Origin Policy: Implement 'redirect' behaviour.

Because: https://wicg.github.io/origin-policy/#monkey-patching-fetch, 3.4.2 #8

This addresses deferred feedback from https://crrev.com/c/1148395

Bug: 751996
Change-Id: Iac7756bf7c6b126711f002fd94b82bfd5fcae522
Reviewed-on: https://chromium-review.googlesource.com/1221146
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593626}

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-301redirect

+

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-301redirect.mock-http-headers

+HTTP/1.0 301 Moved Permanently
+Location: /.well-known/origin-policy/example-policy
+

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-302redirect

+

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-302redirect.mock-http-headers

+HTTP/1.0 302 Found
+Location: /.well-known/origin-policy/example-policy
+

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-307redirect

+

chrome/test/data/origin_policy_browsertest/.well-known/origin-policy/policy-with-307redirect.mock-http-headers

+HTTP/1.0 307 Temporary Redirect
+Location: /.well-known/origin-policy/example-policy
+

chrome/test/data/origin_policy_browsertest/page-policy-301redirect.html

+<html>
+<head>
+  <title>Page With Policy 301 Redirect</title>
+</head>
+<body>
+  <p>Page With Policy 301 Redirect</p>
+</body>
+</html>
+

chrome/test/data/origin_policy_browsertest/page-policy-301redirect.html.mock-http-headers

+HTTP/1.0 200 OK
+Content-Type: text/html
+Sec-Origin-Policy: policy-with-301redirect
+

chrome/test/data/origin_policy_browsertest/page-policy-302redirect.html

+<html>
+<head>
+  <title>Page With Policy 302 Redirect</title>
+</head>
+<body>
+  <p>Page With Policy 302 Redirect</p>
+</body>
+</html>
+

chrome/test/data/origin_policy_browsertest/page-policy-302redirect.html.mock-http-headers

+HTTP/1.0 200 OK
+Content-Type: text/html
+Sec-Origin-Policy: policy-with-302redirect
+

chrome/test/data/origin_policy_browsertest/page-policy-307redirect.html

+<html>
+<head>
+  <title>Page With Policy 307 Redirect</title>
+</head>
+<body>
+  <p>Page With Policy 307 Redirect</p>
+</body>
+</html>
+

chrome/test/data/origin_policy_browsertest/page-policy-307redirect.html.mock-http-headers

+HTTP/1.0 200 OK
+Content-Type: text/html
+Sec-Origin-Policy: policy-with-307redirect
+

chrome/test/origin_policy/origin_policy_browsertest.cc

@@ -76,4 +76,19 @@ IN_PROC_BROWSER_TEST_F(OriginPolicyBrowserTest, ErrorCantDownloadPolicy) {
             NavigateToAndReturnTitle("/page-policy-missing.html"));
 }
 
+IN_PROC_BROWSER_TEST_F(OriginPolicyBrowserTest, ErrorPolicy301Redirect) {
+  EXPECT_EQ(base::ASCIIToUTF16(kErrorInterstitialTitle),
+            NavigateToAndReturnTitle("/page-policy-301redirect.html"));
+}
+
+IN_PROC_BROWSER_TEST_F(OriginPolicyBrowserTest, ErrorPolicy302Redirect) {
+  EXPECT_EQ(base::ASCIIToUTF16(kErrorInterstitialTitle),
+            NavigateToAndReturnTitle("/page-policy-302redirect.html"));
+}
+
+IN_PROC_BROWSER_TEST_F(OriginPolicyBrowserTest, ErrorPolicy307Redirect) {
+  EXPECT_EQ(base::ASCIIToUTF16(kErrorInterstitialTitle),
+            NavigateToAndReturnTitle("/page-policy-307redirect.html"));
+}
+
 }  // namespace content

content/browser/frame_host/origin_policy_throttle.cc

@@ -37,8 +37,7 @@ namespace content {
 bool OriginPolicyThrottle::ShouldRequestOriginPolicy(
     const GURL& url,
     std::string* request_version) {
-  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
-
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
   bool origin_policy_enabled =
       base::FeatureList::IsEnabled(features::kOriginPolicy) ||
       base::CommandLine::ForCurrentProcess()->HasSwitch(
@@ -61,7 +60,7 @@ bool OriginPolicyThrottle::ShouldRequestOriginPolicy(
 // static
 std::unique_ptr<NavigationThrottle>
 OriginPolicyThrottle::MaybeCreateThrottleFor(NavigationHandle* handle) {
-  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
   DCHECK(handle);
 
   // We use presence of the origin policy request header to determine
@@ -146,7 +145,9 @@ OriginPolicyThrottle::WillProcessResponse() {
   FetchCallback done =
       base::BindOnce(&OriginPolicyThrottle::OnTheGloriousPolicyHasArrived,
                      base::Unretained(this));
-  FetchPolicy(policy, std::move(done));
+  RedirectCallback redirect = base::BindRepeating(
+      &OriginPolicyThrottle::OnRedirect, base::Unretained(this));
+  FetchPolicy(policy, std::move(done), std::move(redirect));
   return NavigationThrottle::DEFER;
 }
 
