Fix unintentional case-sensitivity for COEP header parsing

https://crrev.com/c/2132902 introduced case-sensitivity unintentionally.
Fix it.

Having a test for COEP header parsing for responses coming from service
workers in reporting.https.html is not good. Create a separate test
file and remove the corresponding test case from reporting.https.html.

Bug: 887967
Change-Id: I50da8ee5e38162fbb81699fc1c55f5b4cb9cd903
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2154364
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#760391}

third_party/blink/renderer/core/fetch/fetch_response_data.cc

@@ -273,17 +273,16 @@ mojom::blink::FetchAPIResponsePtr FetchResponseData::PopulateFetchAPIResponse(
   if (base::FeatureList::IsEnabled(
           network::features::kCrossOriginEmbedderPolicy)) {
     network::CrossOriginEmbedderPolicy coep;
-    auto it =
-        response->headers.find(network::CrossOriginEmbedderPolicy::kHeaderName);
-    if (it != response->headers.end()) {
+    String value;
+    if (HeaderList()->Get(network::CrossOriginEmbedderPolicy::kHeaderName,
+                          value)) {
       std::tie(coep.value, coep.reporting_endpoint) =
-          network::CrossOriginEmbedderPolicy::Parse(it->value.Utf8());
+          network::CrossOriginEmbedderPolicy::Parse(value.Utf8());
     }
-    it = response->headers.find(
-        network::CrossOriginEmbedderPolicy::kReportOnlyHeaderName);
-    if (it != response->headers.end()) {
+    if (HeaderList()->Get(
+            network::CrossOriginEmbedderPolicy::kReportOnlyHeaderName, value)) {
       std::tie(coep.report_only_value, coep.report_only_reporting_endpoint) =
-          network::CrossOriginEmbedderPolicy::Parse(it->value.Utf8());
+          network::CrossOriginEmbedderPolicy::Parse(value.Utf8());
     }
     response->cross_origin_embedder_policy = std::move(coep);
   }

third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/coep-on-response-from-service-worker.https.html

+<!doctype html>
+<html>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<script>
+const FRAME_URL = 'resources/coep-frame.html'
+const SCOPE = new URL(FRAME_URL, location).pathname;
+const SCRIPT = 'resources/sw.js?';
+
+// This is similar to
+// none-sw-from-require-corp.https.html, but there is one difference:
+// In this file, the frame controlled by the service worker comes from
+// the service worker, but on none-sw-from-require-corp.https.html
+// the main document comes from the network directly. Hence the tests
+// here test whether COEP is set correctly for documents coming from
+// service workers.
+
+function remote(path) {
+  const REMOTE_ORIGIN = get_host_info().HTTPS_REMOTE_ORIGIN;
+  return new URL(path, REMOTE_ORIGIN + '/html/cross-origin-embedder-policy/');
+}
+
+let registration;
+let frame;
+
+promise_test(async (t) => {
+  registration = await service_worker_unregister_and_register(t, SCRIPT, SCOPE);
+  await wait_for_state(t, registration.installing, 'activated')
+  frame = await with_iframe(FRAME_URL);
+}, 'setup');
+
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await w.fetch('resources/nothing-same-origin-corp.txt', {mode: 'no-cors'});
+}, 'making a same-origin request for CORP: same-origin');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await w.fetch('/common/blank.html', {mode: 'no-cors'});
+}, 'making a same-origin request for no CORP');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await w.fetch('resources/nothing-cross-origin-corp.txt', {mode: 'no-cors'});
+}, 'making a same-origin request for CORP: cross-origin');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await promise_rejects_js(
+    t, w.TypeError,
+    w.fetch(remote('resources/nothing-same-origin-corp.txt'), {mode: 'no-cors'}));
+}, 'making a cross-origin request for CORP: same-origin');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await promise_rejects_js(
+    t, w.TypeError, w.fetch(remote('/common/blank.html'), {mode: 'no-cors'}));
+}, 'making a cross-origin request for no CORP');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await w.fetch(
+    remote('resources/nothing-cross-origin-corp.txt'),
+    {mode: 'no-cors'});
+}, 'making a cross-origin request for CORP: cross-origin');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await promise_rejects_js(
+    t, w.TypeError,
+    w.fetch(remote('resources/nothing-same-origin-corp.txt?passthrough'),
+      {mode: 'no-cors'}));
+}, 'making a cross-origin request for CORP: same-origin [PASS THROUGH]');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await promise_rejects_js(
+    t, w.TypeError,
+    w.fetch(remote('/common/blank.html?passthrough'), {mode: 'no-cors'}));
+}, 'making a cross-origin request for no CORP [PASS THROUGH]');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await w.fetch(
+    remote('resources/nothing-cross-origin-corp.txt?passthrough'),
+    {mode: 'no-cors'});
+}, 'making a cross-origin request for CORP: cross-origin [PASS THROUGH]');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  await promise_rejects_js(
+    t, w.TypeError, w.fetch(remote('/common/blank.html'), {mode: 'cors'}));
+}, 'making a cross-origin request with CORS without ACAO');
+
+promise_test(async (t) => {
+  const w = frame.contentWindow;
+  const URL = remote(
+    '/common/blank.html?pipe=header(access-control-allow-origin,*');
+  await w.fetch(URL, {mode: 'cors'});
+}, 'making a cross-origin request with CORS');
+
+promise_test(async () => {
+  frame.remove();
+  await registration.unregister();
+}, 'teardown');
+
+</script>
+</html>

