react-native-windows 0.70.0 → 0.70.2

package/Libraries/Network/RCTNetworking.windows.js

@@ -1 +1,117 @@
-module.exports = require('./RCTNetworkingWinShared');
+/**
+ * Copyright (c) Microsoft Corporation.
+ * Licensed under the MIT License.
+ *
+ * @flow strict-local
+ * @format
+ */
+
+'use strict';
+
+import RCTDeviceEventEmitter from '../EventEmitter/RCTDeviceEventEmitter';
+const RCTNetworkingNative =
+  require('../BatchedBridge/NativeModules').Networking; // [Windows]
+import {type NativeResponseType} from './XMLHttpRequest';
+import convertRequestBody, {type RequestBody} from './convertRequestBody';
+import {type EventSubscription} from '../vendor/emitter/EventEmitter';
+
+type RCTNetworkingEventDefinitions = $ReadOnly<{
+  didSendNetworkData: [
+    [
+      number, // requestId
+      number, // progress
+      number, // total
+    ],
+  ],
+  didReceiveNetworkResponse: [
+    [
+      number, // requestId
+      number, // status
+      ?{[string]: string}, // responseHeaders
+      ?string, // responseURL
+    ],
+  ],
+  didReceiveNetworkData: [
+    [
+      number, // requestId
+      string, // response
+    ],
+  ],
+  didReceiveNetworkIncrementalData: [
+    [
+      number, // requestId
+      string, // responseText
+      number, // progress
+      number, // total
+    ],
+  ],
+  didReceiveNetworkDataProgress: [
+    [
+      number, // requestId
+      number, // loaded
+      number, // total
+    ],
+  ],
+  didCompleteNetworkResponse: [
+    [
+      number, // requestId
+      string, // error
+      boolean, // timeOutError
+    ],
+  ],
+}>;
+
+let _requestId = 1;
+function generateRequestId(): number {
+  return _requestId++;
+}
+
+const RCTNetworking = {
+  addListener<K: $Keys<RCTNetworkingEventDefinitions>>(
+    eventType: K,
+    listener: (...$ElementType<RCTNetworkingEventDefinitions, K>) => mixed,
+    context?: mixed,
+  ): EventSubscription {
+    return RCTDeviceEventEmitter.addListener(eventType, listener, context);
+  },
+
+  sendRequest(
+    method: string,
+    trackingName: string,
+    url: string,
+    headers: {...},
+    data: RequestBody,
+    responseType: NativeResponseType,
+    incrementalUpdates: boolean,
+    timeout: number,
+    callback: (requestId: number) => void,
+    withCredentials: boolean,
+  ) {
+    const requestId = generateRequestId();
+    const body = convertRequestBody(data);
+    RCTNetworkingNative.sendRequest(
+      {
+        method,
+        url,
+        requestId,
+        data: {...body, trackingName},
+        headers,
+        responseType,
+        incrementalUpdates,
+        timeout,
+        withCredentials,
+      },
+      callback,
+    );
+  },
+
+  abortRequest(requestId: number) {
+    RCTNetworkingNative.abortRequest(requestId);
+  },
+
+  clearCookies(callback: (result: boolean) => void) {
+    RCTNetworkingNative.clearCookies(callback);
+  },
+};
+
+module.exports = RCTNetworking;

package/Microsoft.ReactNative/Pch/pch.h

@@ -43,7 +43,6 @@
 #include <winrt/Windows.Storage.Streams.h>
 #include <winrt/Windows.UI.ViewManagement.Core.h>
 #include <winrt/Windows.UI.ViewManagement.h>
-#include <winrt/Windows.Web.Http.Filters.h>
 #include <winrt/Windows.Web.Http.Headers.h>
 
