/loader/cache/CachedRawResource.h"
 #include "core/loader/cache/CachedResourceLoader.h"
 #include "core/loader/cache/CachedResourceRequest.h"
+#include "core/loader/cache/CachedResourceRequestInitiators.h"
+#include "core/page/ContentSecurityPolicy.h"
 #include "core/page/Frame.h"
 #include "core/platform/network/ResourceError.h"
 #include "core/platform/network/ResourceRequest.h"
-#include "origin/SchemeRegistry.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SchemeRegistry.h"
+#include "weborigin/SecurityOrigin.h"
+#include "wtf/Assertions.h"
+#include "wtf/UnusedParam.h"
 
 namespace WebCore {
 
@@ -179,6 +182,12 @@
     ASSERT_UNUSED(resource, resource == m_resource);
 
     RefPtr<DocumentThreadableLoader> protect(this);
+    if (!isAllowedByPolicy(request.url())) {
+        m_client->didFailRedirectCheck();
+        request = ResourceRequest();
+        return;
+    }
+
     // Allow same origin requests to continue after allowing clients to audit the redirect.
     if (isAllowedRedirect(request.url())) {
         if (m_client->isDocumentThreadableLoaderClient())
@@ -187,7 +196,8 @@
     }
 
     // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
-    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check.
+    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
+    // original request was not same-origin.
     if (m_options.crossOriginRequestPolicy == UseAccessControl) {
         bool allowRedirect = false;
         if (m_simpleRequest) {
@@ -195,7 +205,7 @@
             allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
                             && request.url().user().isEmpty()
                             && request.url().pass().isEmpty()
-                            && passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription);
+                            && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription));
         }
 
         if (allowRedirect) {
@@ -204,12 +214,19 @@
 
             RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
             RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url());
-            // If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier.
-            if (!originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
+            // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
+            // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
+            // should be the original URL origin.)
+            if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
                 m_options.securityOrigin = SecurityOrigin::createUnique();
             // Force any subsequent requests to use these checks.
             m_sameOriginRequest = false;
 
+            // Since the request is no longer same-origin, if the user didn't request credentials in
+            // the first place, update our state so we neither request them nor expect they must be allowed.
+            if (m_options.credentialsRequested == ClientDidNotRequestCredentials)
+                m_options.allowCredentials = DoNotAllowStoredCredentials;
+
             // Remove any headers that may have been added by the network layer that cause access control to fail.
             request.clearHTTPContentType();
             request.clearHTTPReferrer();
@@ -394,7 +411,7 @@
     unsigned long identifier = std::numeric_limits<unsigned long>::max();
     if (Frame* frame = m_document->frame()) {
         Frame* top = frame->tree()->top();
-        if (!top->loader()->mixedContentChecker()->canDisplayInsecureContent(top->document()->securityOrigin(), requestURL)) {
+        if (!top->loader()->mixedContentChecker()->canRunInsecureContent(top->document()->securityOrigin(), requestURL)) {
             m_client->didFail(error);
             return;
         }
@@ -413,7 +430,7 @@
     // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
     // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
     // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
-    if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
+    if (requestURL != response.url() && (!isAllowedByPolicy(response.url()) || !isAllowedRedirect(response.url()))) {
         m_client->didFailRedirectCheck();
         return;
     }
@@ -427,7 +444,7 @@
     didFinishLoading(identifier, 0.0);
 }
 
-bool DocumentThreadableLoader::isAllowedRedirect(const KURL& url)
+bool DocumentThreadableLoader::isAllowedRedirect(const KURL& url) const
 {
     if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
         return true;
@@ -435,6 +452,13 @@
     return m_sameOriginRequest && securityOrigin()->canRequest(url);
 }
 
+bool DocumentThreadableLoader::isAllowedByPolicy(const KURL& url) const
+{
+    if (m_options.contentSecurityPolicyEnforcement != EnforceConnectSrcDirective)
+        return true;
+    return m_document->contentSecurityPolicy()->allowConnectToSource(url);
+}
+
 SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
 {
     return m_options.securityOrigin ? m_options.securityOrigin.get() : m_document->securityOrigin();

diff --git a/Source/core/loader/DocumentThreadableLoader.h b/Source/core/loader/DocumentThreadableLoader.h
index 32402b0..da0afb6 100644
--- a/Source/core/loader/DocumentThreadableLoader.h
+++ b/Source/core/loader/DocumentThreadableLoader.h

@@ -95,7 +95,8 @@
         void preflightFailure(unsigned long identifier, const String& url, const String& errorDescription);
 
         void loadRequest(const ResourceRequest&, SecurityCheckPolicy);
-        bool isAllowedRedirect(const KURL&);
+        bool isAllowedRedirect(const KURL&) const;
+        bool isAllowedByPolicy(const KURL&) const;
 
         SecurityOrigin* securityOrigin() const;
 

diff --git a/Source/core/loader/DocumentWriter.cpp b/Source/core/loader/DocumentWriter.cpp
index b29d7da..9232db8 100644
--- a/Source/core/loader/DocumentWriter.cpp
+++ b/Source/core/loader/DocumentWriter.cpp

@@ -44,7 +44,7 @@
 #include "core/page/FrameView.h"
 #include "core/page/Settings.h"
 #include "core/platform/text/SegmentedString.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 namespace WebCore {
 

diff --git a/Source/core/loader/EmptyClients.h b/Source/core/loader/EmptyClients.h
index 5bc450f..137e8ec 100644
--- a/Source/core/loader/EmptyClients.h
+++ b/Source/core/loader/EmptyClients.h

@@ -139,7 +139,6 @@
     virtual WebKit::WebScreenInfo screenInfo() const OVERRIDE { return WebKit::WebScreenInfo(); }
     virtual void contentsSizeChanged(Frame*, const IntSize&) const OVERRIDE { }
 
-    virtual void scrollbarsModeDidChange() const OVERRIDE { }
     virtual void mouseDidMoveOverElement(const HitTestResult&, unsigned) OVERRIDE { }
 
     virtual void setToolTip(const String&, TextDirection) OVERRIDE { }

diff --git a/Source/core/loader/FrameLoadRequest.h b/Source/core/loader/FrameLoadRequest.h
index 5e5185f..0d1c8cd 100644
--- a/Source/core/loader/FrameLoadRequest.h
+++ b/Source/core/loader/FrameLoadRequest.h

