Revert "Define hard-coded extra CORS-safelisted header names"

This reverts commit 33d1685b. Reason for revert: This short term fix is no longer needed. We'll implement a more complete fix in the future. Original change's description: > Define hard-coded extra CORS-safelisted header names > > To resolve OOR-CORS blocking enterprise issues, this CL defines > kExtraSafelistedHeaderNames. This is a very short term fix and violates > layer in order to make it mergeable. We'll use it only for M77. > > This affects only the OOR-CORS enabled path. > > Bug: 999052 > Change-Id: I66ab8f298ed761aa3d78d02fa521d1c08f492fed > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774010 > Commit-Queue: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> > Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> > Cr-Commit-Position: refs/heads/master@{#691617} TBR=kinuko@chromium.org,toyoshim@chromium.org,yhirano@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 999052 Change-Id: I6805cd038a679e7474081d27f5cfdf70bf628f63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1782248 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#693099}

Revert "Define hard-coded extra CORS-safelisted header names"
This reverts commit 33d1685b. Reason for revert: This short term fix is no longer needed. We'll implement a more complete fix in the future. Original change's description: > Define hard-coded extra CORS-safelisted header names > > To resolve OOR-CORS blocking enterprise issues, this CL defines > kExtraSafelistedHeaderNames. This is a very short term fix and violates > layer in order to make it mergeable. We'll use it only for M77. > > This affects only the OOR-CORS enabled path. > > Bug: 999052 > Change-Id: I66ab8f298ed761aa3d78d02fa521d1c08f492fed > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774010 > Commit-Queue: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> > Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> > Cr-Commit-Position: refs/heads/master@{#691617} TBR=kinuko@chromium.org,toyoshim@chromium.org,yhirano@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 999052 Change-Id: I6805cd038a679e7474081d27f5cfdf70bf628f63 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1782248 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#693099}
7e58acd7 · Yutaka Hirano · Commit Bot · 414f5801 · 7e58acd7 · 7e58acd7
Commit 7e58acd7 authored Sep 04, 2019 by Yutaka Hirano Committed by Commit Bot Sep 04, 2019
Showing with 0 additions and 114 deletions

services/network/cors/cors_url_loader_unittest.cc services/network/cors/cors_url_loader_unittest.cc +0 -101

services/network/public/cpp/cors/cors.cc services/network/public/cpp/cors/cors.cc +0 -13

No files found.
--- a/services/network/cors/cors_url_loader_unittest.cc
+++ b/services/network/cors/cors_url_loader_unittest.cc
@@ -1893,107 +1893,6 @@ TEST_F(CorsURLLoaderTest, RestrictedPrefetchFailsWithoutNIK) {
                             "LOAD_RESTRICTED_PREFETCH flag is not trusted"));
 }