 #include "Base/CxxReactIncludes.h"

package/Microsoft.ReactNative/Views/ViewManagerBase.cpp

@@ -271,9 +271,11 @@ bool ViewManagerBase::UpdateProperty(
     const auto iter = pointerEventsMap.find(propertyValue.AsString());
     if (iter != pointerEventsMap.end()) {
       nodeToUpdate->m_pointerEvents = iter->second;
-      if (nodeToUpdate->m_pointerEvents == PointerEventsKind::None) {
-        if (const auto uiElement = nodeToUpdate->GetView().try_as<xaml::UIElement>()) {
+      if (const auto uiElement = nodeToUpdate->GetView().try_as<xaml::UIElement>()) {
+        if (nodeToUpdate->m_pointerEvents == PointerEventsKind::None) {
           uiElement.IsHitTestVisible(false);
+        } else {
+          uiElement.ClearValue(xaml::UIElement::IsHitTestVisibleProperty());
         }
       }
     } else {

package/Microsoft.ReactNative.Managed/Microsoft.ReactNative.Managed.csproj

@@ -25,9 +25,6 @@
     <NoWarn>$(NoWarn);1591</NoWarn>
     <!-- Missing XML comment for publicly visible type or member -->
   </PropertyGroup>
-  <PropertyGroup Label="NuGet">
-    <AssetTargetFallback>$(AssetTargetFallback);native</AssetTargetFallback>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
     <PlatformTarget>x86</PlatformTarget>
     <DebugSymbols>true</DebugSymbols>
@@ -80,6 +77,7 @@
     <RestoreProjectStyle>PackageReference</RestoreProjectStyle>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
   </PropertyGroup>
+  <Import Project="..\PropertySheets\NuGet.CSharp.props" />
   <Import Project="..\PropertySheets\WinUI.props" />
   <ItemGroup>
     <Compile Include="AttributedViewManager.cs" />

package/PropertySheets/External/Microsoft.ReactNative.Common.props

@@ -37,14 +37,5 @@
     <HermesNoDLLCopy Condition="'$(UseHermes)' != 'true'">true</HermesNoDLLCopy>
   </PropertyGroup>
 
-  <!-- Should match entry in $(ReactNativeWindowsDir)vnext\Directory.Build.props -->
-  <PropertyGroup Label="NuGet" Condition="'$(MSBuildProjectExtension)' == '.vcxproj'">
-    <!--See https://docs.microsoft.com/en-us/nuget/reference/msbuild-targets#restore-target-->
-    <RestoreUseStaticGraphEvaluation Condition="'$(BuildingInsideVisualStudio)' == 'true'">true</RestoreUseStaticGraphEvaluation>
-
-    <!-- Ensure PackageReference compatibility for any consuming projects/apps -->
-    <ResolveNuGetPackages>false</ResolveNuGetPackages>
-  </PropertyGroup>
-
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Generated\PackageVersion.g.props" />
 </Project>

package/PropertySheets/External/Microsoft.ReactNative.Uwp.CSharpApp.props

@@ -20,5 +20,6 @@
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.ReactNative.Uwp.Common.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Appx.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Autolink.props" />
+  <Import Project="$(ReactNativeWindowsDir)\PropertySheets\NuGet.CSharp.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\WinUI.props" />
 </Project>

package/PropertySheets/External/Microsoft.ReactNative.Uwp.CSharpLib.props

@@ -13,4 +13,5 @@
   </PropertyGroup>
 
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.ReactNative.Uwp.Common.props" />
+  <Import Project="$(ReactNativeWindowsDir)\PropertySheets\NuGet.CSharp.props" />
 </Project>

package/PropertySheets/External/Microsoft.ReactNative.Uwp.CppApp.props

@@ -16,6 +16,7 @@
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.ReactNative.Uwp.Common.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Appx.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Autolink.props" />
+  <Import Project="$(ReactNativeWindowsDir)\PropertySheets\NuGet.Cpp.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\WinUI.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\CppAppConsumeCSharpModule.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\PackageVersionDefinitions.props" />

package/PropertySheets/External/Microsoft.ReactNative.Uwp.CppLib.props

@@ -17,6 +17,7 @@
     <GenerateLibraryLayout>false</GenerateLibraryLayout>
   </PropertyGroup>
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.ReactNative.Uwp.Common.props" />
+  <Import Project="$(ReactNativeWindowsDir)\PropertySheets\NuGet.Cpp.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\WinUI.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\PackageVersionDefinitions.props" />
 </Project>