@@ -27,7 +27,7 @@
 #define FrameLoadRequest_h
 
 #include "core/loader/SubstituteData.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 #include "core/platform/network/ResourceRequest.h"
 
 namespace WebCore {

diff --git a/Source/core/loader/FrameLoader.cpp b/Source/core/loader/FrameLoader.cpp
index 10c9a76..c985192 100644
--- a/Source/core/loader/FrameLoader.cpp
+++ b/Source/core/loader/FrameLoader.cpp

@@ -104,9 +104,9 @@
 #include "core/plugins/PluginData.h"
 #include "core/xml/parser/XMLDocumentParser.h"
 #include "modules/webdatabase/DatabaseManager.h"
-#include "origin/SchemeRegistry.h"
-#include "origin/SecurityOrigin.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/SchemeRegistry.h"
+#include "weborigin/SecurityOrigin.h"
+#include "weborigin/SecurityPolicy.h"
 
 #if ENABLE(SVG)
 #include "SVGNames.h"
@@ -480,7 +480,7 @@
 
     // Calling document.open counts as committing the first real document load.
     if (!m_stateMachine.committedFirstRealDocumentLoad())
-        m_stateMachine.advanceTo(FrameLoaderStateMachine::CommittedFirstRealLoad);
+        m_stateMachine.advanceTo(FrameLoaderStateMachine::DisplayingInitialEmptyDocumentPostCommit);
     
     // Prevent window.open(url) -- eg window.open("about:blank") -- from blowing away results
     // from a subsequent window.document.open / window.document.write call. 
@@ -543,6 +543,9 @@
     m_checkTimer.stop();
     m_shouldCallCheckCompleted = false;
     m_shouldCallCheckLoadComplete = false;
+
+    if (m_stateMachine.isDisplayingInitialEmptyDocument() && m_stateMachine.committedFirstRealDocumentLoad())
+        m_stateMachine.advanceTo(FrameLoaderStateMachine::CommittedFirstRealLoad);
 }
 
 void FrameLoader::receivedFirstData()
@@ -774,7 +777,7 @@
     m_frame->document()->implicitClose();
 }
 
-void FrameLoader::loadURLIntoChildFrame(const KURL& url, const String& referer, Frame* childFrame)
+void FrameLoader::loadURLIntoChildFrame(const ResourceRequest& request, Frame* childFrame)
 {
     ASSERT(childFrame);
 
@@ -789,27 +792,7 @@
             return;
         }
     }
-
-    childFrame->loader()->loadURL(url, referer, "_self", FrameLoadTypeInitialInChildFrame, 0, 0);
-}
-
-ObjectContentType FrameLoader::defaultObjectContentType(const KURL& url, const String& mimeTypeIn, bool shouldPreferPlugInsForImages)
-{
-    String mimeType = mimeTypeIn;
-
-    if (mimeType.isEmpty())
-        mimeType = mimeTypeFromURL(url);
-
-    if (mimeType.isEmpty())
-        return ObjectContentFrame; // Go ahead and hope that we can display the content.
-
-    if (MIMETypeRegistry::isSupportedImageMIMEType(mimeType))
-        return WebCore::ObjectContentImage;
-
-    if (MIMETypeRegistry::isSupportedNonImageMIMEType(mimeType))
-        return WebCore::ObjectContentFrame;
-
-    return WebCore::ObjectContentNone;
+    childFrame->loader()->loadURL(request, "_self", FrameLoadTypeInitialInChildFrame, 0, 0);
 }
 
 String FrameLoader::outgoingReferrer() const
@@ -990,6 +973,7 @@
         frame()->page()->backForward()->setCurrentItem(currentItem.get());
 
         ASSERT(stateMachine()->isDisplayingInitialEmptyDocument());
+        stateMachine()->advanceTo(FrameLoaderStateMachine::DisplayingInitialEmptyDocumentPostCommit);
         stateMachine()->advanceTo(FrameLoaderStateMachine::CommittedFirstRealLoad);
     }
 }
@@ -1028,26 +1012,34 @@
         return;
     }
 
-    String argsReferrer = request.resourceRequest().httpReferrer();
+    ResourceRequest resourceRequest(request.resourceRequest());
+    String argsReferrer = resourceRequest.httpReferrer();
     if (argsReferrer.isEmpty())
         argsReferrer = outgoingReferrer();
 
     String referrer = SecurityPolicy::generateReferrerHeader(m_frame->document()->referrerPolicy(), url, argsReferrer);
     if (shouldSendReferrer == NeverSendReferrer)
         referrer = String();
-    
+
+    if (!referrer.isEmpty()) {
+        resourceRequest.setHTTPReferrer(referrer);
+        RefPtr<SecurityOrigin> referrerOrigin = SecurityOrigin::createFromString(referrer);
+        addHTTPOriginIfNeeded(resourceRequest, referrerOrigin->toString());
+    } else
+        resourceRequest.clearHTTPReferrer();
+
     FrameLoadType loadType;
-    if (request.resourceRequest().cachePolicy() == ReloadIgnoringCacheData)
+    if (resourceRequest.cachePolicy() == ReloadIgnoringCacheData)
         loadType = FrameLoadTypeReload;
     else if (lockBackForwardList || history()->currentItemShouldBeReplaced())
         loadType = FrameLoadTypeRedirectWithLockedBackForwardList;
     else
         loadType = FrameLoadTypeStandard;
 
-    if (request.resourceRequest().httpMethod() == "POST")
-        loadPostRequest(request.resourceRequest(), referrer, request.frameName(), loadType, event, formState.get());
-    else
-        loadURL(request.resourceRequest().url(), referrer, request.frameName(), loadType, event, formState.get());
+    if (loadType == FrameLoadTypeReload || loadType == FrameLoadTypeReloadFromOrigin)
+        resourceRequest.setCachePolicy(ReloadIgnoringCacheData);
+
+    loadURL(resourceRequest, request.frameName(), loadType, event, formState.get());
 
     // FIXME: It's possible this targetFrame will not be the same frame that was targeted by the actual
     // load if frame names have changed.
@@ -1061,28 +1053,20 @@
     }
 }
 
-void FrameLoader::loadURL(const KURL& newURL, const String& referrer, const String& frameName, FrameLoadType newLoadType,
-    PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState)
+void FrameLoader::loadURL(const ResourceRequest& request, const String& frameName, FrameLoadType newLoadType,
+    PassRefPtr<Event> event, PassRefPtr<FormState> formState)
 {
     if (m_inStopAllLoaders)
         return;
 
-    RefPtr<FormState> formState = prpFormState;
     bool isFormSubmission = formState;
-    
-    ResourceRequest request(newURL);
-    if (!referrer.isEmpty()) {
-        request.setHTTPReferrer(referrer);
-        RefPtr<SecurityOrigin> referrerOrigin = SecurityOrigin::createFromString(referrer);
-        addHTTPOriginIfNeeded(request, referrerOrigin->toString());
-    }
 