@@ -173,7 +174,9 @@ const url::Origin OriginPolicyThrottle::GetRequestOrigin() {
   return url::Origin::Create(navigation_handle()->GetURL());
 }
 
-void OriginPolicyThrottle::FetchPolicy(const GURL& url, FetchCallback done) {
+void OriginPolicyThrottle::FetchPolicy(const GURL& url,
+                                       FetchCallback done,
+                                       RedirectCallback redirect) {
   // Create the traffic annotation
   net::NetworkTrafficAnnotationTag traffic_annotation =
       net::DefineNetworkTrafficAnnotation("origin_policy_loader", R"(
@@ -197,26 +200,22 @@ void OriginPolicyThrottle::FetchPolicy(const GURL& url, FetchCallback done) {
           policy_exception_justification:
             "Not implemented, considered not useful."})");
 
-  // Create the SimpleURLLoader for the policy.
+  // Create and configure the SimpleURLLoader for the policy.
   std::unique_ptr<network::ResourceRequest> policy_request =
       std::make_unique<network::ResourceRequest>();
   policy_request->url = url;
   policy_request->request_initiator = url::Origin::Create(url);
-  policy_request->fetch_credentials_mode =
-      network::mojom::FetchCredentialsMode::kOmit;
-  policy_request->fetch_redirect_mode =
-      network::mojom::FetchRedirectMode::kError;
   policy_request->load_flags = net::LOAD_DO_NOT_SEND_COOKIES |
                                net::LOAD_DO_NOT_SAVE_COOKIES |
                                net::LOAD_DO_NOT_SEND_AUTH_DATA;
   url_loader_ = network::SimpleURLLoader::Create(std::move(policy_request),
                                                  traffic_annotation);
+  url_loader_->SetOnRedirectCallback(std::move(redirect));
 
   // Obtain the URLLoaderFactory from the NavigationHandle.
   SiteInstance* site_instance = navigation_handle()->GetStartingSiteInstance();
-  content::StoragePartition* storage_partition =
-      BrowserContext::GetStoragePartition(site_instance->GetBrowserContext(),
-                                          site_instance);
+  StoragePartition* storage_partition = BrowserContext::GetStoragePartition(
+      site_instance->GetBrowserContext(), site_instance);
   scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory =
       storage_partition->GetURLLoaderFactoryForBrowserProcess();
 
@@ -249,6 +248,15 @@ void OriginPolicyThrottle::OnTheGloriousPolicyHasArrived(
   Resume();
 }
 
+void OriginPolicyThrottle::OnRedirect(
+    const net::RedirectInfo& redirect_info,
+    const network::ResourceResponseHead& response_head,
+    std::vector<std::string>* to_be_removed_headers) {
+  // Fail hard if the policy response follows a redirect.
+  url_loader_.reset();  // Cancel the request while it's ongoing.
+  CancelNavigation(OriginPolicyErrorReason::kPolicyShouldNotRedirect);
+}
+
 void OriginPolicyThrottle::CancelNavigation(OriginPolicyErrorReason reason) {
   base::Optional<std::string> error_page =
       GetContentClient()->browser()->GetOriginPolicyErrorPage(

content/browser/frame_host/origin_policy_throttle.h

@@ -19,7 +19,11 @@ class GURL;
 namespace url {
 class Origin;
 }
+namespace net {
+struct RedirectInfo;
+}  // namespace net
 namespace network {
+struct ResourceResponseHead;
 class SimpleURLLoader;
 }  // namespace network
 
@@ -64,15 +68,24 @@ class CONTENT_EXPORT OriginPolicyThrottle : public NavigationThrottle {
 
  private:
   using FetchCallback = base::OnceCallback<void(std::unique_ptr<std::string>)>;
+  using RedirectCallback =
+      base::RepeatingCallback<void(const net::RedirectInfo&,
+                                   const network::ResourceResponseHead&,
+                                   std::vector<std::string>*)>;
 
   explicit OriginPolicyThrottle(NavigationHandle* handle);
 
   static KnownVersionMap& GetKnownVersions();
 
   const url::Origin GetRequestOrigin();
-  void FetchPolicy(const GURL& url, FetchCallback done);
+  void FetchPolicy(const GURL& url,
+                   FetchCallback done,
+                   RedirectCallback redirect);
   void OnTheGloriousPolicyHasArrived(
       std::unique_ptr<std::string> policy_content);
+  void OnRedirect(const net::RedirectInfo& redirect_info,
+                  const network::ResourceResponseHead& response_head,
+                  std::vector<std::string>* to_be_removed_headers);
   void CancelNavigation(OriginPolicyErrorReason reason);
 
   // We may need the SimpleURLLoader to download the policy. The loader must