-// TODO(yhirano): Remove this as soon as possible.
-TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader1) {
-  const GURL origin("https://example.com");
-  const GURL url("https://other.example.com/foo.png");
-  const GURL new_url("https://other2.example.com/bar.png");
-
-  ResourceRequest request;
-  request.mode = mojom::RequestMode::kCors;
-  request.credentials_mode = mojom::CredentialsMode::kOmit;
-  request.method = "GET";
-  request.url = url;
-  request.request_initiator = url::Origin::Create(origin);
-  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
-  request.headers.SetHeader("YouTube-restricT", "bar");
-
-  CreateLoaderAndStart(request);
-
-  // NO preflight request
-  ASSERT_EQ(1, num_created_loaders());
-  EXPECT_EQ(GetRequest().url, url);
-  EXPECT_EQ(GetRequest().method, "GET");
-}
-
-// TODO(yhirano): Remove this as soon as possible.
-TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader2) {
-  const GURL origin("https://example.com");
-  const GURL url("https://other.example.com/foo.png");
-  const GURL new_url("https://other2.example.com/bar.png");
-
-  ResourceRequest request;
-  request.mode = mojom::RequestMode::kCors;
-  request.credentials_mode = mojom::CredentialsMode::kOmit;
-  request.method = "GET";
-  request.url = url;
-  request.request_initiator = url::Origin::Create(origin);
-  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
-
-  CreateLoaderAndStart(request);
-
-  // NO preflight request
-  ASSERT_EQ(1, num_created_loaders());
-  EXPECT_EQ(GetRequest().url, url);
-  EXPECT_EQ(GetRequest().method, "GET");
-}
-
-// TODO(yhirano): Remove this as soon as possible.
-TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader3) {
-  const GURL origin("https://example.com");
-  const GURL url("https://other.example.com/foo.png");
-  const GURL new_url("https://other2.example.com/bar.png");
-
-  ResourceRequest request;
-  request.mode = mojom::RequestMode::kCors;
-  request.credentials_mode = mojom::CredentialsMode::kOmit;
-  request.method = "GET";
-  request.url = url;
-  request.request_initiator = url::Origin::Create(origin);
-  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
-  request.headers.SetHeader("foo", "foo");
-
-  CreateLoaderAndStart(request);
-
-  // preflight request
-  ASSERT_EQ(1, num_created_loaders());
-  EXPECT_EQ(GetRequest().url, url);
-  EXPECT_EQ(GetRequest().method, "OPTIONS");
-
-  std::string headers;
-  EXPECT_TRUE(GetRequest().headers.GetHeader("access-control-request-headers",
-                                             &headers));
-  EXPECT_EQ(headers, "foo");
-}
-
-// TODO(yhirano): Remove this as soon as possible.
-TEST_F(CorsURLLoaderTest, ExtraSafelistedHeader4) {
-  const GURL origin("https://example.com");
-  const GURL url("https://other.example.com/foo.png");
-  const GURL new_url("https://other2.example.com/bar.png");
-
-  ResourceRequest request;
-  request.mode = mojom::RequestMode::kCors;
-  request.credentials_mode = mojom::CredentialsMode::kOmit;
-  request.method = "GET";
-  request.url = url;
-  request.request_initiator = url::Origin::Create(origin);
-  request.headers.SetHeader("x-gOOgapps-allowed-domains", "foo");
-  request.headers.SetHeader("YouTube-restricT", "bar");
-  request.headers.SetHeader("hoge", "fuga");
-
-  CreateLoaderAndStart(request);
-
-  // preflight request
-  ASSERT_EQ(1, num_created_loaders());
-  EXPECT_EQ(GetRequest().url, url);
-  EXPECT_EQ(GetRequest().method, "OPTIONS");
-  std::string headers;
-  EXPECT_TRUE(GetRequest().headers.GetHeader("access-control-request-headers",
-                                             &headers));
-  EXPECT_EQ(headers, "hoge");
-}
-
 }  // namespace

 }  // namespace cors

--- a/services/network/public/cpp/cors/cors.cc
+++ b/services/network/public/cpp/cors/cors.cc
@@ -10,13 +10,11 @@
 #include <vector>

 #include "base/containers/flat_set.h"
-#include "base/feature_list.h"
 #include "base/no_destructor.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "net/base/mime_util.h"
 #include "net/http/http_request_headers.h"
-#include "services/network/public/cpp/features.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 #include "url/url_constants.h"
@@ -416,17 +414,6 @@ bool IsCorsSafelistedHeader(const std::string& name, const std::string& value) {
      "sec-ch-ua-model",
  };
  const std::string lower_name = base::ToLowerASCII(name);
-
-  if (base::FeatureList::IsEnabled(features::kOutOfBlinkCors)) {
-    // Here we temporarily define extra CORS safelisted header names. This is
-    // a very short term fix in order to make the change mergeable.
-    // TODO(yhirano): Remove this definition as soon as possible.
-    if (lower_name == "x-googapps-allowed-domains" ||
-        lower_name == "youtube-restrict") {
-      return true;
-    }
-  }
-
  if (std::find(std::begin(safe_names), std::end(safe_names), lower_name) ==
      std::end(safe_names))
    return false;