     ASSERT(newLoadType != FrameLoadTypeSame);
 
     // The search for a target frame is done earlier in the case of form submission.
     Frame* targetFrame = isFormSubmission ? 0 : findFrameForNavigation(frameName);
     if (targetFrame && targetFrame != m_frame) {
-        targetFrame->loader()->loadURL(newURL, referrer, "_self", newLoadType, event, formState.release());
+        targetFrame->loader()->loadURL(request, "_self", newLoadType, event, formState);
         return;
     }
 
@@ -1092,16 +1076,16 @@
     NavigationAction action(request, newLoadType, isFormSubmission, event);
 
     if (!targetFrame && !frameName.isEmpty()) {
-        checkNewWindowPolicyAndContinue(formState.release(), frameName, action);
+        checkNewWindowPolicyAndContinue(formState, frameName, action);
         return;
     }
 
-    bool sameURL = shouldTreatURLAsSameAsCurrent(newURL);
-    loadWithNavigationAction(request, action, newLoadType, formState.release(), defaultSubstituteDataForURL(request.url()));
+    bool sameURL = shouldTreatURLAsSameAsCurrent(request.url());
+    loadWithNavigationAction(request, action, newLoadType, formState, defaultSubstituteDataForURL(request.url()));
     // Example of this case are sites that reload the same URL with a different cookie
     // driving the generated content, or a master frame with links that drive a target
     // frame, where the user has clicked on the same link repeatedly.
-    if (sameURL && newLoadType != FrameLoadTypeReload && newLoadType != FrameLoadTypeReloadFromOrigin)
+    if (sameURL && newLoadType != FrameLoadTypeReload && newLoadType != FrameLoadTypeReloadFromOrigin && request.httpMethod() != "POST")
         m_loadType = FrameLoadTypeSame;
 }
 
@@ -1137,35 +1121,22 @@
     const KURL& unreachableURL = request.substituteData().failingURL();
 
     FrameLoadType type;
-    if (shouldTreatURLAsSameAsCurrent(r.url()))
+    if (shouldTreatURLAsSameAsCurrent(r.url())) {
+        r.setCachePolicy(ReloadIgnoringCacheData);
         type = FrameLoadTypeSame;
-    else if (shouldTreatURLAsSameAsCurrent(unreachableURL) && m_loadType == FrameLoadTypeReload)
+    } else if (shouldTreatURLAsSameAsCurrent(unreachableURL) && m_loadType == FrameLoadTypeReload)
         type = FrameLoadTypeReload;
     else
         type = FrameLoadTypeStandard;
-    
-    // When we loading alternate content for an unreachable URL that we're
-    // visiting in the history list, we treat it as a reload so the history list 
-    // is appropriately maintained.
-    //
-    // FIXME: This seems like a dangerous overloading of the meaning of "FrameLoadTypeReload" ...
-    // shouldn't a more explicit type of reload be defined, that means roughly 
-    // "load without affecting history" ? 
-    if (shouldReloadToHandleUnreachableURL(unreachableURL)) {
-        // shouldReloadToHandleUnreachableURL() returns true only when the original load type is back-forward.
-        // In this case we should save the document state now. Otherwise the state can be lost because load type is
-        // changed and updateForBackForwardNavigation() will not be called when loading is committed.
-        history()->saveDocumentAndScrollState();
-
-        ASSERT(type == FrameLoadTypeStandard);
-        type = FrameLoadTypeReload;
-    }
-
     loadWithNavigationAction(r, NavigationAction(r, type, false), type, 0, request.substituteData());
 }
 
 void FrameLoader::loadWithNavigationAction(const ResourceRequest& request, const NavigationAction& action, FrameLoadType type, PassRefPtr<FormState> formState, const SubstituteData& substituteData, const String& overrideEncoding)
 {
+    ASSERT(m_client->hasWebView());
+    if (m_pageDismissalEventBeingDispatched != NoDismissal)
+        return;
+
     RefPtr<DocumentLoader> loader = m_client->createDocumentLoader(request, substituteData);
     loader->setTriggeringAction(action);
 
@@ -1179,22 +1150,6 @@
     if (type == FrameLoadTypeRedirectWithLockedBackForwardList)
         loader->setIsClientRedirect(true);
 
-    // Retain because dispatchBeforeLoadEvent may release the last reference to it.
-    RefPtr<Frame> protect(m_frame);
-
-    ASSERT(m_client->hasWebView());
-
-    // Unfortunately the view must be non-nil, this is ultimately due
-    // to parser requiring a FrameView.  We should fix this dependency.
-
-    ASSERT(m_frame->view());
-
-    if (m_pageDismissalEventBeingDispatched != NoDismissal)
-        return;
-
-    if (m_frame->document())
-        m_previousURL = m_frame->document()->url();
-
     m_loadType = type;
     bool isFormSubmission = formState;
 
@@ -1215,11 +1170,6 @@
     frame->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Not allowed to load local resource: " + url);
 }
 
-const ResourceRequest& FrameLoader::initialRequest() const
-{
-    return activeDocumentLoader()->originalRequest();
-}
-
 bool FrameLoader::willLoadMediaElementURL(KURL& url)
 {
     ResourceRequest request(url);
@@ -1234,23 +1184,6 @@
     return error.isNull();
 }
 
-bool FrameLoader::shouldReloadToHandleUnreachableURL(const KURL& unreachableURL)
-{
-    if (unreachableURL.isEmpty())
-        return false;
-
-    if (!m_delegateIsHandlingProvisionalLoadError)
-        return false;
-
-    if (!isBackForwardLoadType(m_loadType))
-        return false;
-
-    // We only treat unreachableURLs specially during the delegate callbacks
-    // for provisional load errors. Loading alternate content
-    // at other times behaves like a standard load.
-    return unreachableURL == m_provisionalDocumentLoader->request().url();
-}
-
 void FrameLoader::reload(bool endToEndReload, const KURL& overrideURL, const String& overrideEncoding)
 {
     if (!m_documentLoader)
@@ -1263,8 +1196,16 @@
     else if (!m_documentLoader->unreachableURL().isEmpty())
         request.setURL(m_documentLoader->unreachableURL());
 
