Set |request_initiator| to the website (fixing XHR as well).

This is a follow-up to r694827 which intended to ensure that
|request_initiator| is always set to the website (and not, for example,
to the content script's origin), but missed fixing this for XHR API.

Note that some follow-ups for r694827 (e.g. r700486 and r704100) have
already landed in M79 - these follow-ups assume that |request_initiator|
is set to the website origin everywhere.  This CL fixes this assumption
for XHR.  We should consider merging this CL to M79 (otherwise CORB and
CORS might incorrectly start to block same-origin XHRs).

This CL is also a prerequisite for starting to enforce
request_initiator_site_lock in a follow-up CL at
https://crrev.com/c/1875273

Bug: 1017448
Change-Id: I8512daf9364aaa10d76c81ef9bcc18f072a2337d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1876981
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#710554}

chrome/browser/extensions/api/web_request/web_request_apitest.cc

@@ -1028,7 +1028,12 @@ IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, ExtensionRequests) {
   // The extension frame does run in the extension's process. Any requests made
   // by it should not be visible to other extensions, since they won't have
   // access to the request initiator.
-  EXPECT_EQ("Did not intercept any requests.", listener_result.message());
+  //
+  // OTOH, the content script executes fetches/XHRs as-if they were initiated by
+  // the webpage that the content script got injected into.  Here, the webpage
+  // has origin of http://127.0.0.1:<some port>, and so the webRequest API
+  // extension should have access to the request.
+  EXPECT_EQ("Intercepted requests: ?contentscript", listener_result.message());
 }
 
 IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, HostedAppRequest) {

chrome/test/data/extensions/api_test/webrequest/test_unload5.js

@@ -10,7 +10,7 @@ runTests([
   function startXMLHttpRequestAndRemoveFrame() {
     const hostname = 'slow-resourcetype-xhr-immediately-remove-frame';
     const url = getSlowURL(hostname);
-    const initiator = 'chrome-extension://' + chrome.runtime.id;
+    const initiator = getServerDomain(initiators.WEB_INITIATED, hostname)
     const mainUrl = getPageWithFrame('empty.html', hostname);
 
     expect([
@@ -81,7 +81,7 @@ runTests([
   function startXMLHttpRequestAndRemoveTab() {
     const hostname = 'slow-resourcetype-xhr-immediately-remove-tab';
     const url = getSlowURL(hostname);
-    const initiator = 'chrome-extension://' + chrome.runtime.id;
+    const initiator = getServerDomain(initiators.WEB_INITIATED, hostname)
     const mainUrl = getServerURL('empty.html', hostname);
 
     expect([

third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc

@@ -305,18 +305,6 @@ Document* XMLHttpRequest::GetDocument() const {
   return To<Document>(GetExecutionContext());
 }
 
-const SecurityOrigin* XMLHttpRequest::GetSecurityOrigin() const {
-  return isolated_world_security_origin_
-             ? isolated_world_security_origin_.get()
-             : GetExecutionContext()->GetSecurityOrigin();
-}
-
-SecurityOrigin* XMLHttpRequest::GetMutableSecurityOrigin() {
-  return isolated_world_security_origin_
-             ? isolated_world_security_origin_.get()
-             : GetExecutionContext()->GetMutableSecurityOrigin();
-}
-
 XMLHttpRequest::State XMLHttpRequest::readyState() const {
   return state_;
 }
@@ -1048,12 +1036,15 @@ void XMLHttpRequest::CreateRequest(scoped_refptr<EncodedFormData> http_body,
   // We also remember whether upload events should be allowed for this request
   // in case the upload listeners are added after the request is started.
   upload_events_allowed_ =
-      GetSecurityOrigin()->CanRequest(url_) || upload_events ||
-      !cors::IsCorsSafelistedMethod(method_) ||
+      GetExecutionContext()->GetSecurityOrigin()->CanRequest(url_) ||
+      (isolated_world_security_origin_ &&
+       isolated_world_security_origin_->CanRequest(url_)) ||
+      upload_events || !cors::IsCorsSafelistedMethod(method_) ||
       !cors::ContainsOnlyCorsSafelistedHeaders(request_headers_);
 
   ResourceRequest request(url_);
-  request.SetRequestorOrigin(GetSecurityOrigin());
+  request.SetRequestorOrigin(GetExecutionContext()->GetSecurityOrigin());
+  request.SetIsolatedWorldOrigin(isolated_world_security_origin_);
   request.SetHttpMethod(method_);
   request.SetRequestContext(mojom::RequestContextType::XML_HTTP_REQUEST);
   request.SetMode(upload_events
@@ -1494,8 +1485,9 @@ String XMLHttpRequest::getAllResponseHeaders() const {
     // TODO: Consider removing canLoadLocalResources() call.
     // crbug.com/567527
     if (FetchUtils::IsForbiddenResponseHeaderName(it->key) &&
-        !GetSecurityOrigin()->CanLoadLocalResources())
+        !GetExecutionContext()->GetSecurityOrigin()->CanLoadLocalResources()) {
       continue;
+    }
 
     if (response_.GetType() == network::mojom::FetchResponseType::kCors &&
         !cors::IsCorsSafelistedResponseHeader(it->key) &&
@@ -1530,7 +1522,7 @@ const AtomicString& XMLHttpRequest::getResponseHeader(
 
   // See comment in getAllResponseHeaders above.
   if (FetchUtils::IsForbiddenResponseHeaderName(name) &&
-      !GetSecurityOrigin()->CanLoadLocalResources()) {
+      !GetExecutionContext()->GetSecurityOrigin()->CanLoadLocalResources()) {
     LogConsoleError(GetExecutionContext(),
                     "Refused to get unsafe header \"" + name + "\"");
     return g_null_atom;

third_party/blink/renderer/core/xmlhttprequest/xml_http_request.h

@@ -176,12 +176,6 @@ class XMLHttpRequest final : public XMLHttpRequestEventTarget,
 
   Document* GetDocument() const;
 
-  // Returns the SecurityOrigin of the isolated world if the XMLHttpRequest was
-  // created in an isolated world. Otherwise, returns the SecurityOrigin of the
-  // execution context.
-  const SecurityOrigin* GetSecurityOrigin() const;
-  SecurityOrigin* GetMutableSecurityOrigin();
-
   void DidSendData(uint64_t bytes_sent,
                    uint64_t total_bytes_to_be_sent) override;
   void DidReceiveResponse(uint64_t identifier,

third_party/blink/web_tests/http/tests/xmlhttprequest/chromium/resources/access-control-origin-header-in-isolated-world.php

 <?php
-if ($_SERVER["HTTP_ORIGIN"] == "http://example.com") {
-  header("Access-Control-Allow-Origin: http://example.com");
+if ($_SERVER["HTTP_ORIGIN"] == "http://127.0.0.1:8000") {
+  header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
 
   if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
     header("Access-Control-Allow-Headers: X-Custom-Header");