package/PropertySheets/External/Microsoft.ReactNative.WinAppSDK.CSharpApp.props

@@ -22,5 +22,6 @@
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.ReactNative.WinAppSDK.Common.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Appx.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\Autolink.props" />
+  <Import Project="$(ReactNativeWindowsDir)\PropertySheets\NuGet.CSharp.props" />
   <Import Project="$(ReactNativeWindowsDir)\PropertySheets\WinUI.props" />
 </Project>

package/PropertySheets/Generated/PackageVersion.g.props

@@ -10,10 +10,10 @@
 -->
 <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup>
-    <ReactNativeWindowsVersion>0.70.0</ReactNativeWindowsVersion>
+    <ReactNativeWindowsVersion>0.70.2</ReactNativeWindowsVersion>
     <ReactNativeWindowsMajor>0</ReactNativeWindowsMajor>
     <ReactNativeWindowsMinor>70</ReactNativeWindowsMinor>
-    <ReactNativeWindowsPatch>0</ReactNativeWindowsPatch>
+    <ReactNativeWindowsPatch>2</ReactNativeWindowsPatch>
     <ReactNativeWindowsCanary>false</ReactNativeWindowsCanary>
   </PropertyGroup>
 </Project>

package/PropertySheets/NuGet.CSharp.props

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- 
+  Copyright (c) Microsoft Corporation. All rights reserved.
+  Licensed under the MIT License.
+
+  Defines NuGet-related properties for C# projects using PackageReference.
+-->
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <PropertyGroup Label="NuGet">
+    <!-- https://github.com/NuGet/Home/issues/10511#issuecomment-778400668 -->
+    <AssetTargetFallback>$(AssetTargetFallback);native</AssetTargetFallback>
+  </PropertyGroup>
+  
+</Project>

package/PropertySheets/NuGet.Cpp.props

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- 
+  Copyright (c) Microsoft Corporation. All rights reserved.
+  Licensed under the MIT License.
+
+  Defines NuGet-related properties for C++ projects using PackageReference.
+-->
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <PropertyGroup Label="NuGet">
+    <!-- Should match entry in $(ReactNativeWindowsDir)vnext\Directory.Build.props -->
+    <!--See https://docs.microsoft.com/en-us/nuget/reference/msbuild-targets#restore-target-->
+    <RestoreUseStaticGraphEvaluation Condition="'$(BuildingInsideVisualStudio)' == 'true'">true</RestoreUseStaticGraphEvaluation>
+
+    <!-- Ensure PackageReference compatibility for any consuming projects/apps -->
+    <ResolveNuGetPackages>false</ResolveNuGetPackages>
+
+    <!-- https://github.com/NuGet/Home/issues/10511#issuecomment-778400668 -->
+    <AssetTargetFallback>$(AssetTargetFallback);uap10.0.16299</AssetTargetFallback>
+
+    <!--
+      Avoid Visual Studio error message:
+      "The project '$(MSBuildProjectName)' ran into a problem during the last operation: The value of the
+      'TargetFrameworkMoniker' and 'NuGetTargetMoniker' properties in the '$(Configuration)|$(Platform)' configuration are both
+      empty. This configuration will not contribute to NuGet restore, which may result in restore and build errors. You may
+      need to reload the solution after fixing the problem."
+    -->
+    <TargetFrameworkMoniker>native,Version=v0.0</TargetFrameworkMoniker>
+  </PropertyGroup>
+
+</Project>

package/PropertySheets/React.Cpp.props

@@ -17,21 +17,7 @@
     <EnableWinRtLeanAndMean Condition="'$(EnableWinRtLeanAndMean)' == ''">true</EnableWinRtLeanAndMean>
   </PropertyGroup>
 