+    bool isFormSubmission = request.httpMethod() == "POST";
+    if (overrideEncoding.isEmpty())
+        request.setCachePolicy(ReloadIgnoringCacheData);
+    else if (isFormSubmission)
+        request.setCachePolicy(ReturnCacheDataDontLoad);
+    else
+        request.setCachePolicy(ReturnCacheDataElseLoad);
+
     FrameLoadType type = endToEndReload ? FrameLoadTypeReloadFromOrigin : FrameLoadTypeReload;
-    NavigationAction action(request, type, request.httpMethod() == "POST");
+    NavigationAction action(request, type, isFormSubmission);
     loadWithNavigationAction(request, action, type, 0, defaultSubstituteDataForURL(request.url()), overrideEncoding);
 }
 
@@ -1431,14 +1372,14 @@
     if (m_loadType != FrameLoadTypeReplace)
         closeOldDataSources();
 
-    transitionToCommitted();
-
-    if (pdl && m_documentLoader) {
-        // Check if the destination page is allowed to access the previous page's timing information.
+    // Check if the destination page is allowed to access the previous page's timing information.
+    if (m_frame->document()) {
         RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::create(pdl->request().url());
-        m_documentLoader->timing()->setHasSameOriginAsPreviousDocument(securityOrigin->canRequest(m_previousURL));
+        pdl->timing()->setHasSameOriginAsPreviousDocument(securityOrigin->canRequest(m_frame->document()->url()));
     }
 
+    transitionToCommitted();
+
     // Call clientRedirectCancelledOrFinished() here so that the frame load delegate is notified that the redirect's
     // status has changed, if there was a redirect.
     if (pdl->isClientRedirect())
@@ -1491,6 +1432,9 @@
 
     history()->updateForCommit();
     m_client->transitionToCommittedForNewPage();
+
+    if (!m_stateMachine.creatingInitialEmptyDocument() && !m_stateMachine.committedFirstRealDocumentLoad())
+        m_stateMachine.advanceTo(FrameLoaderStateMachine::DisplayingInitialEmptyDocumentPostCommit);
 }
 
 void FrameLoader::clientRedirectCancelledOrFinished()
@@ -1906,6 +1850,30 @@
 
     applyUserAgent(request);
 
+    if (!isMainResource) {
+        if (request.isConditional())
+            request.setCachePolicy(ReloadIgnoringCacheData);
+        else if (documentLoader()->isLoadingInAPISense()) {
+            // If we inherit cache policy from a main resource, we use the DocumentLoader's
+            // original request cache policy for two reasons:
+            // 1. For POST requests, we mutate the cache policy for the main resource,
+            //    but we do not want this to apply to subresources
+            // 2. Delegates that modify the cache policy using willSendRequest: should
+            //    not affect any other resources. Such changes need to be done
+            //    per request.
+            ResourceRequestCachePolicy mainDocumentOriginalCachePolicy = documentLoader()->originalRequest().cachePolicy();
+            // Back-forward navigations try to load main resource from cache only to avoid re-submitting form data, and start over (with a warning dialog) if that fails.
+            // This policy is set on initial request too, but should not be inherited.
+            ResourceRequestCachePolicy subresourceCachePolicy = (mainDocumentOriginalCachePolicy == ReturnCacheDataDontLoad) ? ReturnCacheDataElseLoad : mainDocumentOriginalCachePolicy;
+            request.setCachePolicy(subresourceCachePolicy);
+        } else
+            request.setCachePolicy(UseProtocolCachePolicy);
+
+    // FIXME: Other FrameLoader functions have duplicated code for setting cache policy of main request when reloading.
+    // It seems better to manage it explicitly than to hide the logic inside addExtraFieldsToRequest().
+    } else if (m_loadType == FrameLoadTypeReload || m_loadType == FrameLoadTypeReloadFromOrigin || request.isConditional())
+        request.setCachePolicy(ReloadIgnoringCacheData);
+
     if (request.cachePolicy() == ReloadIgnoringCacheData) {
         if (m_loadType == FrameLoadTypeReload)
             request.setHTTPHeaderField("Cache-Control", "max-age=0");
@@ -1949,40 +1917,6 @@
     request.setHTTPOrigin(origin);
 }
 
-void FrameLoader::loadPostRequest(const ResourceRequest& inRequest, const String& referrer, const String& frameName, FrameLoadType loadType, PassRefPtr<Event> event, PassRefPtr<FormState> prpFormState)
-{
-    RefPtr<FormState> formState = prpFormState;
-
-    // Previously when this method was reached, the original FrameLoadRequest had been deconstructed to build a 
-    // bunch of parameters that would come in here and then be built back up to a ResourceRequest.  In case
-    // any caller depends on the immutability of the original ResourceRequest, I'm rebuilding a ResourceRequest
-    // from scratch as it did all along.
-    const KURL& url = inRequest.url();
-    RefPtr<FormData> formData = inRequest.httpBody();
-    const String& contentType = inRequest.httpContentType();
-    String origin = inRequest.httpOrigin();
-
-    ResourceRequest workingResourceRequest(url);    
-
-    if (!referrer.isEmpty())
-        workingResourceRequest.setHTTPReferrer(referrer);
-    workingResourceRequest.setHTTPOrigin(origin);
-    workingResourceRequest.setHTTPMethod("POST");
-    workingResourceRequest.setHTTPBody(formData);
-    workingResourceRequest.setHTTPContentType(contentType);
-
-    NavigationAction action(workingResourceRequest, loadType, true, event);
-
-    if (!frameName.isEmpty()) {
-        // The search for a target frame is done earlier in the case of form submission.
-        if (Frame* targetFrame = formState ? 0 : findFrameForNavigation(frameName))
-            targetFrame->loader()->loadWithNavigationAction(workingResourceRequest, action, loadType, formState.release(), defaultSubstituteDataForURL(workingResourceRequest.url()));
-        else
-            checkNewWindowPolicyAndContinue(formState.release(), frameName, action);
-    } else
-        loadWithNavigationAction(workingResourceRequest, action, loadType, formState.release(), defaultSubstituteDataForURL(workingResourceRequest.url()));
-}
-
 unsigned long FrameLoader::loadResourceSynchronously(const ResourceRequest& request, StoredCredentials storedCredentials, ResourceError& error, ResourceResponse& response, Vector<char>& data)
 {
     ASSERT(m_frame->document());
@@ -2458,13 +2392,17 @@
     RefPtr<FormData> formData = item->formData();
     ResourceRequest request(item->url());
     request.setHTTPReferrer(item->referrer());
+
+    NavigationAction action;
     if (formData) {
         request.setHTTPMethod("POST");
         request.setHTTPBody(formData);
         request.setHTTPContentType(item->formContentType());
         RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::createFromString(item->referrer());
         addHTTPOriginIfNeeded(request, securityOrigin->toString());
-    }
+        request.setCachePolicy(ReturnCacheDataDontLoad);
+    } else
+        request.setCachePolicy(ReturnCacheDataElseLoad);
 
     loadWithNavigationAction(request, NavigationAction(request, FrameLoadTypeBackForward, false), FrameLoadTypeBackForward, 0, defaultSubstituteDataForURL(request.url()));
 }
@@ -2613,7 +2551,6 @@
     info.addMember(m_openedFrames, "openedFrames");
     info.addMember(m_outgoingReferrer, "outgoingReferrer");
     info.addMember(m_networkingContext, "networkingContext");
-    info.addMember(m_previousURL, "previousURL");
     info.addMember(m_requestedHistoryItem, "requestedHistoryItem");
 }
 

diff --git a/Source/core/loader/FrameLoader.h b/Source/core/loader/FrameLoader.h
index c291d54..c8942d5 100644
--- a/Source/core/loader/FrameLoader.h
+++ b/Source/core/loader/FrameLoader.h

