Define hard-coded extra CORS-safelisted header names

To resolve OOR-CORS blocking enterprise issues, this CL defines kExtraSafelistedHeaderNames. This is a very short term fix and violates layer in order to make it mergeable. We'll use it only for M77. This affects only the OOR-CORS enabled path. Bug: 999052 Change-Id: I66ab8f298ed761aa3d78d02fa521d1c08f492fed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774010 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#691617}

Define hard-coded extra CORS-safelisted header names
To resolve OOR-CORS blocking enterprise issues, this CL defines kExtraSafelistedHeaderNames. This is a very short term fix and violates layer in order to make it mergeable. We'll use it only for M77. This affects only the OOR-CORS enabled path. Bug: 999052 Change-Id: I66ab8f298ed761aa3d78d02fa521d1c08f492fed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774010 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#691617}
33d1685b · Yutaka Hirano · Commit Bot · 1330e660 · 33d1685b · 33d1685b
Commit 33d1685b authored Aug 29, 2019 by Yutaka Hirano Committed by Commit Bot Aug 29, 2019
Showing with 114 additions and 0 deletions

services/network/cors/cors_url_loader_unittest.cc services/network/cors/cors_url_loader_unittest.cc +101 -0

services/network/public/cpp/cors/cors.cc services/network/public/cpp/cors/cors.cc +13 -0

No files found.
--- a/services/network/cors/cors_url_loader_unittest.cc
+++ b/services/network/cors/cors_url_loader_unittest.cc
@@ -1893,6 +1893,107 @@ TEST_F(CorsURLLoaderTest, RestrictedPrefetchFailsWithoutNIK) {
                             "LOAD_RESTRICTED_PREFETCH flag is not trusted"));
 }

+// TODO(yhirano): Remove this as soon as possible.
+TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader1) {
+  const GURL origin("https://example.com");
+  const GURL url("https://other.example.com/foo.png");
+  const GURL new_url("https://other2.example.com/bar.png");
+
+  ResourceRequest request;
+  request.mode = mojom::RequestMode::kCors;
+  request.credentials_mode = mojom::CredentialsMode::kOmit;
+  request.method = "GET";
+  request.url = url;
+  request.request_initiator = url::Origin::Create(origin);
+  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
+  request.headers.SetHeader("YouTube-restricT", "bar");
+
+  CreateLoaderAndStart(request);
+
+  // NO preflight request
+  ASSERT_EQ(1, num_created_loaders());
+  EXPECT_EQ(GetRequest().url, url);
+  EXPECT_EQ(GetRequest().method, "GET");
+}
+
+// TODO(yhirano): Remove this as soon as possible.
+TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader2) {
+  const GURL origin("https://example.com");
+  const GURL url("https://other.example.com/foo.png");
+  const GURL new_url("https://other2.example.com/bar.png");
+
+  ResourceRequest request;
+  request.mode = mojom::RequestMode::kCors;
+  request.credentials_mode = mojom::CredentialsMode::kOmit;
+  request.method = "GET";
+  request.url = url;
+  request.request_initiator = url::Origin::Create(origin);
+  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
+
+  CreateLoaderAndStart(request);
+
+  // NO preflight request
+  ASSERT_EQ(1, num_created_loaders());
+  EXPECT_EQ(GetRequest().url, url);
+  EXPECT_EQ(GetRequest().method, "GET");
+}
+
+// TODO(yhirano): Remove this as soon as possible.
+TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader3) {
+  const GURL origin("https://example.com");
+  const GURL url("https://other.example.com/foo.png");
+  const GURL new_url("https://other2.example.com/bar.png");
+
+  ResourceRequest request;
+  request.mode = mojom::RequestMode::kCors;
+  request.credentials_mode = mojom::CredentialsMode::kOmit;
+  request.method = "GET";
+  request.url = url;
+  request.request_initiator = url::Origin::Create(origin);
+  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
+  request.headers.SetHeader("foo", "foo");
+
+  CreateLoaderAndStart(request);
+
+  // preflight request
+  ASSERT_EQ(1, num_created_loaders());
+  EXPECT_EQ(GetRequest().url, url);
+  EXPECT_EQ(GetRequest().method, "OPTIONS");
+
+  std::string headers;
+  EXPECT_TRUE(GetRequest().headers.GetHeader("access-control-request-headers",
+                                             &headers));
+  EXPECT_EQ(headers, "foo");
+}
+
+// TODO(yhirano): Remove this as soon as possible.
+TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader4) {
+  const GURL origin("https://example.com");
+  const GURL url("https://other.example.com/foo.png");
+  const GURL new_url("https://other2.example.com/bar.png");
+
+  ResourceRequest request;
+  request.mode = mojom::RequestMode::kCors;
+  request.credentials_mode = mojom::CredentialsMode::kOmit;
+  request.method = "GET";
+  request.url = url;
+  request.request_initiator = url::Origin::Create(origin);
+  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
+  request.headers.SetHeader("YouTube-restricT", "bar");
+  request.headers.SetHeader("hoge", "fuga");
+
+  CreateLoaderAndStart(request);
+
+  // preflight request
+  ASSERT_EQ(1, num_created_loaders());
+  EXPECT_EQ(GetRequest().url, url);
+  EXPECT_EQ(GetRequest().method, "OPTIONS");
+  std::string headers;
+  EXPECT_TRUE(GetRequest().headers.GetHeader("access-control-request-headers",
+                                             &headers));
+  EXPECT_EQ(headers, "hoge");
+}
+
 }  // namespace

 }  // namespace cors

--- a/services/network/public/cpp/cors/cors.cc
+++ b/services/network/public/cpp/cors/cors.cc
@@ -10,11 +10,13 @@
 #include <vector>

 #include "base/containers/flat_set.h"
+#include "base/feature_list.h"
 #include "base/no_destructor.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "net/base/mime_util.h"
 #include "net/http/http_request_headers.h"
+#include "services/network/public/cpp/features.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 #include "url/url_constants.h"
@@ -414,6 +416,17 @@ bool IsCorsSafelistedHeader(const std::string& name, const std::string& value) {
      "sec-ch-ua-model",
  };
  const std::string lower_name = base::ToLowerASCII(name);
+
+  if (base::FeatureList::IsEnabled(features::kOutOfBlinkCors)) {
+    // Here we temporarily define extra CORS safelisted header names. This is
+    // a very short term fix in order to make the change mergeable.
+    // TODO(yhirano): Remove this definition as soon as possible.
+    if (lower_name == "x-googapps-allowed-domains" ||
+        lower_name == "youtube-restrict") {
+      return true;
+    }
+  }
+
  if (std::find(std::begin(safe_names), std::end(safe_names), lower_name) ==
      std::end(safe_names))
    return false;