-  <PropertyGroup Label="NuGet">
-    <ResolveNuGetPackages>false</ResolveNuGetPackages>
-
-    <!-- https://github.com/NuGet/Home/issues/10511#issuecomment-778400668 -->
-    <AssetTargetFallback>$(AssetTargetFallback);native</AssetTargetFallback>
-
-    <!--
-      Avoid Visual Studio error message:
-      "The project '$(MSBuildProjectName)' ran into a problem during the last operation: The value of the
-      'TargetFrameworkMoniker' and 'NuGetTargetMoniker' properties in the '$(Configuration)|$(Platform)' configuration are both
-      empty. This configuration will not contribute to NuGet restore, which may result in restore and build errors. You may
-      need to reload the solution after fixing the problem."
-    -->
-    <TargetFrameworkMoniker>native,Version=v0.0</TargetFrameworkMoniker>
-  </PropertyGroup>
+  <Import Project="$(MSBuildThisFileDirectory)NuGet.Cpp.props" />
 
   <PropertyGroup Label="Desktop">
     <!-- See https://docs.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt -->

package/Scripts/OfficeReact.Win32.nuspec

@@ -56,6 +56,7 @@
     <file src="$nugetroot$\inc\Shared\Modules\I18nModule.h" target="inc"/>
     <file src="$nugetroot$\inc\Shared\NativeModuleProvider.h" target="inc"/>
     <file src="$nugetroot$\inc\Shared\Networking\IWebSocketResource.h" target="inc"/>
+    <file src="$nugetroot$\inc\Shared\Networking\OriginPolicy.h" target="inc"/>
     <file src="$nugetroot$\inc\Shared\RuntimeOptions.h" target="inc"/>
     <file src="$nugetroot$\inc\Shared\Tracing.h" target="inc"/>
 

package/Shared/Modules/HttpModule.cpp

@@ -72,9 +72,11 @@ static void SetUpHttpResource(
   };
   resource->SetOnData(std::move(onDataDynamic));
 
-  resource->SetOnError([weakReactInstance](int64_t requestId, string &&message) {
+  resource->SetOnError([weakReactInstance](int64_t requestId, string &&message, bool isTimeout) {
     dynamic args = dynamic::array(requestId, std::move(message));
-    // TODO: isTimeout errorArgs.push_back(true);
+    if (isTimeout) {
+      args.push_back(true);
+    }
 
     SendEvent(weakReactInstance, completedResponse, std::move(args));
   });

package/Shared/Modules/HttpModule.h

@@ -15,7 +15,7 @@ namespace Microsoft::React {
 
 ///
 /// Realizes <c>NativeModules</c> projection.
-/// <remarks>See src\Libraries\Network\RCTNetworkingWinShared.js</remarks>
+/// <remarks>See src\Libraries\Network\RCTNetworking.windows.js</remarks>
 ///
 class HttpModule : public facebook::xplat::module::CxxModule {
  public:

package/Shared/Networking/IHttpResource.h

@@ -96,7 +96,7 @@ struct IHttpResource {
   virtual void SetOnData(std::function<void(int64_t requestId, std::string &&responseData)> &&handler) noexcept = 0;
   virtual void SetOnData(std::function<void(int64_t requestId, folly::dynamic &&responseData)> &&handler) noexcept = 0;
   virtual void SetOnError(
-      std::function<void(int64_t requestId, std::string &&errorMessage /*, bool isTimeout*/)> &&handler) noexcept = 0;
+      std::function<void(int64_t requestId, std::string &&errorMessage, bool isTimeout)> &&handler) noexcept = 0;
 };
 
 } // namespace Microsoft::React::Networking

package/Shared/Networking/IRedirectEventSource.h

@@ -0,0 +1,18 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#pragma once
+
+#include <winrt/Windows.Foundation.h>
+#include <winrt/Windows.Web.Http.h>
+#include <winrt/base.h>
+
+namespace Microsoft::React::Networking {
+
+struct IRedirectEventSource : winrt::implements<IRedirectEventSource, winrt::Windows::Foundation::IInspectable> {
+  virtual bool OnRedirecting(
+      winrt::Windows::Web::Http::HttpRequestMessage const &request,
+      winrt::Windows::Web::Http::HttpResponseMessage const &response) noexcept = 0;
+};
+
+} // namespace Microsoft::React::Networking