@@ -95,7 +95,7 @@
     void setupForReplace();
 
     // FIXME: These are all functions which start loads. We have too many.
-    void loadURLIntoChildFrame(const KURL&, const String& referer, Frame*);
+    void loadURLIntoChildFrame(const ResourceRequest&, Frame*);
     void loadFrameRequest(const FrameLoadRequest&, bool lockBackForwardList,  // Called by submitForm, calls loadPostRequest and loadURL.
         PassRefPtr<Event>, PassRefPtr<FormState>, ShouldSendReferrer);
 
@@ -144,7 +144,6 @@
     FrameState state() const { return m_state; }
 
     const ResourceRequest& originalRequest() const;
-    const ResourceRequest& initialRequest() const;
     void receivedMainResourceError(const ResourceError&);
 
     bool willLoadMediaElementURL(KURL&);
@@ -246,8 +245,6 @@
 
     bool suppressOpenerInNewFrame() const { return m_suppressOpenerInNewFrame; }
 
-    static ObjectContentType defaultObjectContentType(const KURL&, const String& mimeType, bool shouldPreferPlugInsForImages);
-
     bool shouldClose();
     
     void started();
@@ -262,8 +259,6 @@
 
     NetworkingContext* networkingContext() const;
 
-    const KURL& previousURL() const { return m_previousURL; }
-
     void reportMemoryUsage(MemoryObjectInfo*) const;
 
 private:
@@ -302,8 +297,6 @@
 
     void closeOldDataSources();
 
-    bool shouldReloadToHandleUnreachableURL(const KURL&);
-
     void dispatchDidCommitLoad();
 
     void urlSelected(const FrameLoadRequest&, PassRefPtr<Event>, bool lockBackForwardList, ShouldSendReferrer);
@@ -312,10 +305,8 @@
     void loadWithNavigationAction(const ResourceRequest&, const NavigationAction&,
         FrameLoadType, PassRefPtr<FormState>, const SubstituteData&, const String& overrideEncoding = String());
 
-    void loadPostRequest(const ResourceRequest&, const String& referrer,                // Called by loadFrameRequest, calls loadWithNavigationAction
-        const String& frameName, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>);
-    void loadURL(const KURL&, const String& referrer, const String& frameName,          // Called by loadFrameRequest, calls loadWithNavigationAction or dispatches to navigation policy delegate
-        FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>);
+    // Called by loadFrameRequest, calls loadWithNavigationAction or checkNewWindowPolicyAndContinue
+    void loadURL(const ResourceRequest&, const String& frameName, FrameLoadType, PassRefPtr<Event>, PassRefPtr<FormState>);
 
     bool shouldReload(const KURL& currentURL, const KURL& destinationURL);
 
@@ -393,7 +384,6 @@
 
     RefPtr<FrameNetworkingContext> m_networkingContext;
 
-    KURL m_previousURL;
     RefPtr<HistoryItem> m_requestedHistoryItem;
 };
 

diff --git a/Source/core/loader/FrameLoaderStateMachine.cpp b/Source/core/loader/FrameLoaderStateMachine.cpp
index ec335fd..c5a9efb 100644
--- a/Source/core/loader/FrameLoaderStateMachine.cpp
+++ b/Source/core/loader/FrameLoaderStateMachine.cpp

@@ -46,7 +46,7 @@
 
 bool FrameLoaderStateMachine::committedFirstRealDocumentLoad() const 
 {
-    return m_state >= CommittedFirstRealLoad;
+    return m_state >= DisplayingInitialEmptyDocumentPostCommit;
 }
 
 bool FrameLoaderStateMachine::creatingInitialEmptyDocument() const 
@@ -56,7 +56,7 @@
 
 bool FrameLoaderStateMachine::isDisplayingInitialEmptyDocument() const 
 {
-    return m_state == DisplayingInitialEmptyDocument;
+    return m_state == DisplayingInitialEmptyDocument || m_state == DisplayingInitialEmptyDocumentPostCommit;
 }
 
 void FrameLoaderStateMachine::advanceTo(State state)

diff --git a/Source/core/loader/FrameLoaderStateMachine.h b/Source/core/loader/FrameLoaderStateMachine.h
index 23d6d85..1402ebc 100644
--- a/Source/core/loader/FrameLoaderStateMachine.h
+++ b/Source/core/loader/FrameLoaderStateMachine.h

@@ -46,6 +46,7 @@
     enum State {
         CreatingInitialEmptyDocument,
         DisplayingInitialEmptyDocument,
+        DisplayingInitialEmptyDocumentPostCommit,
         CommittedFirstRealLoad
     };
 

diff --git a/Source/core/loader/FrameNetworkingContext.h b/Source/core/loader/FrameNetworkingContext.h
index 274ee68..2cc05f7 100644
--- a/Source/core/loader/FrameNetworkingContext.h
+++ b/Source/core/loader/FrameNetworkingContext.h

@@ -22,7 +22,7 @@
 
 #include "core/dom/Document.h"
 #include "core/page/Frame.h"
-#include "origin/ReferrerPolicy.h"
+#include "weborigin/ReferrerPolicy.h"
 #include "core/platform/network/NetworkingContext.h"
 
 namespace WebCore {

diff --git a/Source/core/loader/ImageLoader.cpp b/Source/core/loader/ImageLoader.cpp
index bceddd1..db60677 100644
--- a/Source/core/loader/ImageLoader.cpp
+++ b/Source/core/loader/ImageLoader.cpp

