Merge pull request #7839 from AnalyticalGraphicsInc/ion-cors

Don't send ion access token to non-ion servers
CesiumGS · May 15, 2019 · 37cacdf · 37cacdf
2 parents 8425126 + 4f5a756
commit 37cacdf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,12 +1,15 @@
 Change Log
 ==========
-### 1.58 - 2019-06-01
+### 1.58 - 2019-06-03
 
 ##### Additions :tada:
 * Added support for new `BingMapsStyle` values `ROAD_ON_DEMAND` and `AERIAL_WITH_LABELS_ON_DEMAND`. The older versions of these, `ROAD` and `AERIAL_WITH_LABELS`, have been deprecated by Bing. [#7808](https://github.com/AnalyticalGraphicsInc/cesium/pull/7808)
 * Added syntax to delete data from existing properties via CZML. [#7818](https://github.com/AnalyticalGraphicsInc/cesium/pull/7818)
 * `BingMapsImageryProvider` now uses `DiscardEmptyTileImagePolicy` by default to detect missing tiles as zero-length responses instead of inspecting pixel values. [#7810](https://github.com/AnalyticalGraphicsInc/cesium/pull/7810)
 
+##### Fixes :wrench:
+* Fixed an edge case where Cesium would provide ion access token credentials to non-ion servers if the actual asset entrypoint was being hosted by ion. [#7839](https://github.com/AnalyticalGraphicsInc/cesium/pull/7839)
+
 ### 1.57 - 2019-05-01
 
 ##### Additions :tada:

diff --git a/Source/Core/IonResource.js b/Source/Core/IonResource.js
@@ -1,4 +1,5 @@
 define([
+        '../ThirdParty/Uri',
         '../ThirdParty/when',
         './Check',
         './Credit',
@@ -9,6 +10,7 @@ define([
         './Resource',
         './RuntimeError'
     ], function(
+        Uri,
         when,
         Check,
         Credit,
@@ -64,6 +66,7 @@ define([
 
         // The asset endpoint data returned from ion.
         this._ionEndpoint = endpoint;
+        this._ionEndpointDomain = isExternal ? undefined : new Uri(endpoint.url).authority;
 
         // The endpoint resource to fetch when a new token is needed
         this._ionEndpointResource = endpointResource;
@@ -180,7 +183,8 @@ define([
     };
 
     IonResource.prototype._makeRequest = function(options) {
-        if (this._isExternal) {
+        // Don't send ion access token to non-ion servers.
+        if (this._isExternal || new Uri(this.url).authority !== this._ionEndpointDomain) {
             return Resource.prototype._makeRequest.call(this, options);
         }
 

diff --git a/Specs/Core/IonResourceSpec.js b/Specs/Core/IonResourceSpec.js
@@ -221,6 +221,18 @@ defineSuite([
         expect(_makeRequest.calls.argsFor(0)[0]).toBe(options);
     });
 
+    it('Calls base _makeRequest with no changes for ion assets with external urls', function() {
+        var originalOptions = {};
+        var expectedOptions = {};
+
+        var _makeRequest = spyOn(Resource.prototype, '_makeRequest');
+        var endpointResource = IonResource._createEndpointResource(assetId);
+        var resource = new IonResource(endpoint, endpointResource);
+        resource.url = 'http://test.invalid';
+        resource._makeRequest(originalOptions);
+        expect(_makeRequest).toHaveBeenCalledWith(expectedOptions);
+    });
+
     it('Calls base fetchImage with preferBlob for ion assets', function() {
         var fetchImage = spyOn(Resource.prototype, 'fetchImage');
         var endpointResource = IonResource._createEndpointResource(assetId);