package/Shared/Networking/IWinRTHttpRequestFactory.h

@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#pragma once
+
+#include <winrt/Windows.Foundation.Collections.h>
+#include <winrt/Windows.Foundation.h>
+#include <winrt/Windows.Web.Http.h>
+
+namespace Microsoft::React::Networking {
+
+struct IWinRTHttpRequestFactory {
+  virtual ~IWinRTHttpRequestFactory() noexcept {}
+
+  virtual winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::Web::Http::HttpRequestMessage> CreateRequest(
+      winrt::Windows::Web::Http::HttpMethod &&method,
+      winrt::Windows::Foundation::Uri &&uri,
+      winrt::Windows::Foundation::Collections::IMap<winrt::hstring, winrt::Windows::Foundation::IInspectable>
+          props) noexcept = 0;
+};
+
+} // namespace Microsoft::React::Networking

package/Shared/Networking/OriginPolicy.h

@@ -9,7 +9,7 @@ enum class OriginPolicy : size_t {
   None = 0,
   SameOrigin = 1,
   SimpleCrossOriginResourceSharing = 2,
-  CrossOriginResourceSharing = 3, // TODO: Rename as FullCrossOriginResourceSharing?
+  CrossOriginResourceSharing = 3,
 };
 
 } // namespace Microsoft::React::Networking

package/Shared/Networking/OriginPolicyHttpFilter.cpp

@@ -11,10 +11,6 @@
 #include <boost/algorithm/string.hpp>
 #include <boost/lexical_cast/try_lexical_convert.hpp>
 
-// Windows API
-#include <winrt/Windows.Foundation.Collections.h>
-#include <winrt/Windows.Web.Http.Headers.h>
-
 // Standard Library
 #include <queue>
 #include <regex>
@@ -28,6 +24,7 @@ using winrt::to_hstring;
 using winrt::Windows::Foundation::IInspectable;
 using winrt::Windows::Foundation::IPropertyValue;
 using winrt::Windows::Foundation::Uri;
+using winrt::Windows::Foundation::Collections::IMap;
 using winrt::Windows::Web::Http::HttpMethod;
 using winrt::Windows::Web::Http::HttpRequestMessage;
 using winrt::Windows::Web::Http::HttpResponseMessage;
@@ -119,7 +116,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
 }
 
 /*static*/ bool OriginPolicyHttpFilter::IsSameOrigin(Uri const &u1, Uri const &u2) noexcept {
-  return u1.SchemeName() == u2.SchemeName() && u1.Host() == u2.Host() && u1.Port() == u2.Port();
+  return (u1 && u2) && u1.SchemeName() == u2.SchemeName() && u1.Host() == u2.Host() && u1.Port() == u2.Port();
 }
 
 /*static*/ bool OriginPolicyHttpFilter::IsSimpleCorsRequest(HttpRequestMessage const &request) noexcept {
@@ -374,7 +371,7 @@ bool OriginPolicyHttpFilter::ConstWcharComparer::operator()(const wchar_t *a, co
   }
 }
 
-OriginPolicyHttpFilter::OriginPolicyHttpFilter(IHttpFilter &&innerFilter) : m_innerFilter{std::move(innerFilter)} {}
+OriginPolicyHttpFilter::OriginPolicyHttpFilter(IHttpFilter const &innerFilter) : m_innerFilter{innerFilter} {}
 
 OriginPolicyHttpFilter::OriginPolicyHttpFilter()
     : OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::HttpBaseProtocolFilter{}) {}
@@ -443,21 +440,24 @@ OriginPolicy OriginPolicyHttpFilter::ValidateRequest(HttpRequestMessage const &r
 void OriginPolicyHttpFilter::ValidateAllowOrigin(
     hstring const &allowedOrigin,
     hstring const &allowCredentials,
-    IInspectable const &iRequestArgs) const {
+    IMap<hstring, IInspectable> props) const {
   // 4.10.1-2 - null allow origin
   if (L"null" == allowedOrigin)
     throw hresult_error{
         E_INVALIDARG,
         L"Response header Access-Control-Allow-Origin has a value of [null] which differs from the supplied origin"};
 