@@ -38,7 +38,7 @@
 #include "core/page/Frame.h"
 #include "core/rendering/RenderImage.h"
 #include "core/rendering/RenderVideo.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 #if ENABLE(SVG)
 #include "core/rendering/svg/RenderSVGImage.h"
@@ -211,8 +211,8 @@
             clearFailedLoadURL();
     } else if (!attr.isNull()) {
         // Fire an error event if the url is empty.
-        // FIXME: Should we fire this event asynchronoulsy via errorEventSender()?
-        m_element->dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+        m_hasPendingErrorEvent = true;
+        errorEventSender().dispatchEventSoon(this);
     }
     
     CachedImage* oldImage = m_image.get();

diff --git a/Source/core/loader/LinkLoader.cpp b/Source/core/loader/LinkLoader.cpp
index f1734be..3c0ec73 100644
--- a/Source/core/loader/LinkLoader.cpp
+++ b/Source/core/loader/LinkLoader.cpp

@@ -109,16 +109,8 @@
     m_client->didSendDOMContentLoadedForLinkPrerender();
 }
 
-bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const String& type,
-                          const String& sizes, const KURL& href, Document* document)
+bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const String& type, const KURL& href, Document* document)
 {
-    // We'll record this URL per document, even if we later only use it in top level frames
-    if (relAttribute.iconType() != InvalidIcon && href.isValid() && !href.isEmpty()) {
-        if (!m_client->shouldLoadLink()) 
-            return false;
-        document->addIconURL(href.string(), type, sizes, relAttribute.iconType());
-    }
-
     if (relAttribute.isDNSPrefetch()) {
         Settings* settings = document->settings();
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt

diff --git a/Source/core/loader/LinkLoader.h b/Source/core/loader/LinkLoader.h
index b558857..d49f2ee 100644
--- a/Source/core/loader/LinkLoader.h
+++ b/Source/core/loader/LinkLoader.h

@@ -62,7 +62,7 @@
     virtual void didSendDOMContentLoadedForPrerender() OVERRIDE;
 
     void released();
-    bool loadLink(const LinkRelAttribute&, const String& type, const String& sizes, const KURL&, Document*);
+    bool loadLink(const LinkRelAttribute&, const String& type, const KURL&, Document*);
 
 private:
     void linkLoadTimerFired(Timer<LinkLoader>*);

diff --git a/Source/core/loader/MixedContentChecker.cpp b/Source/core/loader/MixedContentChecker.cpp
index ddef5b2..4691de1 100644
--- a/Source/core/loader/MixedContentChecker.cpp
+++ b/Source/core/loader/MixedContentChecker.cpp

@@ -36,8 +36,8 @@
 #include "core/page/DOMWindow.h"
 #include "core/page/Frame.h"
 #include "core/page/Settings.h"
-#include "origin/SchemeRegistry.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SchemeRegistry.h"
+#include "weborigin/SecurityOrigin.h"
 #include "wtf/text/CString.h"
 #include "wtf/text/WTFString.h"
 

diff --git a/Source/core/loader/PingLoader.cpp b/Source/core/loader/PingLoader.cpp
index 2ef5451..518f9fb 100644
--- a/Source/core/loader/PingLoader.cpp
+++ b/Source/core/loader/PingLoader.cpp

@@ -46,8 +46,8 @@
 #include "core/platform/network/ResourceHandle.h"
 #include "core/platform/network/ResourceRequest.h"
 #include "core/platform/network/ResourceResponse.h"
-#include "origin/SecurityOrigin.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/SecurityOrigin.h"
+#include "weborigin/SecurityPolicy.h"
 
 namespace WebCore {
 
@@ -114,18 +114,18 @@
     String referrer = SecurityPolicy::generateReferrerHeader(frame->document()->referrerPolicy(), reportURL, frame->loader()->outgoingReferrer());
     if (!referrer.isEmpty())
         request.setHTTPReferrer(referrer);
-    OwnPtr<PingLoader> pingLoader = adoptPtr(new PingLoader(frame, request));
+    OwnPtr<PingLoader> pingLoader = adoptPtr(new PingLoader(frame, request, SecurityOrigin::create(reportURL)->isSameSchemeHostPort(frame->document()->securityOrigin()) ? AllowStoredCredentials : DoNotAllowStoredCredentials));
 
     // Leak the ping loader, since it will kill itself as soon as it receives a response.
     PingLoader* leakedPingLoader = pingLoader.leakPtr();
     UNUSED_PARAM(leakedPingLoader);
 }
 
-PingLoader::PingLoader(Frame* frame, ResourceRequest& request)
+PingLoader::PingLoader(Frame* frame, ResourceRequest& request, StoredCredentials credentialsAllowed)
     : m_timeout(this, &PingLoader::timeout)
 {
     unsigned long identifier = createUniqueIdentifier();
-    m_handle = ResourceHandle::create(frame->loader()->networkingContext(), request, this, false, false, AllowStoredCredentials);
+    m_handle = ResourceHandle::create(frame->loader()->networkingContext(), request, this, false, false, credentialsAllowed);
 
     InspectorInstrumentation::continueAfterPingLoader(frame, identifier, frame->loader()->activeDocumentLoader(), request, ResourceResponse());
 

diff --git a/Source/core/loader/PingLoader.h b/Source/core/loader/PingLoader.h
index a0f73db..d65842d 100644
--- a/Source/core/loader/PingLoader.h
+++ b/Source/core/loader/PingLoader.h

@@ -34,6 +34,7 @@
 
 #include "core/platform/Timer.h"
 #include "core/platform/network/ResourceHandleClient.h"
+#include "core/platform/network/ResourceHandleTypes.h"
 #include <wtf/Noncopyable.h>
 #include <wtf/RefPtr.h>
 
@@ -61,7 +62,7 @@
     virtual ~PingLoader();
 
 private:
-    PingLoader(Frame*, ResourceRequest&);
+    PingLoader(Frame*, ResourceRequest&, StoredCredentials = AllowStoredCredentials);
 
     virtual void didReceiveResponse(ResourceHandle*, const ResourceResponse&) OVERRIDE { delete this; }
     virtual void didReceiveData(ResourceHandle*, const char*, int, int) OVERRIDE { delete this; }

diff --git a/Source/core/loader/Prerenderer.cpp b/Source/core/loader/Prerenderer.cpp
index 6f027b4..b3a5c4e 100644
--- a/Source/core/loader/Prerenderer.cpp
+++ b/Source/core/loader/Prerenderer.cpp

@@ -38,8 +38,8 @@
 #include "core/loader/PrerendererClient.h"
 #include "core/page/Frame.h"
 #include "core/platform/PrerenderHandle.h"
-#include "origin/ReferrerPolicy.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/ReferrerPolicy.h"
+#include "weborigin/SecurityPolicy.h"
 
