Sending auth header only to google sites.

This cl ensures that that the auth headers are sent only to
the families.google.com servers for the EduCoexistence flow.

Bug: 1155252
Change-Id: Ia07b16d32c865052d7c30f23401cbfafdd6f4e4c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2572596Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Dan S <danan@chromium.org>
Commit-Queue: Yilkal Abe <yilkal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#833485}

chrome/browser/resources/chromeos/add_supervision/post_message_api.js

@@ -103,7 +103,7 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
    */
   initialize() {
     if (this.isInitialized_ ||
-        !this.originMatchesFilter_(this.clientElement_.src)) {
+        !this.originMatchesFilter(this.clientElement_.src)) {
       return;
     }
 
@@ -148,11 +148,10 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
 
   /**
    * Determines if the specified origin matches the origin filter.
-   * @private
    * @param {!string} origin The origin URL to match with the filter.
    * @return {boolean}  whether the specified origin matches the filter.
    */
-  originMatchesFilter_(origin) {
+  originMatchesFilter(origin) {
     const originURL = new URL(origin);
 
     // We allow the pathname portion of the URL to be a prefix filter,
@@ -168,7 +167,7 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
    * @param {Event} event  The postMessage event to handle.
    */
   onMessage_(event) {
-    if (!this.originMatchesFilter_(event.origin)) {
+    if (!this.originMatchesFilter(event.origin)) {
       console.log('Message received from unauthorized origin: ' + event.origin);
       return;
     }
@@ -292,7 +291,7 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
    *     sent from the server.
    */
   onInitialize_(event) {
-    if (!this.originMatchesFilter_(event.origin)) {
+    if (!this.originMatchesFilter(event.origin)) {
       console.error(
           'Initialization event received from non-authorized origin: ' +
           event.origin);
@@ -309,7 +308,7 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
    * @param {!string} origin The origin URL to match with the filter.
    * @return {boolean}  whether the specified origin matches the filter.
    */
-  originMatchesFilter_(origin) {
+  originMatchesFilter(origin) {
     return origin == this.serverOriginURLFilter_;
   }
 
@@ -319,7 +318,7 @@ const MAX_INITIALIZATION_ATTEMPTS = 8;
    *     API.
    */
   onMessage_(event) {
-    if (!this.originMatchesFilter_(event.origin)) {
+    if (!this.originMatchesFilter(event.origin)) {
       console.error(
           'Message received from non-authorized origin: ' + event.origin);
       return;

chrome/browser/resources/chromeos/edu_coexistence/edu_coexistence_controller.js

@@ -85,10 +85,12 @@ export class EduCoexistenceController extends PostMessageAPIServer {
 
     this.webview_.request.onBeforeSendHeaders.addListener(
         (details) => {
-          details.requestHeaders.push({
-            name: 'Authorization',
-            value: 'Bearer ' + this.eduCoexistenceAccessToken_,
-          });
+          if (this.originMatchesFilter(details.url)) {
+            details.requestHeaders.push({
+              name: 'Authorization',
+              value: 'Bearer ' + this.eduCoexistenceAccessToken_,
+            });
+          }
 
           return {requestHeaders: details.requestHeaders};
         },