-  bool withCredentials = iRequestArgs.as<RequestArgs>()->WithCredentials;
+  bool withCredentials = props.Lookup(L"RequestArgs").as<RequestArgs>()->WithCredentials;
   // 4.10.3 - valid wild card allow origin
   if (!withCredentials && L"*" == allowedOrigin)
     return;
 
   // We assume the source (request) origin is not "*", "null", or empty string. Valid URI is expected
   // 4.10.4 - Mismatched allow origin
-  if (allowedOrigin.empty() || !IsSameOrigin(s_origin, Uri{allowedOrigin})) {
+  auto taintedOriginProp = props.TryLookup(L"TaintedOrigin");
+  auto taintedOrigin = taintedOriginProp && winrt::unbox_value<bool>(taintedOriginProp);
+  auto origin = taintedOrigin ? nullptr : s_origin;
+  if (allowedOrigin.empty() || !IsSameOrigin(origin, Uri{allowedOrigin})) {
     hstring errorMessage;
     if (allowedOrigin.empty())
       errorMessage = L"No valid origin in response";
@@ -511,14 +511,14 @@ void OriginPolicyHttpFilter::ValidatePreflightResponse(
 
   auto controlValues = ExtractAccessControlValues(response.Headers());
 
-  auto iRequestArgs = request.Properties().Lookup(L"RequestArgs");
+  auto props = request.Properties();
   // Check if the origin is allowed in conjuction with the withCredentials flag
   // CORS preflight should always exclude credentials although the subsequent CORS request may include credentials.
-  ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, iRequestArgs);
+  ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, props);
 
   // See https://fetch.spec.whatwg.org/#cors-preflight-fetch, section 4.8.7.5
   // Check if the request method is allowed
-  bool withCredentials = iRequestArgs.as<RequestArgs>()->WithCredentials;
+  bool withCredentials = props.Lookup(L"RequestArgs").as<RequestArgs>()->WithCredentials;
   bool requestMethodAllowed = false;
   for (const auto &method : controlValues.AllowedMethods) {
     if (L"*" == method) {
@@ -579,8 +579,8 @@ void OriginPolicyHttpFilter::ValidateResponse(HttpResponseMessage const &respons
   if (originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing ||
       originPolicy == OriginPolicy::CrossOriginResourceSharing) {
     auto controlValues = ExtractAccessControlValues(response.Headers());
-    auto withCredentials =
-        response.RequestMessage().Properties().Lookup(L"RequestArgs").try_as<RequestArgs>()->WithCredentials;
+    auto props = response.RequestMessage().Properties();
+    auto withCredentials = props.Lookup(L"RequestArgs").try_as<RequestArgs>()->WithCredentials;
 
     if (GetRuntimeOptionBool("Http.StrictOriginCheckSimpleCors") &&
         originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing) {
@@ -595,8 +595,7 @@ void OriginPolicyHttpFilter::ValidateResponse(HttpResponseMessage const &respons
         throw hresult_error{E_INVALIDARG, L"The server does not support CORS or the origin is not allowed"};
       }
     } else {
-      auto iRequestArgs = response.RequestMessage().Properties().Lookup(L"RequestArgs");
-      ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, iRequestArgs);
+      ValidateAllowOrigin(controlValues.AllowedOrigin, controlValues.AllowedCredentials, props);
     }
 
     if (originPolicy == OriginPolicy::SimpleCrossOriginResourceSharing) {
@@ -684,6 +683,38 @@ ResponseOperation OriginPolicyHttpFilter::SendPreflightAsync(HttpRequestMessage
   co_return {co_await m_innerFilter.SendRequestAsync(preflightRequest)};
 }
 