 #include <wtf/MemoryInstrumentationVector.h>
 #include <wtf/PassOwnPtr.h>

diff --git a/Source/core/loader/ResourceLoader.cpp b/Source/core/loader/ResourceLoader.cpp
index b97e3de..34bff2a 100644
--- a/Source/core/loader/ResourceLoader.cpp
+++ b/Source/core/loader/ResourceLoader.cpp

@@ -43,7 +43,7 @@
 #include "core/platform/Logging.h"
 #include "core/platform/network/ResourceError.h"
 #include "core/platform/network/ResourceHandle.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 namespace WebCore {
 

diff --git a/Source/core/loader/ResourceLoaderOptions.h b/Source/core/loader/ResourceLoaderOptions.h
index ad1adaa..88c1fc0 100644
--- a/Source/core/loader/ResourceLoaderOptions.h
+++ b/Source/core/loader/ResourceLoaderOptions.h

@@ -61,12 +61,28 @@
 };
 
 struct ResourceLoaderOptions {
-    ResourceLoaderOptions() : sendLoadCallbacks(DoNotSendCallbacks), sniffContent(DoNotSniffContent), dataBufferingPolicy(BufferData), allowCredentials(DoNotAllowStoredCredentials), crossOriginCredentialPolicy(DoNotAskClientForCrossOriginCredentials), securityCheck(DoSecurityCheck) { }
-    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCrossOriginCredentialPolicy crossOriginCredentialPolicy, SecurityCheckPolicy securityCheck)
+    ResourceLoaderOptions()
+        : sendLoadCallbacks(DoNotSendCallbacks)
+        , sniffContent(DoNotSniffContent)
+        , dataBufferingPolicy(BufferData)
+        , allowCredentials(DoNotAllowStoredCredentials)
+        , credentialsRequested(ClientDidNotRequestCredentials)
+        , crossOriginCredentialPolicy(DoNotAskClientForCrossOriginCredentials)
+        , securityCheck(DoSecurityCheck) { }
+
+    ResourceLoaderOptions(
+        SendCallbackPolicy sendLoadCallbacks,
+        ContentSniffingPolicy sniffContent,
+        DataBufferingPolicy dataBufferingPolicy,
+        StoredCredentials allowCredentials,
+        CredentialRequest credentialsRequested,
+        ClientCrossOriginCredentialPolicy crossOriginCredentialPolicy,
+        SecurityCheckPolicy securityCheck)
         : sendLoadCallbacks(sendLoadCallbacks)
         , sniffContent(sniffContent)
         , dataBufferingPolicy(dataBufferingPolicy)
         , allowCredentials(allowCredentials)
+        , credentialsRequested(credentialsRequested)
         , crossOriginCredentialPolicy(crossOriginCredentialPolicy)
         , securityCheck(securityCheck)
     {
@@ -75,6 +91,7 @@
     ContentSniffingPolicy sniffContent;
     DataBufferingPolicy dataBufferingPolicy;
     StoredCredentials allowCredentials; // Whether HTTP credentials and cookies are sent with the request.
+    CredentialRequest credentialsRequested; // Whether the client (e.g. XHR) wanted credentials in the first place.
     ClientCrossOriginCredentialPolicy crossOriginCredentialPolicy; // Whether we will ask the client for credentials (if we allow credentials at all).
     SecurityCheckPolicy securityCheck;
 };

diff --git a/Source/core/loader/SubframeLoader.cpp b/Source/core/loader/SubframeLoader.cpp
index 3bea110..c3b999f 100644
--- a/Source/core/loader/SubframeLoader.cpp
+++ b/Source/core/loader/SubframeLoader.cpp

@@ -52,8 +52,8 @@
 #include "core/plugins/PluginData.h"
 #include "core/rendering/RenderEmbeddedObject.h"
 #include "core/rendering/RenderView.h"
-#include "origin/SecurityOrigin.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/SecurityOrigin.h"
+#include "weborigin/SecurityPolicy.h"
 
 namespace WebCore {
     

diff --git a/Source/core/loader/TextTrackLoader.cpp b/Source/core/loader/TextTrackLoader.cpp
index 842c42c..1fa9ac4 100644
--- a/Source/core/loader/TextTrackLoader.cpp
+++ b/Source/core/loader/TextTrackLoader.cpp

@@ -37,7 +37,7 @@
 #include "core/platform/Logging.h"
 #include "core/platform/SharedBuffer.h"
 #include "core/platform/network/ResourceHandle.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 
 namespace WebCore {
     

diff --git a/Source/core/loader/ThreadableLoader.h b/Source/core/loader/ThreadableLoader.h
index 89724fe..e12b540 100644
--- a/Source/core/loader/ThreadableLoader.h
+++ b/Source/core/loader/ThreadableLoader.h

@@ -32,7 +32,7 @@
 #define ThreadableLoader_h
 
 #include "core/loader/ResourceLoaderOptions.h"
-#include "origin/SecurityOrigin.h"
+#include "weborigin/SecurityOrigin.h"
 #include "core/platform/network/ResourceHandle.h"
 #include <wtf/Noncopyable.h>
 #include <wtf/PassRefPtr.h>
@@ -59,12 +59,22 @@
         PreventPreflight
     };
 
+    enum ContentSecurityPolicyEnforcement {
+        EnforceConnectSrcDirective,
+        DoNotEnforceContentSecurityPolicy,
+    };
+
     struct ThreadableLoaderOptions : public ResourceLoaderOptions {
-        ThreadableLoaderOptions() : preflightPolicy(ConsiderPreflight), crossOriginRequestPolicy(DenyCrossOriginRequests) { }
+        ThreadableLoaderOptions()
+            : preflightPolicy(ConsiderPreflight)
+            , crossOriginRequestPolicy(DenyCrossOriginRequests)
+            , contentSecurityPolicyEnforcement(EnforceConnectSrcDirective) { }
+
         PreflightPolicy preflightPolicy; // If AccessControl is used, how to determine if a preflight is needed.
         CrossOriginRequestPolicy crossOriginRequestPolicy;
         RefPtr<SecurityOrigin> securityOrigin;
         AtomicString initiator;
+        ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement;
     };
 
     // Useful for doing loader operations from any thread (not threadsafe, 

diff --git a/Source/core/loader/archive/MHTMLArchive.cpp b/Source/core/loader/archive/MHTMLArchive.cpp
index 65281ac..a958caf 100644
--- a/Source/core/loader/archive/MHTMLArchive.cpp
+++ b/Source/core/loader/archive/MHTMLArchive.cpp