third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/reporting.https-expected.txt

@@ -5,7 +5,6 @@ PASS navigation CORP
 PASS COEP violation on nested frame navigation
 FAIL subresource requests initiated from DedicatedWorker assert_unreached: A report whose blocked-url is https://www1.web-platform.test:8444/common/text-plain.txt?abc&subresource-corp-from-dedicated-worker and url is https://web-platform.test:8444/html/cross-origin-embedder-policy/resources/fetch-in-dedicated-worker.js is not found. Reached unreachable code
 FAIL subresource requests initiated from DedicatedWorker controlled by a passthrough service worker assert_unreached: A report whose blocked-url is https://www1.web-platform.test:8444/common/text-plain.txt?abc&subresource-corp-from-dedicated-worker-via-passthrough-sw and url is https://web-platform.test:8444/html/cross-origin-embedder-policy/resources/fetch-in-dedicated-worker.js is not found. Reached unreachable code
-PASS subresource CORP in a passthrough iframe hosted by a service worker without COEP
-PASS subresource CORP in a respondWith(fetch) iframe hosted by a service worker without COEP
+PASS subresource CORP in an iframe hosted by a service worker without COEP
 Harness: the test ran to completion.
 

third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/reporting.https.html

@@ -458,50 +458,5 @@ promise_test(async (t) => {
   checkCorpReportExistence(reports, blockedDueToCoep, iframe.src);
   checkCorpReportExistence(reports, redirect, iframe.src);
   checkReportNonExistence(reports, dest, iframe.src);
-}, 'subresource CORP in a passthrough iframe hosted by a service worker without COEP');
-
-promise_test(async (t) => {
-  const iframe_src = `resources/reporting-empty-frame.html`;
-  // Register a service worker that controls an iframe.
-  const registration = await service_worker_unregister_and_register(
-      t, 'resources/sw.js', iframe_src);
-  t.add_cleanup(() => registration.unregister());
-  await wait_for_state(t, registration.installing, 'activated');
-
-  const iframe = document.createElement('iframe');
-  t.add_cleanup(() => iframe.remove());
-
-  iframe.src = iframe_src;
-  document.body.appendChild(iframe);
-  await new Promise(resolve => {
-    iframe.addEventListener('load', resolve, {once: true});
-  });
-
-  async function fetchInIframe(url) {
-    const init = { mode: 'no-cors', cache: 'no-store' };
-    // Ignore errors.
-    return iframe.contentWindow.fetch(url, init).catch(() => {});
-  }
-
-  const suffix = 'subresource-corp-respondwith-fetch-sw';
-  const sameOriginUrl = `/common/text-plain.txt?${suffix}`;
-  const blockedByPureCorp = `${REMOTE_ORIGIN}${BASE}/nothing-same-origin-corp.txt?${suffix}`;
-  const blockedDueToCoep = `${REMOTE_ORIGIN}/common/text-plain.txt?abc&${suffix}`;
-  const dest = `${REMOTE_ORIGIN}/common/text-plain.txt?xyz&${suffix}`;
-  const redirect = `/common/redirect.py?location=${encodeURIComponent(dest)}&${suffix}`;
-
-  fetchInIframe(sameOriginUrl);
-  fetchInIframe(blockedByPureCorp);
-  fetchInIframe(blockedDueToCoep)
-  fetchInIframe(redirect);
-
-  // Wait until |reports| is ready.
-  await wait(1000);
-
-  checkReportNonExistence(reports, sameOriginUrl, iframe.src);
-  checkReportNonExistence(reports, blockedByPureCorp, iframe.src);
-  checkCorpReportExistence(reports, blockedDueToCoep, iframe.src);
-  checkCorpReportExistence(reports, redirect, iframe.src);
-  checkReportNonExistence(reports, dest, iframe.src);
-}, 'subresource CORP in a respondWith(fetch) iframe hosted by a service worker without COEP');
+}, 'subresource CORP in an iframe hosted by a service worker without COEP');
 </script>$