DevTools: do not report raw headers and cookies for protected subresources.

In case subresource request's site needs to have its document protected, don't
send raw headers and cookies into the frame's renderer.

Bug: 793692
Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
Reviewed-on: https://chromium-review.googlesource.com/821410Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523364}

content/browser/loader/resource_dispatcher_host_impl.cc

@@ -1278,6 +1278,17 @@ void ResourceDispatcherHostImpl::ContinuePendingBeginRequest(
       report_raw_headers = false;
     }
 
+    // Do not report raw headers if the request's site needs to be isolated
+    // from the current process.
+    if (report_raw_headers) {
+      bool is_isolated =
+          SiteIsolationPolicy::UseDedicatedProcessesForAllSites() ||
+          policy->IsIsolatedOrigin(url::Origin::Create(request_data.url));
+      if (is_isolated &&
+          !policy->CanAccessDataForOrigin(child_id, request_data.url))
+        report_raw_headers = false;
+    }
+
     if (request_data.resource_type == RESOURCE_TYPE_PREFETCH ||
         request_data.resource_type == RESOURCE_TYPE_FAVICON) {
       do_not_prompt_for_login = true;

third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt

+Tests that raw response headers are not reported in case of site isolation.
+
+<script src="http://127.0.0.1:8000/inspector-protocol/network/resources/cookie.pl">
+Cookie: cookie
+
+<script src="http://devtools.oopif.test:8000/inspector-protocol/network/resources/cookie.pl">
+No cookie
+

third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt

+Tests that raw response headers are not reported in case of site isolation.
+
+<script src="http://127.0.0.1:8000/inspector-protocol/network/resources/cookie.pl">
+Cookie: cookie
+
+<script src="http://devtools.oopif.test:8000/inspector-protocol/network/resources/cookie.pl">
+Cookie: cookie
+

third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js

+(async function(testRunner) {
+  var {page, session, dp} = await testRunner.startURL(
+      'resources/cookie.pl',
+      `Tests that raw response headers are not reported in case of site isolation.`);
+
+  await dp.Network.enable();
+
+  let count = 0;
+  dp.Network.onResponseReceived(response => {
+    testRunner.log(`\n<script src="${response.params.response.url}">`);
+    if (response.params.response.requestHeaders)
+      testRunner.log(`Cookie: ${response.params.response.headers['Cookie']}`);
+    else
+      testRunner.log(`No cookie`);
+    if (++count === 2)
+      testRunner.completeTest();
+  });
+
+  await dp.Runtime.evaluate({expression: `
+    const script = document.createElement('script');
+    script.src = 'cookie.pl';
+    document.head.appendChild(script);
+
+    const script2 = document.createElement('script');
+    script2.src = 'http://devtools.oopif.test:8000/inspector-protocol/network/resources/cookie.pl';
+    document.head.appendChild(script2);`
+  });
+})

third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl

+#!/usr/bin/perl
+
+print "Status: 200 OK\r\n";
+print "Cookie: cookie\r\n\r\n";