+#pragma region IRedirectEventSource
+
+bool OriginPolicyHttpFilter::OnRedirecting(
+    HttpRequestMessage const &request,
+    HttpResponseMessage const &response) noexcept {
+  // Consider the following scenario.
+  // User signs in to http://a.com and visits a page that makes CORS request to http://b.com with origin=http://a.com.
+  // Http://b.com reponds with a redirect to http://a.com. The browser follows the redirect to http://a.com with
+  // origin=http://a.com. Since the origin matches the URL, the request is authorized at http://a.com, but it actually
+  // allows http://b.com to bypass the CORS check at http://a.com since the redirected URL is from http://b.com.
+  if (!IsSameOrigin(response.Headers().Location(), request.RequestUri()) &&
+      !IsSameOrigin(s_origin, request.RequestUri())) {
+    // By masking the origin field in the request header, we make it impossible for the server to set a single value for
+    // the access-control-allow-origin header. It means, the only way to support redirect is that server allows access
+    // from all sites through wildcard.
+    request.Headers().Insert(L"Origin", L"null");
+
+    auto props = request.Properties();
+    // Look for 'RequestArgs' key to ensure we are redirecting the main request.
+    if (auto iReqArgs = props.TryLookup(L"RequestArgs")) {
+      props.Insert(L"TaintedOrigin", winrt::box_value(true));
+    } else {
+      // Abort redirection if the request is either preflight or extraneous.
+      return false;
+    }
+  }
+
+  return true;
+}
+
+#pragma endregion IRedirectEventSource
+
 #pragma region IHttpFilter
 
 ResponseOperation OriginPolicyHttpFilter::SendRequestAsync(HttpRequestMessage const &request) {

package/Shared/Networking/OriginPolicyHttpFilter.h

@@ -3,11 +3,14 @@
 
 #pragma once
 
+#include "IRedirectEventSource.h"
 #include "OriginPolicy.h"
 
 // Windows API
+#include <winrt/Windows.Foundation.Collections.h>
 #include <winrt/Windows.Foundation.h>
 #include <winrt/Windows.Web.Http.Filters.h>
+#include <winrt/Windows.Web.Http.Headers.h>
 #include <winrt/Windows.Web.Http.h>
 
 // Standard Library
@@ -16,7 +19,8 @@
 namespace Microsoft::React::Networking {
 
 class OriginPolicyHttpFilter
-    : public winrt::implements<OriginPolicyHttpFilter, winrt::Windows::Web::Http::Filters::IHttpFilter> {
+    : public winrt::
+          implements<OriginPolicyHttpFilter, winrt::Windows::Web::Http::Filters::IHttpFilter, IRedirectEventSource> {
  public:
   struct ConstWcharComparer {
     bool operator()(const wchar_t *, const wchar_t *) const;
@@ -75,7 +79,7 @@ class OriginPolicyHttpFilter
       winrt::Windows::Web::Http::HttpResponseMessage const &response,
       bool removeAll);
 
-  OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::IHttpFilter &&innerFilter);
+  OriginPolicyHttpFilter(winrt::Windows::Web::Http::Filters::IHttpFilter const &innerFilter);
 
   OriginPolicyHttpFilter();
 
@@ -92,13 +96,22 @@ class OriginPolicyHttpFilter
   void ValidateAllowOrigin(
       winrt::hstring const &allowedOrigin,
       winrt::hstring const &allowCredentials,
-      winrt::Windows::Foundation::IInspectable const &iArgs) const;
+      winrt::Windows::Foundation::Collections::IMap<winrt::hstring, winrt::Windows::Foundation::IInspectable> props)
+      const;
 
   winrt::Windows::Foundation::IAsyncOperationWithProgress<
       winrt::Windows::Web::Http::HttpResponseMessage,
       winrt::Windows::Web::Http::HttpProgress>
   SendPreflightAsync(winrt::Windows::Web::Http::HttpRequestMessage const &request) const;
 
+#pragma region IRedirectEventSource
+
+  bool OnRedirecting(
+      winrt::Windows::Web::Http::HttpRequestMessage const &request,
+      winrt::Windows::Web::Http::HttpResponseMessage const &response) noexcept override;
+
+#pragma endregion IRedirectEventSource
+
 #pragma region IHttpFilter
 
   winrt::Windows::Foundation::IAsyncOperationWithProgress<