@@ -40,7 +40,7 @@
 #include "core/platform/MIMETypeRegistry.h"
 #include "core/platform/SharedBuffer.h"
 #include "core/platform/text/QuotedPrintable.h"
-#include "origin/SchemeRegistry.h"
+#include "weborigin/SchemeRegistry.h"
 #include "wtf/CryptographicallyRandomNumber.h"
 #include "wtf/DateMath.h"
 #include "wtf/GregorianDateTime.h"

diff --git a/Source/core/loader/cache/CachedResourceLoader.cpp b/Source/core/loader/cache/CachedResourceLoader.cpp
index 854aed9..ba2a389 100644
--- a/Source/core/loader/cache/CachedResourceLoader.cpp
+++ b/Source/core/loader/cache/CachedResourceLoader.cpp

@@ -58,8 +58,8 @@
 #include "core/page/Performance.h"
 #include "core/page/Settings.h"
 #include "core/platform/Logging.h"
-#include "origin/SecurityOrigin.h"
-#include "origin/SecurityPolicy.h"
+#include "weborigin/SecurityOrigin.h"
+#include "weborigin/SecurityPolicy.h"
 
 #include "core/loader/cache/CachedTextTrack.h"
 
@@ -186,7 +186,7 @@
         memoryCache()->remove(existing);
     }
 
-    request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
+    request.setOptions(ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, SkipSecurityCheck));
     return static_cast<CachedCSSStyleSheet*>(requestResource(CachedResource::CSSStyleSheet, request).get());
 }
 
@@ -233,6 +233,7 @@
     case CachedResource::SVGDocumentResource:
 #endif
     case CachedResource::CSSStyleSheet:
+    case CachedResource::RawResource:
         // These resource can inject script into the current document (Script,
         // XSL) or exfiltrate the content of the current document (CSS).
         if (Frame* f = frame())
@@ -241,7 +242,6 @@
         break;
     case CachedResource::TextTrackResource:
     case CachedResource::ShaderResource:
-    case CachedResource::RawResource:
     case CachedResource::ImageResource:
     case CachedResource::FontResource: {
         // These resources can corrupt only the frame's pixels.
@@ -498,34 +498,6 @@
     request.setTargetType(targetType);
 }
 
-ResourceRequestCachePolicy CachedResourceLoader::resourceRequestCachePolicy(const ResourceRequest& request, CachedResource::Type type)
-{
-    if (type == CachedResource::MainResource) {
-        FrameLoadType frameLoadType = frame()->loader()->loadType();
-        bool isReload = frameLoadType == FrameLoadTypeReload || frameLoadType == FrameLoadTypeReloadFromOrigin;
-        if (request.httpMethod() == "POST" && (isReload || frameLoadType == FrameLoadTypeBackForward))
-            return ReturnCacheDataDontLoad;
-        if (!m_documentLoader->overrideEncoding().isEmpty() || frameLoadType == FrameLoadTypeBackForward)
-            return ReturnCacheDataElseLoad;
-        if (isReload || frameLoadType == FrameLoadTypeSame || request.isConditional())
-            return ReloadIgnoringCacheData;
-        return UseProtocolCachePolicy;
-    }
-
-    if (request.isConditional())
-        return ReloadIgnoringCacheData;
-
-    if (m_documentLoader->isLoadingInAPISense()) {
-        // For POST requests, we mutate the main resource's cache policy to avoid form resubmission.
-        // This policy should not be inherited by subresources.
-        ResourceRequestCachePolicy mainResourceCachePolicy = m_documentLoader->request().cachePolicy();
-        if (mainResourceCachePolicy == ReturnCacheDataDontLoad)
-            return ReturnCacheDataElseLoad;
-        return mainResourceCachePolicy;
-    }
-    return UseProtocolCachePolicy;
-}
-
 void CachedResourceLoader::addAdditionalRequestHeaders(ResourceRequest& request, CachedResource::Type type)
 {
     if (!frame())
@@ -555,7 +527,6 @@
         FrameLoader::addHTTPOriginIfNeeded(request, outgoingOrigin);
     }
 
-    request.setCachePolicy(resourceRequestCachePolicy(request, type));
     if (request.targetType() == ResourceRequest::TargetIsUnspecified)
         determineTargetType(request, type);
     frameLoader->addExtraFieldsToRequest(request);
@@ -1042,7 +1013,7 @@
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
-    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
+    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientRequestedCredentials, AskClientForCrossOriginCredentials, DoSecurityCheck);
     return options;
 }
 

diff --git a/Source/core/loader/cache/CachedResourceLoader.h b/Source/core/loader/cache/CachedResourceLoader.h
index 8550160..728836e 100644
--- a/Source/core/loader/cache/CachedResourceLoader.h
+++ b/Source/core/loader/cache/CachedResourceLoader.h

@@ -144,7 +144,6 @@
     RevalidationPolicy determineRevalidationPolicy(CachedResource::Type, ResourceRequest&, bool forPreload, CachedResource* existingResource, CachedResourceRequest::DeferOption) const;
 
     void determineTargetType(ResourceRequest&, CachedResource::Type);
-    ResourceRequestCachePolicy resourceRequestCachePolicy(const ResourceRequest&, CachedResource::Type);
     void addAdditionalRequestHeaders(ResourceRequest&, CachedResource::Type);
 
     void notifyLoadedFromMemoryCache(CachedResource*);

diff --git a/Source/core/loader/cache/MemoryCache.cpp b/Source/core/loader/cache/MemoryCache.cpp
index 7feb100..d118fcb 100644
--- a/Source/core/loader/cache/MemoryCache.cpp
+++ b/Source/core/loader/cache/MemoryCache.cpp

@@ -45,8 +45,8 @@
 #include "core/workers/WorkerContext.h"
 #include "core/workers/WorkerLoaderProxy.h"
 #include "core/workers/WorkerThread.h"
-#include "origin/SecurityOrigin.h"
-#include "origin/SecurityOriginHash.h"
+#include "weborigin/SecurityOrigin.h"
+#include "weborigin/SecurityOriginHash.h"
 
 using namespace std;
 

diff --git a/Source/core/loader/cache/MemoryCache.h b/Source/core/loader/cache/MemoryCache.h
index 51fdb87..7742c47 100644
--- a/Source/core/loader/cache/MemoryCache.h
+++ b/Source/core/loader/cache/MemoryCache.h

@@ -26,7 +26,7 @@
 #define Cache_h
 
 #include "core/loader/cache/CachedResource.h"
-#include "origin/SecurityOriginHash.h"
+#include "weborigin/SecurityOriginHash.h"
 #include <wtf/HashMap.h>
 #include <wtf/HashSet.h>
 #include <wtf/Noncopyable.h>